A device that allows criminals to clone contactless bank cards in bulk is up for sale on the so-called dark web.
The Contactless Infusion X5 can steal information from nearby cards, including the card number and the card holder's name and address.
This information can then be loaded onto blank cards to create clones that can be used to empty the victim's account.
The device is believed to be the first to specifically target contactless cards.
"It can read any bank card from 8cm away and will read 1024 bytes per second, which is equivalent to 15 bank cards per second," one fraudster told the Daily Star.
"All you have to do is be in close proximity to groups of people with contactless cards – that's around half of all debit card holders – and you're in."
The devices are being sold through the Tor anonymous network, and the package includes the reader itself, cabling, a battery and 20 blank chipped cards to be turned into clones.
They're believed to sell for around £500.
Recent research has shown that contactless cards are as much as twice as vulnerable to fraud as traditional cards. According to fraud prevention company Defender Note, 18% of people using contactless have fallen victim to fraud, compared with only 9% of those with more traditional cards.
However, according to the Contactless Cards Association, customers should feel safe using them.
"Contactless payment cards have the same level of protection as chip and PIN payments, and contain multiple layers of security," it says.
"If a card is lost or stolen, the customer is completely protected against fraud loss. Fraud on contactless cards is negligible, standing at less than 1p in £100."
In the longer term, though, the problem probably won't persist, as contactless cards aren't likely to survive. Following the launch of Apple Pay a year ago and Android Pay earlier this year, payment by phone is likely to become far more popular than contactless, and is believed to be much less vulnerable to fraud.