Dossier · AR-2026 · Threat Intel Field Report · Jan – May 2026 (ongoing) · IsThisQRSafe Intel Cell

Annual Field Report · 2026

2026 — The Year QR Phishing Got Industrialised

Four months into 2026 we have already logged more than twice the high-confidence catches of all of 2025. The picture is no longer "occasional bad QRs in the wild"; it is a campaign apparatus aimed at gamers, families, and corporate inboxes.

1,254 URLs analysed
142 catches (3+ engines)
32 overwhelming consensus (10+ engines)
83 distinct regions

The numbers, plainly

Through May 2 we have analysed 1,254 URLs scanned by users worldwide. 142 were flagged by three or more independent engines as malicious; 32 by ten or more. That works out to roughly thirty-five high-confidence catches every month so far — and the trend line is still climbing (5 in January, 17 in February, 52 in March, 63 in April).

580 phishing labels
378 generic malicious
31 malware delivery

580 of the 989 vendor verdicts on 2026 catches read "phishing" explicitly. The remaining labels are split between generic "malicious" and outright malware delivery.


The Roblox / Steam campaign

The single most-flagged URL of the year — and the most-flagged URL in the platform's history — was a fake Roblox profile page. Twenty-three of ninety-one independent engines agreed it was malicious; fourteen specifically said phishing. It was scanned in Darlington, England.

That URL did not appear alone. Across March and April we caught the same campaign hopping country-code TLDs: robiox.com.py in Paraguay, roblox.com.ge in Georgia, www.robiox.com.ua in Ukraine, www.roblox.com.ml in Mali. The Steam half of the same operation is on stleamcommuunity.com — a typosquat with two letters doubled — and on steam-protection.info.

The scaling pattern is the giveaway: pre-built profile templates, fabricated numeric user IDs, ccTLD rotation, and enough fresh registrations to outpace each takedown.
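The three host patterns described above (the exact brand label parked under a ccTLD the brand does not use, a near-miss spelling such as "robiox" or "stleamcommuunity", and a "brand-word.tld" lure such as steam-protection.info) can be checked mechanically before a decoded QR URL is opened. The following is an added example, not IsThisQRSafe code; the brand allowlist and the two-label suffix set are assumptions made for the example, and a production check would use the Public Suffix List and a maintained brand list.

```python
"""Brand-lookalike check for a QR-decoded URL.

Added example, not IsThisQRSafe code.  It flags the three host patterns the
report describes: the exact brand label parked under a ccTLD the brand does
not use (roblox.com.ge), a near-miss spelling of the brand (robiox,
stleamcommuunity) and a "brand-word.tld" lure (steam-protection.info).
The brand table and suffix list are assumptions made for the example.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains each brand legitimately uses.
# Dict order matters: the longer brand name is checked before its short form.
BRANDS = {
    "roblox": {"roblox.com"},
    "steamcommunity": {"steamcommunity.com"},
    "steam": {"steampowered.com", "steamcommunity.com"},
}

# Two-label public suffixes seen in the report plus a few common ones.
# Assumption for the example; production code would use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.py", "com.ge", "com.ua", "com.ml", "co.uk", "com.br"}


def registrable_domain(host: str) -> str:
    """'www.robiox.com.py' -> 'robiox.com.py'; 'www.roblox.com' -> 'roblox.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short host labels, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(url: str) -> Optional[dict]:
    """Return None for a legitimate brand domain or an unrelated host,
    otherwise the brand and the lookalike pattern that matched."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    label = reg.split(".")[0]                # the label the registrant chose
    for brand, legit in BRANDS.items():
        if reg in legit:
            return None                      # the real thing, stop here
        if label == brand:
            return {"brand": brand, "pattern": "brand-on-foreign-tld", "domain": reg}
        # Short brand names collide with real words, so allow fewer edits there.
        max_edits = 1 if len(brand) < 8 else 2
        if len(label) >= 5 and 0 < levenshtein(label, brand) <= max_edits:
            return {"brand": brand, "pattern": "typosquat", "domain": reg}
        if label.startswith(brand + "-"):
            return {"brand": brand, "pattern": "brand-prefix-lure", "domain": reg}
    return None


if __name__ == "__main__":
    # The hosts named in the report, refanged by hand for this demo
    for u in ["https://www.robiox.com.py/users/282744267386/profile",
              "https://roblox.com.ge/users/9257346026/profile",
              "https://www.roblox.com.ml/users/216334258477/profile",
              "https://stleamcommuunity.com/login",
              "https://steam-protection.info/",
              "https://www.roblox.com/users/1/profile"]:
        print(u, "->", brand_lookalike(u))
```

The allowlist check runs first on purpose: the real roblox.com must never be scored against its own brand name. Even with the tighter edit budget for short names, a five-letter brand like "steam" will still collide with ordinary words at one edit, which is why the allowlist, not the distance metric, is what keeps the false-positive rate down in practice.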

Of the 142 high-confidence catches in 2026, the five spotlighted below all come from this single Roblox/Steam family. The implication for parents and youth-safety teams is direct: QR codes pointing at "Roblox" or "Steam Community" that arrive in messaging apps, on stickers, on print flyers, or in random comments are extremely likely to be hostile. The brand is doing the work of authentication for the attacker.

Featured catches — gaming

These are the highest-engine entries from the gaming-credential cluster. Every URL is defanged; every "VirusTotal analysis" link points at the live, public verdict.

Case 001

www.robiox.com.py

Gaming credential phishing
23/91 engines · 23 malicious · 1 suspicious
hxxps[://]www[.]robiox[.]com[.]py/users/282744267386/profile

Roblox typosquat "robiox" on Paraguay's ccTLD. Highest-engine catch in the platform's history — 23 of 91 vendors agreed it was malicious, 14 specifically labeled it phishing. The /users/.../profile path mimics a real Roblox profile URL to deceive parents and kids.

Case 002

roblox.com.ge

Gaming credential phishing
21/91 engines · 21 malicious · 1 suspicious
hxxps[://]roblox[.]com[.]ge/games/920587237/Adopt-Me?privateServerLinkCode=33418787560837720012869310680513

Roblox impersonation on the Georgian ccTLD, with a fake "Adopt Me private server" link — Adopt Me is one of the most-played games on Roblox and a constant lure for kids. The 32-digit fake server code is just decoration.

Case 003

www.robiox.com.py

Gaming credential phishing
21/91 engines · 21 malicious · 1 suspicious
hxxps[://]www[.]robiox[.]com[.]py/users/237918549135/profile

A different victim profile on the same robiox.com.py infrastructure — confirming this isn't a one-off but an industrialised campaign rotating through fabricated profile pages.

Case 004

roblox.com.ge

Gaming credential phishing
20/91 engines · 20 malicious · 1 suspicious
hxxps[://]roblox[.]com[.]ge/users/9257346026/profile

Same Roblox-on-.com.ge infrastructure, scanned half a world away from the UK catch three days earlier. Demonstrates the international reach of a single phishing campaign distributed via QR.

Case 005

www.roblox.com.ml

Gaming credential phishing
16/91 engines · 16 malicious
hxxps[://]www[.]roblox[.]com[.]ml/users/216334258477/profile

Roblox impersonation on Mali's ccTLD (.ml). Together with .com.py, .com.ge, and .com.ua we've now observed this campaign hopping across at least four ccTLDs — a deliberate evasion against single-zone takedowns.

Featured catches — corporate phishing

Outside the gaming campaign, the second cluster we keep seeing is business-email-compromise infrastructure showing up in QR form. These are usually fragment-encoded with the recipient's real email address — a fingerprint of modern Adversary-in-the-Middle phishing kits.

Case 001

dashboard.brakhibukh.click

Business email compromise
14/91 engines · 14 malicious
hxxps[://]dashboard[.]brakhibukh[.]click/r/traonlin/?token=9k1hqrisx&hint=claudia[.]dene@tronox[.]com

A "dashboard" subdomain on a generated .click base, with an Adversary-in-the-Middle redirector — the &hint= parameter pre-fills the target's real email to make the fake login feel personal. Tronox is a Fortune 1000 chemicals company.

Case 002

access-doconline.premierpanelsystem.com

Business email compromise
13/91 engines · 13 malicious
hxxps[://]access-doconline[.]premierpanelsystem[.]com/9b9f5baa334c4b6a9fc6c7ff20ccf04a/?vUUQ5g=rHudIpG&bb=&ff=&ff=&bb=matthew[.]plaas@erlanger[.]org

Fake "document access" page targeting an Erlanger Health employee — a regional health system. The duplicated bb= and ff= parameters are signature padding from the Tycoon-family kit.

What we're watching

Three things to keep an eye on for the rest of 2026:

1. ccTLD whack-a-mole. The Roblox campaign is already on its fourth ccTLD this year. We expect to see at least two more before the registries collectively act.

2. Children-as-targets. "Quishing" coverage in the press has so far focused on parking-meter stickers and corporate phishing. The 2026 catch list says the under-18 demographic is taking real heat too — and they have less instinct to look closely at URLs.

3. Fragment-encoded targeting. Every BEC catch we featured ends with the victim's real email address in the URL fragment. That is a strong signal for AI-assisted phishing kits that personalise the landing page on render. Email security gateways do not see fragments. QR distribution makes it worse.
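The kit fingerprints called out in the corporate cluster and in point 3 above (a victim address pre-filled in the URL, and padding such as the duplicated bb= and ff= parameters) can be extracted from a decoded QR URL without visiting it. The following is an added example, not IsThisQRSafe or VirusTotal code. It refangs the report's hxxps[://] notation, then reports the address separately for the query string and the fragment, because a browser never sends the fragment to the server and a mail gateway that inspects links never receives it; the two featured catches are used as samples exactly as printed on the page (both carry the address in the query string), and the third sample, with the address in the fragment, is constructed for the example.

```python
"""Fingerprint AitM / BEC phishing-kit traits in a QR-decoded URL.

Added example, not IsThisQRSafe or VirusTotal code.  It refangs the report's
hxxps[://] notation and then checks the two traits the report describes: a
victim e-mail address pre-filled in the URL (query string or fragment,
reported separately because the fragment stays client-side and never reaches
a link-inspecting gateway), and repeated or empty parameters such as
bb=&ff=&ff=&bb= used as padding.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

SAMPLES = [
    # The two featured catches, copied defanged from the report
    "hxxps[://]dashboard[.]brakhibukh[.]click/r/traonlin/?token=9k1hqrisx&hint=claudia[.]dene@tronox[.]com",
    "hxxps[://]access-doconline[.]premierpanelsystem[.]com/9b9f5baa334c4b6a9fc6c7ff20ccf04a/?vUUQ5g=rHudIpG&bb=&ff=&ff=&bb=matthew[.]plaas@erlanger[.]org",
    # Constructed sample (not a real catch): address carried in the fragment
    "hxxps[://]login-portal[.]example/verify#victim%40example[.]com",
]


def refang(defanged: str) -> str:
    """Undo hxxp / [://] / [.] defanging so the URL can be parsed."""
    return (defanged.replace("hxxps", "https").replace("hxxp", "http")
            .replace("[://]", "://").replace("[.]", "."))


def kit_fingerprints(defanged_url: str) -> dict:
    """Return the traits found plus a coarse verdict for a triage queue."""
    parts = urlsplit(refang(defanged_url))
    # Search the raw strings rather than parsed pairs, so an address dropped
    # in as a bare key (#victim@example.com) or percent-encoded is still seen.
    emails = {
        "query": sorted(set(EMAIL_RE.findall(unquote(parts.query)))),
        "fragment": sorted(set(EMAIL_RE.findall(unquote(parts.fragment)))),
    }
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    repeated = sorted(name for name, n in counts.items() if n > 1)
    empty = sorted({name for name, value in pairs if value == ""})
    traits = []
    if emails["query"] or emails["fragment"]:
        traits.append("prefilled-victim-email")
    if repeated:
        traits.append("repeated-params")
    if empty:
        traits.append("empty-params")
    verdict = "likely-aitm-kit" if "prefilled-victim-email" in traits else "no-kit-traits"
    return {
        "host": parts.hostname,
        "emails": emails,
        "repeated_params": repeated,
        "empty_params": empty,
        "traits": traits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(kit_fingerprints(sample))
```

The pre-filled address is the decisive trait here; the padding parameters alone are only corroborating, so the verdict keys on the address and the padding is surfaced for the analyst. Because the fragment is reported on its own, a triage queue can see at a glance which catches would have been invisible to a link-rewriting gateway even without QR in the delivery path.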

Note on authorship. The narrative in this report was drafted with AI assistance from real production data — every catch, stat, and VirusTotal link is verbatim from the IsThisQRSafe pipeline. The numbers and case files are not AI generated; only the prose around them is.

Sourcing & Methodology

All catches in this report are real entries from the IsThisQRSafe production database. Each is a URL submitted by a real user who scanned a QR code with the camera-or-upload flow on web or mobile, then ran through VirusTotal's 90+ engine analysis. We define a "catch" as a URL flagged by three or more independent engines as malicious — a threshold that filters single-engine false positives while remaining sensitive enough to catch newly-stood-up phishing infrastructure.
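The catch definition above, together with the tiers and label buckets used in "The numbers, plainly" (three or more malicious engines is a catch, ten or more is overwhelming consensus, and vendor labels are bucketed into phishing, generic malicious and malware), is small enough to write down as triage code. The following is an added example, not the IsThisQRSafe pipeline; the input row shape (engine, category, result) is an assumption modelled on VirusTotal's per-engine results, the engine names are placeholders, and sample_results() constructs a 91-engine tally that reproduces Case 001's counts.

```python
"""Catch tiering from per-engine verdicts, as the report's methodology defines it.

Added example, not IsThisQRSafe pipeline code.  A URL is a "catch" when three
or more engines return category 'malicious' and "overwhelming consensus" at
ten or more; 'suspicious' is displayed but not counted.  The input shape is an
assumption modelled on VirusTotal's per-engine results (engine, category,
result); sample_results() builds a constructed 91-engine tally.
"""
from collections import Counter
from typing import Iterable

CATCH_THRESHOLD = 3        # three or more independent engines: a "catch"
CONSENSUS_THRESHOLD = 10   # ten or more: "overwhelming consensus"


def normalise_label(result) -> str:
    """Collapse free-text vendor labels into the report's three buckets."""
    text = (result or "").lower()
    if "phish" in text:
        return "phishing"
    if "malware" in text or "trojan" in text:
        return "malware"
    return "malicious"


def classify_verdicts(results: Iterable[dict]) -> dict:
    """Summarise one URL's per-engine results into a tier and label counts."""
    rows = list(results)
    malicious = [r for r in rows if r.get("category") == "malicious"]
    suspicious = [r for r in rows if r.get("category") == "suspicious"]
    n = len(malicious)
    if n >= CONSENSUS_THRESHOLD:
        tier = "consensus"
    elif n >= CATCH_THRESHOLD:
        tier = "catch"
    else:
        tier = "below-threshold"      # single-engine hits are filtered out here
    return {
        "engines": len(rows),
        "malicious": n,
        "suspicious": len(suspicious),
        "tier": tier,
        "labels": dict(Counter(normalise_label(r.get("result")) for r in malicious)),
    }


def tally(summaries: Iterable[dict]) -> dict:
    """Roll per-URL summaries up into headline numbers.  Vendor labels are
    counted only on catches, matching how the report counts its 989 verdicts."""
    out = {"urls": 0, "catches": 0, "consensus": 0, "labels": Counter()}
    for s in summaries:
        out["urls"] += 1
        if s["tier"] in ("catch", "consensus"):
            out["catches"] += 1
            out["labels"].update(s["labels"])
        if s["tier"] == "consensus":
            out["consensus"] += 1
    out["labels"] = dict(out["labels"])
    return out


def sample_results(n_phish=14, n_generic=9, n_susp=1, total=91) -> list:
    """Constructed per-engine rows (placeholder engine names, not real vendors).
    Defaults reproduce Case 001's tally: 23 malicious, 14 of them phishing,
    1 suspicious, out of 91 engines."""
    rows = []
    for i in range(total):
        if i < n_phish:
            cat, res = "malicious", "phishing"
        elif i < n_phish + n_generic:
            cat, res = "malicious", "malicious"
        elif i < n_phish + n_generic + n_susp:
            cat, res = "suspicious", "suspicious"
        else:
            cat, res = "harmless", "clean"
        rows.append({"engine": f"engine-{i:02d}", "category": cat, "result": res})
    return rows


if __name__ == "__main__":
    case_001 = classify_verdicts(sample_results())
    noise = classify_verdicts(sample_results(n_phish=1, n_generic=1, n_susp=0))
    print(case_001)
    print(tally([case_001, noise]))
```

Keeping 'suspicious' out of the count is deliberate: it is the reason a card can read "23/91 engines · 23 malicious · 1 suspicious" without the suspicious verdict moving the URL between tiers, and it is the part of the threshold that keeps a lone heuristic engine from promoting a benign URL to a catch.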

Coarse location, when shown, is captured only when a user voluntarily shares it after seeing a malicious verdict — a privacy-preserving design choice that keeps location off our servers for the ~99% of scans that turn out to be safe. Locations are reverse-geocoded to the nearest city and discarded after the case file is published.