An analysis of Bitcoin QR code generators reveals the precarious state of basic security in the cryptocurrency sphere.
A report from ZenGo shows four out of the top five QR code generators listed on Google’s front page are controlled by scammers. When a user tries to create a QR code for their Bitcoin address, the malicious websites generate a QR code for the scammer’s own wallet.
At least $20,000 can be linked to the malicious addresses – likely a fraction of the total amount stolen over the years.
Rather than type out their 34-character address for every transaction, a cryptocurrency user has the option of generating a QR code. Essentially acting as a personal barcode, the QR code links back to the user’s wallet address. When a vendor needs to receive a transaction, all the buyer has to do is scan it with their smartphone.
The QR code has become a staple of the cryptocurrency space in recent times. QR codes are used by vendors, content creators, and tippers on a constant basis – all over the internet.
That makes ZenGo’s findings all the more troubling. When “Bitcoin QR Generator” is typed into Google, four out of the top five results turn out to be scams.
The method used by the scammers is very simple. They just replace the user’s wallet address with their own. Furthermore, when a user copies an address to their clipboard in order to paste it, the websites silently replace the address with the scammer’s.
The malicious websites also prove very adaptive – producing fake addresses for any of Bitcoin’s multiple address formats, making the fakes even harder to detect. An analysis of the code underlying the web pages reveals that some scammers don’t even use their own QR generators. Instead, they import the generator used on the popular Blockchain.com website.
The following websites and addresses have been identified as fraudulent, and have been reported to relevant authorities.
One address collected 0.58 Bitcoin in just two months – equivalent to around $5.5k. In total, over $20,000 was found spread across the four addresses listed.
ZenGo recommends that people don’t use Google when they want to generate Bitcoin QR codes, but instead use a trusted website like a blockchain explorer (most offer them for free). Users should also scan the QR code with their phones before using it to make sure it links to their own address.
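The check ZenGo recommends (scan the code and confirm it points at your own address) can be automated at the point where the scanned payload is read. The script below is an added example, not code from ZenGo or from any of the sites discussed: it parses a scanned `bitcoin:` URI or bare address, validates the checksum of whichever format it is in (Base58Check for `1…`/`3…` addresses, bech32/bech32m for `bc1…`), and reports whether it matches the address you expected. This also covers the swap-across-formats trick described above, since a substituted address of a different format is flagged as a mismatch. The sample addresses in `demo()` are constructed from fixed hash bytes purely for illustration.

```python
"""Verify that a scanned Bitcoin QR payload encodes the address you own.

Added example (not ZenGo's code). Assumes BIP21-style 'bitcoin:' URIs
and mainnet address formats only.
"""
import hashlib
from typing import Optional
from urllib.parse import parse_qs

# ---- Base58Check: legacy '1...' (P2PKH) and '3...' (P2SH) addresses ----
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_encode(version: int, payload: bytes) -> str:
    """Build an address from a version byte and a 20-byte hash (used for demo data)."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # each leading zero byte becomes '1'
    return "1" * pad + out


def base58check_valid(addr: str) -> bool:
    """True if addr is Base58, decodes to 25 bytes and its 4-byte checksum verifies."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))      # restore leading zero bytes
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


# ---- bech32 / bech32m: native segwit 'bc1...' addresses (BIP173 / BIP350) ----
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _bech32_polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr: str) -> bool:
    """True if a mainnet 'bc1...' address carries a valid bech32 or bech32m checksum."""
    if addr != addr.lower() and addr != addr.upper():
        return False                              # mixed case is invalid by spec
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if hrp != "bc" or len(data) < 6 or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _bech32_polymod(hrp_expanded + values) in (1, 0x2BC830A3)


def classify_address(addr: str) -> Optional[str]:
    """Return 'p2pkh', 'p2sh' or 'bech32' for a well-formed address, else None."""
    if addr.lower().startswith("bc1"):
        return "bech32" if bech32_valid(addr) else None
    if addr[:1] in ("1", "3") and base58check_valid(addr):
        return "p2pkh" if addr[0] == "1" else "p2sh"
    return None


def parse_bitcoin_uri(payload: str) -> dict:
    """Split 'bitcoin:<address>?amount=..&label=..' (or a bare address) into parts."""
    if payload.lower().startswith("bitcoin:"):
        address, _, query = payload[len("bitcoin:"):].partition("?")
        params = {k: v[0] for k, v in parse_qs(query).items()}
    else:
        address, params = payload, {}
    return {"address": address.strip(), "params": params}


def verify_qr_payload(payload: str, expected_address: str) -> dict:
    """Verdict on a scanned payload: which address it carries and whether it is ours."""
    found = parse_bitcoin_uri(payload)["address"]
    kind = classify_address(found)
    if found.lower().startswith("bc1"):
        same = found.lower() == expected_address.lower()   # bech32 is case-insensitive
    else:
        same = found == expected_address                    # Base58 is case-sensitive
    return {"address": found, "format": kind, "matches_expected": same and kind is not None}


def demo() -> dict:
    """Constructed scenario: a genuine QR payload versus one with a swapped address."""
    own = base58check_encode(0x00, hashlib.sha256(b"constructed owner key").digest()[:20])
    other = base58check_encode(0x00, hashlib.sha256(b"constructed other key").digest()[:20])
    return {
        "genuine": verify_qr_payload(f"bitcoin:{own}?amount=0.01&label=shop", own),
        "swapped": verify_qr_payload(f"bitcoin:{other}?amount=0.01&label=shop", own),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Run it on the text a QR reader hands back; a `matches_expected` of `False` means either the address was swapped or the payload is not even a valid address of any supported format, and in both cases the payment should not be sent.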