Dossier · AR-2024 / Threat Intel Field Report · Sep — Dec 2024 · IsThisQRSafe Intel Cell
Annual Field Report · 2024
2024 — A Single Catch, a Familiar Ghost
IsThisQRSafe came online in September 2024. The first four months produced one catch worth writing about, and that catch was not a current threat — it was a famous historical one. We are leaving this one short on purpose.
URLs analysed: 179 (Sep 5 → Dec 31)
Overwhelming consensus (10+ engines): 0
Section I
A four-month opening note
IsThisQRSafe came online in early September 2024. Through December we ran 179 URLs through the analysis pipeline. Six of those had at least one engine flagging them. One crossed the three-engine threshold we use for high-confidence catches.
The right read on this year is "not enough data yet". The user base in 2024 was small enough that this report is more a journal entry than a year-in-review. We're publishing it for completeness — and because the one catch that did happen is the right kind of curio to anchor the report around.
Section II
The catch — a familiar ghost
On September 24, 2024, a user in Boston scanned a QR that resolved to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com — the WannaCry kill-switch domain, registered in May 2017 by Marcus Hutchins to halt the global ransomware outbreak.
Nine VirusTotal engines flagged the URL as malicious. None labeled it phishing; the labels were "malicious" and "malware," which is exactly what you would expect from AV products keeping the kill-switch on their permanent indicator-of-compromise lists.
The first catch of the platform's history was, fittingly, a ghost from a much bigger one.
Whoever scanned this is almost certainly a security researcher, a CTF participant, or someone testing a malware-flavoured QR code. The kill-switch domain has not served live malware in eight years. It is, however, an extremely good test case for "does this scanner actually catch known-bad URLs?" — and in its very first month, IsThisQRSafe did.
9/91 engines · 9 malicious
hxxp[://]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com/
The WannaCry kill-switch domain. Marcus Hutchins registered this URL in 2017 to halt the global ransomware outbreak. Anyone scanning a QR pointing here is almost certainly working with research samples, not stumbling into live malware.
Section III
What this year wasn't
You will not find a vendor-label breakdown, a pattern-cluster analysis, or a regional distribution chart in this report. The dataset is a single row. Trying to extract trends from it would be misleading at best.
The platform's real story starts in 2025. If you came here looking for it, head to the 2025 field report next.
Note on authorship. The narrative in this report was drafted with AI assistance from real production data — every catch, stat, and VirusTotal link is verbatim from the IsThisQRSafe pipeline. The numbers and case files are not AI generated; only the prose around them is.
Sourcing & Methodology
All catches in this report are real entries from the IsThisQRSafe production database. Each is a URL submitted by a real user who scanned a QR code with the camera-or-upload flow on web or mobile, and was then run through VirusTotal's 90+ engine analysis. We define a "catch" as a URL flagged by three or more independent engines as malicious — a threshold that filters single-engine false positives while remaining sensitive enough to catch newly-stood-up phishing infrastructure.
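The three-engine rule above, combined with the 10+ engine "overwhelming consensus" tier from the summary figures, as an added example (not IsThisQRSafe's pipeline code). It assumes per-engine verdicts shaped like VirusTotal API v3 `last_analysis_results`; the engine names, the 5/4 label split, `example.test`, and the names of the two lower tiers are constructed for illustration.

```python
from collections import Counter

CATCH_MIN = 3       # page: flagged by "three or more independent engines"
CONSENSUS_MIN = 10  # page: "Overwhelming consensus", 10+ engines

def defang(url):
    """Render a URL non-clickable in the hxxp[://]host[.]tld style the report uses."""
    scheme, sep, rest = url.partition("://")
    if sep:
        scheme = scheme.replace("http", "hxxp") + "[://]"
    else:
        scheme, rest = "", url
    host, slash, path = rest.partition("/")
    return scheme + host.replace(".", "[.]") + slash + path

def classify(url, results):
    """results: engine name -> {"category", "result"} (assumed VirusTotal v3 shape)."""
    # Dict keys are unique, so each engine is counted once. This example counts
    # only the "malicious" category; "suspicious" verdicts are ignored.
    flagged = [r for r in results.values() if r.get("category") == "malicious"]
    n = len(flagged)
    if n >= CONSENSUS_MIN:
        tier = "overwhelming consensus"
    elif n >= CATCH_MIN:
        tier = "catch"
    elif n >= 1:
        tier = "flagged, below threshold"   # tier name is an assumption
    else:
        tier = "no detections"              # tier name is an assumption
    labels = Counter(r.get("result", "unlabelled") for r in flagged)
    return {"url": defang(url), "malicious": n, "engines": len(results),
            "tier": tier, "labels": dict(labels)}

def sample_results(labels, total):
    """Constructed verdicts: one malicious engine per label, the rest harmless."""
    res = {f"engine-{i}": {"category": "malicious", "result": lab}
           for i, lab in enumerate(labels)}
    for i in range(len(labels), total):
        res[f"engine-{i}"] = {"category": "harmless", "result": "clean"}
    return res

if __name__ == "__main__":
    ghost = sample_results(["malicious"] * 5 + ["malware"] * 4, total=91)
    print(classify("http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/", ghost))
    print(classify("https://example.test/menu", sample_results(["phishing"], 91)))
```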
Coarse location, when shown, is captured only when a user voluntarily shares it after seeing a malicious verdict — a privacy-preserving design choice that keeps location off our servers for the ~99% of scans that turn out to be safe. Locations are reverse-geocoded to the nearest city and discarded after the case file is published.