Field Reports · Public Edition
What attackers do with QR codes, written down.
We run every QR a user submits through VirusTotal and a small fleet of complementary checks. When three or more independent engines flag a URL, we put the catch on this page. No marketing, no inflation — just what the field looks like, year by year.
2024 — A Single Catch, a Familiar Ghost
Less a year-in-review than a four-month opening note. One catch, and not a current one — the WannaCry kill-switch, scanned in Boston.
2025 — A Quiet Year, in Hindsight
Sixty-four high-confidence catches across every continent except Antarctica. The year corporate BEC kits started showing up in QR codes instead of email.
2026 — The Year QR Phishing Got Industrialised
A four-month-and-counting picture of 2026: 142 high-confidence catches, a coordinated Roblox/Steam credential campaign, and the first QR threat-intel reports going public.
Since Launch — A Twenty-Month Field Report on QR Threats
A retrospective on every malicious QR catch since IsThisQRSafe went live, from the WannaCry kill-switch to industrialised Roblox phishing.
Note on authorship. The narrative in this report was drafted with AI assistance from real production data — every catch, stat, and VirusTotal link is verbatim from the IsThisQRSafe pipeline. The numbers and case files are not AI generated; only the prose around them is.