What starting position does this attack require?

The first step is Goods / cash-out laundering (T1041) — a exfiltration primitive. Assumed environment: target victim uses Apple Pay with Express Transit enabled and Visa as default.

What is the final impact of this kill-chain?

The final step lands on Set TTQ bit to claim CVM performed (NFC-LIMIT-BYPASS), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Apple Pay Express Transit relay → high-value contactless fraud

Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Exfiltration

Goods / cash-out laundering

T1041 · Exfiltration Over C2 Channel

Initial Access

Other end at attacker-controlled terminal

T1078 · Valid Accounts

Initial Access

Position attacker device near victim wallet

SE-PRETEXT · Pretexting

Lateral Movement

Issue high-value transaction

NFC-APPLE-PAY-RELAY · Apple Pay Express Transit Relay

Lateral Movement

Stand up NFC relay (proxmark / phone)

NFC-EMV-RELAY · Generic EMV Contactless Relay

Impact

Set TTQ bit to claim CVM performed

NFC-LIMIT-BYPASS · Contactless Limit Bypass

§ Context

Assumed environment: target victim uses Apple Pay with Express Transit enabled and Visa as default. Affected combination predates 2022 fixes; useful for replay-attack labs and OEM regression testing.

§ Steps

01
Goods / cash-out launderingExfiltration
T1041— Exfiltration Over C2 Channel
02
Other end at attacker-controlled terminalInitial Access
T1078— Valid Accounts
03
Position attacker device near victim walletInitial Access
SE-PRETEXT— Pretexting
04
Issue high-value transactionLateral Movement
NFC-APPLE-PAY-RELAY— Apple Pay Express Transit Relay
05
Stand up NFC relay (proxmark / phone)Lateral Movement
NFC-EMV-RELAY— Generic EMV Contactless Relay
06
Set TTQ bit to claim CVM performedImpact
NFC-LIMIT-BYPASS— Contactless Limit Bypass

§ References

T1041Exfiltration Over C2 Channel
T1078Valid Accounts

§ Frequently asked

What is the "Apple Pay Express Transit relay → high-value contactless fraud" attack path?: Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Goods / cash-out laundering (T1041) — a exfiltration primitive. Assumed environment: target victim uses Apple Pay with Express Transit enabled and Visa as default.
What is the final impact of this kill-chain?: The final step lands on Set TTQ bit to claim CVM performed (NFC-LIMIT-BYPASS), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Apple Pay Express Transit relay → high-value contactless fraud

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Vesting beneficiary replace → silently drain stream

Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

ERC-4626 first-depositor inflation → drain new deposits

Insider admin panel coercion → mass account takeover (Twitter 2020)

SAML signature wrapping (XSW) → impersonate admin

MEV bot honeypot → drain searcher