Dossier LR-001 · Threat Intel Field Report · Sep 2024 — May 2026 · IsThisQRSafe Intel Cell
Retrospective · September 2024 — May 2026
Since Launch — A Twenty-Month Field Report on QR Threats
Twenty months. Two thousand two hundred fifty-six VirusTotal-checked URLs. Two hundred seven of them flagged by three or more independent engines. This is what we have learned about how attackers are using QR codes.
207 high-confidence catches (flagged by 3+ VirusTotal engines)
50 overwhelming-consensus catches (10+ engines agreed)
Section I
The shape of the field
Across twenty months of operation we have run 2,256 QR-borne URLs through VirusTotal's URL-analysis fleet of roughly 90 engines (91 at the time of the catches below). 207 of those, about 9%, were flagged as malicious by three or more engines. 50 were flagged by ten or more, a level of consensus that makes a false-positive explanation very hard to sustain.
Looking at vendor labels rather than raw counts is more honest about what we are actually catching. Of the 1,443 vendor verdicts attached to high-confidence catches, 848 (59%) specifically identify the URL as phishing. That is the dominant tactic by a wide margin. Generic "malicious" verdicts come second; explicit malware-delivery verdicts are rare.
QR-mediated quishing is, overwhelmingly, an old-fashioned credential-theft problem wearing new packaging.
That matters because it tells defenders where to spend energy. The threat is not novel exploitation; it is the same domain spoofing, fragment-encoded victim targeting and Adversary-in-the-Middle (AitM) kits that have lived on email for years, now riding into environments (cafe tables, parking meters, charity flyers, a child's phone) where none of the email-layer protections apply: no mail gateway scanning or rewriting the link, no sender authentication to fail, no corporate proxy between the phone and the site, and no instinct to mistrust the link.
Section II
A trickle, then a flood
The volume curve is not linear. The first four months produced one catch worth writing about. All of 2025 produced 64. The first four months of 2026 alone produced 142.
A reasonable share of the 2026 inflection is our own growth: IsThisQRSafe shipped its mobile app in earnest in late 2025 and started acquiring users worldwide. But the shape of what we're catching changed too: 2026 is the first year a single coordinated campaign dominates the catch list. We have caught the same Roblox/Steam credential-phishing operation hopping across at least four country-code TLDs (as .com.py, .com.ge, .com.ua and .com.ml second-level domains), registering fresh subdomains as the old ones get de-listed, targeting kids and gamers worldwide.
That does not match the older shape of business-email-compromise we used to see in 2025 — those were one-off domains with one-off victims, fragment-encoded for a single target. The 2026 gaming campaign is industrial: pre-built profile templates, fabricated user IDs, ccTLD evasion, and enough infrastructure to keep pushing replacements after each takedown.
Section III
Four catches that explain the rest
Of two hundred and seven catches, these four cover most of what we have learned about QR threats. Each is verbatim from production with a live link to the VirusTotal analysis.
23/91 engines · 23 malicious · 1 suspicious
hxxps[://]www[.]robiox[.]com[.]py/users/282744267386/profile
Roblox typosquat "robiox" (one letter substituted) under Paraguay's .com.py. Highest-engine catch in the platform's history: 23 of 91 vendors agreed it was malicious, 14 specifically labeled it phishing. The /users/<numeric-id>/profile path mimics a real Roblox profile URL to deceive parents and kids.
22/91 engines · 22 malicious · 2 suspicious
hxxps[://]stleamcommuunity[.]com/gift/33435345
Steam Community typosquat two edits away from the real name: an "l" inserted into "steam" and the "u" doubled in "community". The /gift/<numeric-id> path mimics Steam's real gift-redemption flow. This is the Steam-themed half of the same campaign that targets Roblox.
13/91 engines · 13 malicious
hxxps[://]smartconcil[.]sbs#ZmVpbGljaWEuY2hvb0B0YW5jaG9uZ2dyb3VwLmNvbQ==
Targeted phishing with the victim's email Base64-encoded in the URL fragment, a fingerprint of the modern BEC kit. Browsers never send the fragment to the server, so it travels in the QR payload while staying out of server logs and out of any scanner that fetches the URL with the fragment dropped; the kit's page script typically reads it client-side to pre-fill the login form with the victim's address. The .sbs TLD is consistently among the most-abused in registry takedown reports.
9/91 engines · 9 malicious
hxxp[://]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com/
The WannaCry kill-switch domain. Marcus Hutchins registered it in May 2017 to halt the global ransomware outbreak; engines flag it because it appears on WannaCry indicator lists, not because the site serves anything hostile. Anyone scanning a QR pointing here is almost certainly working with research samples, not stumbling into live malware.
Section IV
Where the catches came from
The location of a catch is one of the more interesting datapoints we have. Users only share their coordinates after seeing a malicious verdict — a privacy-by-design decision that means we do not collect location at all for the ~99% of scans that turn out to be safe. Even with that filter, 200 of the 207 high-confidence catches have a coarse location attached, and they fall across 111 distinct one-degree-by-one-degree geographic cells.
In practice that means catches from Boston, Charlotte, Miami, Chicago, the South San Francisco Bay Area, Chattanooga, and Dallas; from Darlington, Walsall, and London; from Frankfurt, Madrid, and northern Germany; from Plovdiv, Varna, and Warsaw; from Kuala Lumpur, Chennai, Delhi, Singapore, Baguio, and Cikarang; from Auckland, Sydney, Melbourne, Santiago, and Johannesburg. QR threats are not a regional issue.
Section V
How to read these reports
If you read one report from this site, read the 2026 dossier — it captures the campaign that is happening right now. If you have time for two, read 2025 next; it shows the shape of the BEC kits that 2026 has scaled up. We have left 2024 intentionally short. The platform had not been launched long enough for that period to matter, and the one catch in it is more interesting as a historical curio than as a current threat.
We update these reports as new catches arrive. Numbers in this section are accurate as of 2026-05-02.
Note on authorship. The narrative in this report was drafted with AI assistance from real production data; every catch, stat, and VirusTotal link is verbatim from the IsThisQRSafe pipeline. The numbers and case files are not AI-generated; only the prose around them is.
Sourcing & Methodology
All catches in this report are real entries from the IsThisQRSafe production database. Each is a URL submitted by a real user who scanned a QR code with the camera-or-upload flow on web or mobile, then ran through VirusTotal's roughly 90-engine URL analysis. We define a "catch" as a URL flagged by three or more engines as malicious, a threshold that filters single-engine false positives while remaining sensitive enough to catch newly stood-up phishing infrastructure. The engines are not fully independent (several consume the same blocklist feeds), so three agreeing verdicts is a strong reputation signal rather than three separate analyses.
Coarse location, when shown, is captured only when a user voluntarily shares it after seeing a malicious verdict — a privacy-preserving design choice that keeps location off our servers for the ~99% of scans that turn out to be safe. Locations are reverse-geocoded to the nearest city and discarded after the case file is published.