QR code fraud is rising, so a Johns Hopkins team built a system to sniff out fakes

Johns Hopkins researchers have created an AI-powered weapon against one of the internet’s fastest-growing threats: QR code scams that have skyrocketed by more than 2,400% over the last five years. The team’s AP3X Secure QR Codes Infrastructure can detect and block malicious QR codes—from fake charity phishing emails to bogus traffic fine texts—before users get fooled.

Their results, presented at the 2025 IEEE 15^th Annual Computing and Communication Workshop and Conference, appear on IEEE Xplore.

Lanier Watkins.

“This study exemplifies the effective application of artificial intelligence to cybersecurity challenges, demonstrating the potential to deliver threat detection and response capabilities that significantly exceed those achievable through traditional human analysis alone,” says team member Lanier Watkins, assistant technical director of the Johns Hopkins Information Security Institute and chair of the Whiting School of Engineering’s Engineering for Professionals’ programs in computer science and cybersecurity.

The research, which was led by Luis Rivas, who graduated from the Whiting School of Engineering’s Information Security Institute’s Master of Science in Security Informatics program in 2024, uses AI and trusted third-party tools to detect QR codes that could be dangerous. The team’s system scans for unusual patterns in QR codes, signals when something could be risky, and then uses four machine learning models—programs that are trained to recognize both standard and malicious QR codes—to block them.

“QR codes have become a gateway for seamless interaction, but also a growing attack surface across multiple attack vectors. This work demonstrates how AI-driven detection can proactively identify and neutralize malicious QR threats before users are compromised,” said Rivas.

The team’s next steps will focus on cloud-related attacks, where hackers could use QR codes to gain access to sensitive systems. The AP3X solution was designed to predict and mitigate threats to systems, with the goal for website developers to deploy the solution on their sites to protect consumers. Additionally, AP3X does not require users to install new applications, but rather allows them to scan or upload the codes to receive predictions about the safety of the codes, the researchers say.