Emerging Threats in the Cryptocurrency Ecosystem: Malicious QR Codes

By: Roger A. Hallman
1 Introduction
Quick Response (QR) codes are two-dimensional barcodes that have become ubiquitous due to their convenience [16]. They offer mobile device users an efficient way to perform many actions, including navigating to websites with long, hard-to-type URLs and placing orders or paying bills in restaurants [19]. They are also common in the cryptocurrency ecosystem, as an easy way for users to share wallet addresses rather than long alphanumeric strings.
Originally developed in the 1990s for tracking automobile parts during manufacturing [16], QR codes transform input data into a matrix consisting of several components. Finder patterns are the three large squares in the corners of the symbol and enable orientation detection. Smaller alignment patterns (present in larger symbols) are used to correct perspective distortion. Alternating black and white timing patterns help the reader synchronize row and column positions. Format information encodes the error correction level and the mask pattern, and version information (in larger symbols) encodes the symbol size. Finally, data and error correction codewords carry the payload and the corresponding error correction data.
QR code scanners [19] use image processing techniques, including edge detection and perspective transformation, along with machine learning-based enhancements that improve scan reliability in low light or when the image is distorted. A scan proceeds in several steps. The code is captured with a camera. The image is processed with transformations such as binarization and geometric correction. Finder and alignment patterns are used to determine the code’s size and orientation. Finally, the binary grid is read, error correction is applied, and the data is reconstructed and handed to an application.
Error correction makes QR codes robust against damage and misreads, but it provides no authentication: a code that decodes cleanly may still have been created or replaced by an attacker, and QR codes pose a number of security risks [7]. These risks include phishing attacks [13], malware distribution [6], and physical tampering [2]. Moreover, the options available for verifying a QR code before acting on it are limited, which makes QR codes an enticing attack vector for criminals. This article explores the criminal use of fraudulent or malicious QR codes, with a focus on their impact on cryptocurrency users. Section 2 provides the reader with background on the use of QR codes in the cryptocurrency ecosystem, along with a deeper explanation of the security risks mentioned above. Case studies of malicious QR code-based attacks against cryptocurrency users are given in Section 3. Finally, concluding remarks are given in Section 4.
2 Background
Cryptocurrency users utilize QR codes for numerous reasons [15], especially usability and security. By encoding wallet addresses, payment amounts, and other transaction details in a machine readable format, the use of QR codes simplifies the transfer of funds by minimizing the risk of human error while manually inputting long, complex wallet addresses. Beyond simplifying wallet-to-wallet transfers and merchant payments, QR Codes may also be used for multi-factor authentication [3], as well as for offline storage and backup in paper wallets. The cryptocurrency ecosystem is built upon foundational principles of decentralization and relative anonymity, which makes crypto a prime target for cybercriminals [4].
“Malicious,” or fake, QR codes are QR codes that have been altered or designed by an adversary to deceive victims into performing unintended actions [10]. Examples of these unintended actions include unknowingly transferring cryptocurrency to an adversary’s wallet, downloading malware, or visiting a phishing website. These malicious QR codes are often printed onto stickers and deceptively placed on top of a legitimate QR code, and in many cases they direct victims to legitimate-looking websites.
As a QR code’s primary function is to encode data, such as a URL or payment address, in a scannable format, an attacker can exploit this simplicity by replacing legitimate, authentic data with fraudulent information. For example, the victim could be directed to a phishing URL which mimics a legitimate website [13], such as a cryptocurrency exchange or wallet interface. Once the QR code is scanned, the victim is routed to the fraudulent site, where credentials are harvested or unauthorized transactions are initiated.
As mentioned previously, common malicious QR code attacks involve phishing (commonly referred to as “quishing”), malware distribution, and unauthorized transactions. Quishing [13] occurs when an attacker embeds QR codes in phishing campaigns delivered via email, advertisements, flyers, or other media. Victims are directed to fraudulent websites designed to closely mimic the appearance of a legitimate service. In addition to directing victims to phishing websites, malicious QR codes can link to downloadable malware [6], such as trojans, botnet clients, or spyware that compromises the victim’s device. The attacker can then use the malware on the victim’s mobile device to pivot to other devices on networks that the phone connects to [14]. Finally, an attacker may encode a fraudulent cryptocurrency wallet address to trick the victim into transferring funds to the wrong recipient; because cryptocurrency transactions are irreversible, the funds are gone once the transaction confirms. Attackers frequently use this tactic in scams involving fake token swaps [5] and Bitcoin ATMs [12].
Malicious QR codes are a persistent threat for which cybersecurity researchers are developing countermeasures. While those proactive defenses are being developed, users can reduce the risk of falling for a malicious QR code by making a reasonable attempt to confirm the veracity of the embedded URL before acting on it [8]. Use a scanner that displays the full decoded URL before opening it, and check that the domain is spelled correctly and is the one expected. Everything after the “?” is the query string, where attackers hide redirect targets, tracking identifiers, and encoded payloads that make a long URL look routine; pasting the decoded URL into a link checker can help avoid known malicious URLs. For payments, compare the decoded wallet address against one obtained out of band (for example, printed on the receipt or shown on the merchant’s screen), since a sticker pasted over a legitimate code carries a perfectly well-formed address that simply belongs to the attacker. Moreover, some security software products include QR code checkers; however, these services mostly guard against known malicious QR codes and may not catch newly deployed ones.
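As an added example (not code from the article), the following Python performs the checks described above on the string a scanner hands back, before a wallet or browser acts on it: it parses a bitcoin: payment URI, validates a legacy address checksum, compares the address against one shown out of band (the defense against a sticker pasted over a merchant’s real code, as described earlier), and inspects a URL’s host and query string for the usual phishing tells (lookalike or typosquatted domain, userinfo before an “@”, internationalized host names, a URL buried in a query parameter). The allowlisted hosts, the sample payloads, and the merchant address are constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allowlist: the services this user actually intends to reach.
TRUSTED_HOSTS = ("example-exchange.com", "wallet.example.org")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_valid(addr: str) -> bool:
    """Legacy address = Base58Check(version || hash160): 25 bytes, the last 4 of
    which must equal the first 4 bytes of SHA256(SHA256(first 21 bytes))."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats of a trusted host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host: str) -> Optional[str]:
    """Return the trusted host that `host` imitates, or None if genuine or unrelated."""
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return None  # exact match or a real subdomain
    for trusted in TRUSTED_HOSTS:
        if edit_distance(host, trusted) <= 2 or trusted.split(".")[0] in host:
            return trusted
    return None


@dataclass
class Verdict:
    kind: str        # "payment", "url" or "unknown"
    target: str      # what the user must eyeball: the address or the host
    warnings: List[str] = field(default_factory=list)


def check_payload(payload: str, expected_address: Optional[str] = None) -> Verdict:
    """Classify a decoded QR string and collect reasons not to trust it. expected_address
    is the recipient shown out of band (receipt, terminal screen), which a sticker pasted
    over the merchant's real code cannot change."""
    payload = payload.strip()
    if payload.lower().startswith("bitcoin:"):  # BIP-21 payment URI
        addr, _, query = payload[len("bitcoin:"):].partition("?")
        v, params = Verdict("payment", addr), parse_qs(query)
        if not addr.lower().startswith("bc1") and not b58check_valid(addr):
            v.warnings.append("address fails Base58Check")
        if expected_address is not None and addr != expected_address:
            v.warnings.append("address differs from the recipient shown out of band")
        if "r" in params:  # BIP-72: the real destination comes from this server, not the QR
            v.warnings.append("payment-request URL present: " + params["r"][0])
        v.warnings += [f"unknown required parameter {k}" for k in params if k.startswith("req-")]
        return v
    parts = urlsplit(payload)
    if parts.scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        v = Verdict("url", host)
        if parts.scheme != "https":
            v.warnings.append("not HTTPS")
        if parts.username is not None:
            v.warnings.append("userinfo before '@' hides the real host")
        if "xn--" in host or any(ord(c) > 127 for c in host):
            v.warnings.append("internationalized host name; check for homoglyphs")
        imitated = lookalike(host)
        if imitated:
            v.warnings.append(f"host imitates {imitated}")
        # The query string after '?' is where redirect targets and encoded payloads hide.
        for key, vals in parse_qs(parts.query).items():
            if any(re.match(r"https?://", unquote(val)) for val in vals):
                v.warnings.append(f"query parameter '{key}' carries a URL (redirect target?)")
        return v
    return Verdict("unknown", payload, ["unrecognized scheme; do not open"])


# Constructed sample payloads, as a scanner would hand them to an app.
SAMPLES = {
    "genuine payment": "bitcoin:1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa?amount=0.01&label=Coffee",
    "sticker swap": "bitcoin:1111111111111111111114oLvT2?amount=0.01",  # well-formed address, wrong payee
    "quishing link": "http://example-exchange.com.verify-login.net/?next=https%3A%2F%2Fexample-exchange.com",
    "typosquat": "https://examp1e-exchange.com/wallet",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():  # the merchant's receipt shows the first address
        v = check_payload(payload, expected_address="1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa")
        print(f"{name:16} {v.kind:8} {v.target}  {'; '.join(v.warnings) or 'OK'}")
```

The address checksum only proves that the string is a well-formed address, not that it belongs to the intended payee; the out-of-band comparison is what catches a sticker overlay, and it is the one check a scanner cannot do on its own. Bech32 (bc1...) addresses are passed through here without checksum validation, so a real wallet would add that.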
Deep learning and artificial intelligence show great potential in the fight against malicious QR codes. For instance, Pawar, et al. [11] studied the problem of malicious QR code detection as a binary classification problem, and tested several common machine learning algorithms to determine their efficacy at classifying QR codes as legitimate or malicious. Specifically, the authors trained K-Nearest Neighbors (KNN), Random Forest (RF), Support Vector Machine (SVM), and Bidirectional Long Short-Term Memory (Bi-LSTM) algorithms, and developed a prototype scanner for real time QR code analysis. They found that their Bi-LSTM, a deep learning architecture, outperformed other algorithms, achieving nearly 84% accuracy.
Similarly, Wahsheh and Al-Zahrani [17] examined two approaches to malicious QR code detection, experimentally evaluating Fuzzy Logic and Multilayer Perceptron classifiers. Both exceeded 82% accuracy, with the Multilayer Perceptron marginally ahead. The authors then built a QR code scanner around the Multilayer Perceptron that displays the full URL and validates it before the user proceeds, in addition to its learned detection capability.
More recently, Ford and Strohmier Berry [9] developed a Convolutional Neural Network (CNN) classifier-based scanner capable of differentiating between benign and malicious QR codes. Their scanner performed impressively over several training epochs, achieving better than 99% accuracy in classifying malignant and benign QR codes. However, accuracy eventually dropped below 74%, which suggests that the model was overfit to the training data and less able to generalize. Overfitting is always a risk with machine learning models: the model memorizes the training data rather than learning features that transfer to unseen inputs, leading to erroneous results. Potential liability from erroneous results (e.g., blocking a benign QR code as “malignant,” or passing a malicious one) will limit the adoption of machine learning-based defenses against malicious QR codes, so improved and consistent accuracy will be imperative before they are incorporated into commercially deployable cybersecurity tools.
3 Case Studies
The financial losses caused by cryptocurrency theft via malicious QR codes are staggering. Individual investors have lost significant portions of their portfolios, and businesses can face serious damage to their reputations. Savvy, technically sophisticated cryptocurrency enthusiasts may be better equipped to detect attempted theft. However, the rapid growth of the cryptocurrency ecosystem means that an influx of newcomers, who are not as technically literate as crypto veterans, are at risk of losing their funds to these attacks. Many feel betrayed by systems that they believed to be secure.
Cryptocurrency thieves are using malicious QR codes as an element of schemes to steal funds from people who use Bitcoin ATMs [18, 12]. Interestingly, while many investment schemes and similar scams target younger people, nearly all victims of scams involving Bitcoin ATMs are approaching or beyond retirement age. A typical scam will involve a victim being contacted by somebody purporting to be a customer service representative or law enforcement agent working on an account breach, identity theft, or other serious matter. They will provide the victim with a QR code connected to a digital wallet, with instructions to scan the code and deposit cash into a Bitcoin ATM. While the victim believes that they are protecting their money, they are in fact transferring funds to the scammer’s wallet. The United States Federal Trade Commission estimates that losses from these types of scams exceeded $110,000,000 in 2023.
Another class of scams targets over-the-counter (OTC) swaps, in which investors acquire cryptocurrency through wallet-to-wallet transactions rather than through exchanges, attracted by lower than market rate transaction fees [5]. Scammers will often offer victims tokens such as Tron’s TRX in exchange for longer-term cooperation, and even make small USDT payments in order to gain the victim’s trust. The scammer then sends the victim a QR code under the guise of a “repayment test.” The QR code directs the victim to a website that instructs them to confirm the alleged test transaction; clicking the “confirm” button has the victim approve a transaction that hands the scammer authorization over their wallet, after which the funds are drained. The blockchain analysis firm Bitrace identified 27 instances of this scam in a single week in July 2024, with collective losses of approximately $120,000, all involving the same wallet. The scammers then funneled the stolen cryptocurrency through multiple intermediary wallet addresses before laundering the funds through Huione, a Cambodian crypto exchange.
Fake QR code generators [1] are a long-running scam: websites that purport to generate wallet QR codes, targeting merchants who accept Bitcoin in addition to fiat currency. Customers who scan these codes to make a payment receive a message stating that they can speed up their transaction for a small additional fee of, say, 0.001 BTC. This mimics the idea of network fees (such as gas on Ethereum), but a Bitcoin transaction’s fee is paid to miners inside the transaction itself and is never a separate payment to another address, so the request itself is a giveaway. The scam is perplexing because the ability to generate legitimate QR codes is built into virtually every cryptocurrency wallet and many exchanges.
4 Conclusions
QR code adoption is a component of broader technology adoptions, including mobile platforms and cryptocurrency. Their increasing usage has introduced both conveniences and vulnerabilities. QR codes streamline payments and improve usability; however, their susceptibility to malicious manipulation has made them an attractive target for cybercriminals. As highlighted in the case studies above, attacks leveraging malicious QR codes have led to significant financial losses, particularly for less experienced users, as well as businesses accepting Bitcoin. The anonymity and decentralization inherent in cryptocurrency transactions further complicate recovery efforts, which leaves victims with few options for recourse.
There are ongoing efforts to combat malicious QR codes, particularly utilizing machine learning classifiers which show promise in adapting as scammers and criminals refine and adapt their tactics. While these tools are not yet ready for broader, commercial deployment, they will eventually buttress existing available tools which are currently bundled into security software suites. In the meantime, vigilance and good cyber habits (e.g., not scanning random QR codes) are probably the most effective defense against falling victim to malicious QR code scams.
References
[1] Bitcoin thieves use malicious qr code readers to steal $45,000 this month. Bitdefender Blog (March 31, 2020). https://www.bitdefender.com/en-us/blog/hotforsecurity
[2] Ahuja, S. Qr codes and security concerns. International Journal of Computer Science and Information Technologies 5, 3 (2014), 3878–3879.
[3] Ali, G., Dida, M. A., and Elikana Sam, A. A secure and efficient multi-factor authentication algorithm for mobile money applications. Future Internet 13, 12 (2021), 299.
[4] Averin, A., and Zyulyarkina, N. Malicious qr-code threats and vulnerability of blockchain. In 2020 Global Smart Industry Conference (GloSIC) (2020), IEEE, pp. 82–86.
[5] Bitrace. Beware of scanning unknown payment qr codes: Funds stolen instantly. Medium (August 8, 2024). https://medium.com/@bitracetech/beware-of-scanning-unknown-payment-qr-codes-funds-stolen-instantly-788cd
[6] Cargrill, K., Abegaz, T., Parra, L. C., and DaSouza, R. Scan me: Qr codes as emerging malware delivery mechanism. In Proceedings of the Future Technologies Conference (2023), Springer, pp. 611–617.
[7] Cerf, V. G. On qr codes and safety. Communications of the ACM 66, 2 (2023), 7–7.
[8] FBI El Paso Field Office. Fbi tech tuesday: Building a digital defense against qr code scams, September 19, 2023. https://www.fbi.gov/contact-us/field-offices/elpaso/news/fbi-tech-tuesday-building-a-digital-defense-against-qr-code-scam
[9] Ford, J., and Berry, H. S. Feasibility of machine learning-enhanced detection for qr code images in email-based threats. In 2024 Cyber Awareness and Research Symposium (CARS) (2024), IEEE, pp. 1–9.
[10] Kharraz, A., Kirda, E., Robertson, W., Balzarotti, D., and Francillon, A. Optical delusions: A study of malicious qr codes in the wild. In 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (2014), IEEE, pp. 192–203.
[11] Pawar, A., Fatnani, C., Sonavane, R., Waghmare, R., and Saoji, S. Secure qr code scanner to detect malicious url using machine learning. In 2022 2nd Asian Conference on Innovation in Technology (ASIANCON) (2022), IEEE, pp. 1–8.
[12] Schram, L. E. Bitcoin atm fraudsters scam seniors out of $110m: report. New York Post (August 31, 2024). https://nypost.com/2024/08/31/us-news/bitcoin-atm-scammers-target-senior-citizens-as-overall-cases-surge-tenfold/.
[13] Sharevski, F., Devine, A., Pieroni, E., and Jachim, P. Phishing with malicious qr codes. In Proceedings of the 2022 European Symposium on Usable Security (2022), pp. 160–171.
[14] Sivaraman, V., Chan, D., Earl, D., and Boreli, R. Smart-phones attacking smart-homes. In Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks (2016), pp. 195–200.
[15] Suratkar, S., Shirole, M., and Bhirud, S. Cryptocurrency wallet: A review. In 2020 4th international conference on computer, communication and signal processing (ICCCSP) (2020), IEEE, pp. 1–7.
[16] Tiwari, S. An introduction to qr code technology. In 2016 international conference on information technology (ICIT) (2016), IEEE, pp. 39–44.
[17] Wahsheh, H. A., and Al-Zahrani, M. S. Secure real-time computational intelligence system against malicious qr code links. International Journal of Computers Communications & Control 16, 3 (2021).
[18] Wile, R., and Romans, C. Bitcoin atm scams are soaring — and older adults are increasingly the victims. NBC News (August 30, 2024). https://www.nbcnews.com/business/business-news/bitcoin-atm-scams-surge-disproportionately-duping-older-adults-rcna
[19] Yan, L.-Y., Tan, G. W.-H., Loh, X.-M., Hew, J.-J., and Ooi, K.-B. Qr code and mobile payment: The disruptive forces in retail. Journal of Retailing and Consumer Services 58 (2021), 102300.