QR Codes Can Hide Malicious Wallet Addresses

QR Codes Can Hide Malicious Wallet Addresses

QR codes make it easy to hide address manipulation

You cannot read what is inside them without scanning first.

QR codes solve a real problem in crypto. Long wallet addresses are hard to type accurately. One wrong character and your crypto goes to the wrong place.

QR codes let you scan instead of type. This seems safer and more convenient.

The problem is that QR codes hide their contents. You scan first, then see the address. This creates a window for attackers to slip in malicious addresses.

Where QR code attacks happen

Malicious QR codes appear in several common places.

Fake payment requests arrive through email or messaging apps. The QR code looks legitimate but contains the attacker's address instead of the intended recipient.

Compromised websites display QR codes for donations or payments. The code appears normal but redirects funds to criminal wallets.

Physical locations can have malicious QR codes. Attackers place stickers over legitimate codes at crypto ATMs or payment terminals.

Screen sharing during video calls creates another attack vector. Someone shows a QR code on screen that appears to be for a legitimate transaction.

Social media posts and forums often contain QR codes for tips or donations. These can be switched out by attackers who edit posts or comments.

Malware targeting QR codes

Some malware specifically targets QR code generation and scanning.

Screen capture malware can detect when QR codes appear on your device. It replaces the displayed code with one containing the attacker's address.

Mobile malware can intercept QR scanning apps. When you scan a legitimate code, the malware shows you a different address than what the code actually contains.

Clipboard monitoring works with QR codes too. After you scan a code and the address appears, malware can swap it for a different address before you confirm the transaction.

A real world scenario

A user wanted to send crypto to a friend.

The friend sent a QR code through a messaging app.

The user scanned the code and saw what looked like the correct address format.

They sent the transaction without double-checking the address with their friend.

The crypto went to an attacker who had compromised the messaging account and replaced the QR code.

How to verify QR codes safely

Always verify QR code contents before sending crypto.

• Scan the code and check the full address against a known good source
• Contact the recipient through a different communication method to confirm the address
• Start with a small test transaction when using QR codes from untrusted sources
• Use QR scanning apps that display the full address clearly before taking action
• Cross-reference addresses with previous successful transactions to the same recipient

How hardware wallets help with QR verification

Hardware wallets provide better QR code verification than software wallets.

The device screen shows you the complete destination address before signing any transaction. This gives you a chance to verify the address matches what you intended to send.

Many hardware wallets can also generate QR codes for receiving addresses. This ensures the QR code matches the address generated by your device rather than being created by potentially compromised software.

Unsure which security features matter most

Some users prioritize transaction speed and convenience.

Others focus on verification steps that prevent address-based attacks.

The right security approach depends on your transaction patterns and risk tolerance.

You can use our wallet selector to find a suitable hardware wallet based on verification features.

Find the right wallet in under a minute

Final thought

QR codes solve the typing problem but create a verification problem. The solution is never skipping the verification step.