Dossier · LR-001 / Threat Intel Field Report · Sep 2024 — May 2026 · IsThisQRSafe Intel Cell
Retrospective · September 2024 — May 2026
Since Launch — A Twenty-Month Field Report on QR Threats
Twenty months. Two thousand two hundred fifty-six VirusTotal-checked URLs. Two hundred seven of them flagged by three or more independent engines. This is what we have learned about how attackers are using QR codes.
2,256 URLs analysed
207 high-confidence sightings (flagged by 3+ VirusTotal engines)
50 with overwhelming consensus (10+ engines agreed)
111 distinct one-degree geographic cells
Section I
The shape of the field
Across twenty months of operation we have run 2,256 QR-borne URLs through VirusTotal's fleet of roughly 90 scanning engines. 207 of those, just under 10%, were flagged as malicious by three or more engines. 50 were flagged by ten or more, a level of agreement that leaves very little room for a "false positive" argument.
Looking at vendor labels rather than counts is more honest about what we are actually catching. Of the 1,443 vendor verdicts attached to high-confidence sightings, 848 specifically identify the URL as phishing. That is the dominant tactic by a wide margin. Generic "malicious" verdicts come second; explicit malware delivery is rare.
848 phishing labels · 535 generic malicious · 60 malware delivery
QR-mediated quishing is, overwhelmingly, an old-fashioned credential-theft problem wearing new packaging.
That matters because it tells defenders where to spend energy. The threat is not novel exploitation; it is the same domain spoofing, fragment-encoded targeting, and Adversary-in-the-Middle kits that have lived on email for years, now riding into environments (cafe tables, parking meters, charity flyers, a teen's phone) where there is no mail-gateway filtering, no corporate proxy, and no instinct to mistrust the link. A QR code also hides the URL until the phone has already decoded it, so the one defence email users have learned, reading the link before clicking, is not available.
Section II
A trickle, then a flood
The volume curve is not linear. The first four months produced one sighting worth writing about. All of 2025 produced 64. The first four months of 2026 alone produced 142.
Some of the 2026 inflection may simply reflect growing awareness of quishing as a category, with more people running an unfamiliar code through a checker before opening it. The shape of what we are catching also changed: 2026 is the first year a single coordinated campaign dominates the sightings list. We have caught the same Roblox/Steam credential-phishing operation hopping across at least four ccTLD second-level domains (.com.py, .com.ge, .com.ua, .com.ml), registering fresh subdomains as the old ones get de-listed, targeting kids and gamers worldwide.
That does not match the older shape of business-email-compromise phishing we saw in 2025: those were one-off domains with one-off victims, fragment-encoded for a single target. The 2026 gaming campaign is industrial: pre-built profile templates, fabricated user IDs, ccTLD hopping to outrun takedowns, and enough infrastructure to keep pushing replacements after each de-listing.
Section III
Four sightings that explain the rest
Of two hundred and seven sightings, these four cover most of what we have learned about QR threats. Each is verbatim from production with a live link to the VirusTotal analysis.
Case 001
Roblox typosquat "robiox" on Paraguay's ccTLD. Highest-engine sighting in the platform's history: 23 of 91 vendors flagged it as malicious, 14 of them specifically as phishing. The /users/.../profile path mimics a real Roblox profile URL so that parents and kids see a familiar shape.
Case 002
stleamcommuunity.com
Gaming credential phishing
22/91 engines · 22 malicious · 2 suspicious
hxxps[://]stleamcommuunity[.]com/gift/33435345
Steam Community typosquat with both letters doubled — "stLeam" and "commuUnity." The /gift/<numeric-id> path mimics Steam's real gift-redemption flow. This is the credential side of the same campaign that targets Roblox.
Case 003
Targeted phishing with the victim's email address Base64-encoded in the URL fragment, a fingerprint of current BEC kits. The kit decodes the fragment client-side to pre-fill the login form, and because a fragment is never sent in the HTTP request, the targeting travels in the link without appearing in server logs or in the view of a scanner that only fetches the page. The .sbs TLD consistently ranks among the most-abused TLDs in published abuse statistics.
Case 004
The WannaCry kill-switch domain. Marcus Hutchins registered this domain in May 2017 to halt the global ransomware outbreak; the malware checked whether it resolved and exited if it did. The domain is now a sinkhole, and engines flag it because it is a well-known indicator from malware sandbox reports, not because it serves anything hostile. Anyone scanning a QR pointing here is almost certainly working with research samples or a write-up, not stumbling into live malware.
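Both tactics in these case files, brand-lookalike domains and a Base64-encoded target in the URL fragment, can be screened for locally before a URL is ever sent to VirusTotal. The Python below is an added example written for this report, not code from the IsThisQRSafe pipeline. The brand list, the short public-suffix table, the edit-distance threshold and the sample URLs (only the stleamcommuunity one is taken from the page) are constructed for illustration; a real deployment would use the Public Suffix List and a much larger brand set.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed for illustration: a real screen would load the Public Suffix List
# and a brand set of hundreds of names, not these hand-picked values.
BRANDS = ("roblox", "steamcommunity", "steampowered")
PUBLIC_SUFFIXES = ("com.py", "com.ge", "com.ua", "com.ml", "co.uk",
                   "com", "net", "org", "sbs")
LOOKALIKE_MAX_DISTANCE = 2  # assumption: 1-2 edits from a brand is a lookalike

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def levenshtein(a, b):
    """Plain edit distance; small enough here that no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Return (label just above the public suffix, suffix) for a hostname.

    'www.robiox.com.py' -> ('robiox', 'com.py'); subdomains are dropped because
    the campaign rotates those freely while the registrable label stays put.
    """
    host = host.lower().rstrip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            rest = host[: -len(suffix) - 1]
            return rest.rsplit(".", 1)[-1], suffix
    parts = host.rsplit(".", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def typosquat_score(host):
    """Flag a registrable label that is a few edits away from a known brand."""
    label, suffix = registrable_label(host)
    brand, distance = min(((b, levenshtein(label, b)) for b in BRANDS),
                          key=lambda pair: pair[1])
    if 0 < distance <= LOOKALIKE_MAX_DISTANCE:
        return {"label": label, "suffix": suffix, "brand": brand, "distance": distance}
    return None


def decode_fragment_email(url):
    """Return an email address hidden as Base64 in the URL fragment, else None.

    The fragment never reaches the server, so this check has to run on the
    raw URL text (here, what the QR code decoded to), not on a fetched page.
    """
    fragment = urlsplit(url).fragment.strip()
    if not fragment:
        return None
    padded = fragment + "=" * (-len(fragment) % 4)  # kits often strip padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def triage(url):
    """Run both heuristics over one decoded QR URL and return the findings."""
    host = urlsplit(url).hostname or ""
    findings = {}
    squat = typosquat_score(host)
    if squat:
        findings["typosquat"] = squat
    email = decode_fragment_email(url)
    if email:
        findings["fragment_email"] = email
    return findings


# Constructed sample inputs. The fragment below is Base64 of "victim@example.com".
SAMPLE_URLS = (
    "https://www.robiox.com.py/users/123/profile",
    "https://stleamcommuunity.com/gift/33435345",
    "https://secure-login.sbs/#dmljdGltQGV4YW1wbGUuY29t",
    "https://www.roblox.com/users/1/profile",
)

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", triage(sample) or "no findings")
```

A distance of 0 against a brand on an unexpected suffix (for example the real brand name registered under .com.py) is deliberately not flagged by this heuristic and would need a separate allow-list of the brand's legitimate registrable domains; the typosquat check only catches labels that are near-misses of the brand name.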
Section IV
Where the sightings came from
The location of a sighting is one of the more interesting datapoints we have. Users only share their coordinates after seeing a malicious verdict — a privacy-by-design decision that means we do not collect location at all for the ~90% of scans that turn out to be safe. Even with that filter, 200 of the 207 high-confidence sightings have a coarse location attached, and they fall across 111 distinct one-degree-by-one-degree geographic cells.
Map LR-001: Coarse-cell sighting distribution (111 cells · 15 countries)
Each marker is a coarse one-degree cell where at least one high-confidence sighting landed. Geo is opt-in per the methodology below and reverse-geocoded to the nearest city.
A note on what these dots actually mean. The location records where a victim's phone was when they scanned — not where the QR code itself was physically posted. For the parking-meter sticker swaps and restaurant-table flyers that the press tends to focus on, the two coincide. For the gaming-credential campaigns that dominate 2026, the two often diverge. Steam and Roblox impersonation reaches victims primarily through digital channels: Discord direct messages ("I accidentally reported you", fake giveaway invites, server "verification" prompts), in-game chat, screenshots forwarded between phones, fake login pages on third-party sites that present a real-looking QR for the mobile app to scan, and posts on TikTok, YouTube, and X. A sighting in Darlington tells us that someone there opened a code; the code itself was likely generated by an attacker elsewhere and pushed into a Discord server, a screenshot, or a fake login page hours earlier.
Section V
How to read these reports
If you read one report from this site, read the 2026 dossier — it captures the campaign that is happening right now. If you have time for two, read 2025 next; it shows the shape of the BEC kits that 2026 has scaled up. We have left 2024 intentionally short. The platform had not been launched long enough for that period to matter, and the one sighting in it is more interesting as a historical curio than as a current threat.
We update these reports as new sightings arrive. Numbers in this section are accurate as of 2026-05-02.
Note on authorship. The narrative in this report was drafted with AI assistance from real production data — every sighting, stat, and VirusTotal link is verbatim from the IsThisQRSafe pipeline. The numbers and case files are not AI generated; only the prose around them is.
Sourcing & Methodology
All sightings in this report are real entries from the IsThisQRSafe production database. Each is a URL submitted by a real user who scanned a QR code with the camera-or-upload flow on web or mobile, then ran it through VirusTotal's roughly 90 scanning engines. We define a "sighting" as a URL flagged as malicious by three or more engines, a threshold that filters single-engine false positives while remaining sensitive enough to catch newly stood-up phishing infrastructure. The engines are not fully independent (several vendors consume shared blocklist feeds), so the threshold is a heuristic against single-source noise rather than a count of truly independent confirmations.
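To make the sighting definition reproducible, here is an added Python example (not the production pipeline's code) that reduces a VirusTotal API v3 `last_analysis_results` object, the per-engine verdict map the API returns for a URL, to the counts this report uses and buckets vendor labels into the three categories of Section I. The keyword rules that sort free-text vendor results into phishing, malware and generic malicious are an assumption about how labels were grouped, and the verdict object in the block is constructed, not a real report.

```python
# Added example: summarise a VirusTotal v3 "last_analysis_results" mapping
# (engine name -> {"category": ..., "result": ...}) the way this report counts it.
# The response shape follows the public VirusTotal API v3 documentation; the
# keyword rules in bucket_label() are an assumption, not the site's own logic.

SIGHTING_THRESHOLD = 3      # "high-confidence sighting" in this report
CONSENSUS_THRESHOLD = 10    # "overwhelming consensus" in this report


def bucket_label(result):
    """Sort a vendor's free-text result into phishing / malware / generic_malicious."""
    text = (result or "").lower()
    if "phish" in text:
        return "phishing"
    if any(word in text for word in ("malware", "trojan", "ransom", "dropper")):
        return "malware"
    return "generic_malicious"


def summarize(last_analysis_results):
    """Count malicious/suspicious verdicts and apply the report's two thresholds."""
    summary = {"engines": len(last_analysis_results), "malicious": 0, "suspicious": 0,
               "phishing": 0, "malware": 0, "generic_malicious": 0}
    for verdict in last_analysis_results.values():
        category = verdict.get("category")
        if category == "suspicious":
            summary["suspicious"] += 1
        elif category == "malicious":
            summary["malicious"] += 1
            summary[bucket_label(verdict.get("result"))] += 1
    # Only "malicious" counts toward the thresholds; "suspicious" is reported but
    # not trusted, and engines sharing feeds mean the count overstates independence.
    summary["is_sighting"] = summary["malicious"] >= SIGHTING_THRESHOLD
    summary["is_consensus"] = summary["malicious"] >= CONSENSUS_THRESHOLD
    return summary


# Constructed verdict map (not a real VirusTotal report): 4 malicious, 1 suspicious.
SAMPLE_RESULTS = {
    "VendorA": {"category": "malicious", "result": "phishing"},
    "VendorB": {"category": "malicious", "result": "phishing"},
    "VendorC": {"category": "malicious", "result": "malicious"},
    "VendorD": {"category": "malicious", "result": "malware"},
    "VendorE": {"category": "suspicious", "result": "suspicious"},
    "VendorF": {"category": "harmless", "result": "clean"},
    "VendorG": {"category": "undetected", "result": "unrated"},
}

if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS))
```

In a live integration the map is read from `data.attributes.last_analysis_results` of the URL object; the `last_analysis_stats` block gives the same malicious/suspicious totals but not the per-vendor labels needed for the phishing-versus-malware breakdown.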
Coarse location, when shown, is captured only when a user voluntarily shares it after seeing a malicious verdict, a privacy-preserving design choice that keeps location off our servers for the roughly 90% of scans that turn out to be safe. Locations are reverse-geocoded to the nearest city and discarded after the case file is published.