TOPICS 

    Subscribe to our newsletter

     By signing up, you agree to our Terms Of Use.

    FOLLOW US

    • About Us
    • |
    • Contribute
    • |
    • Contact Us
    • |
    • Sitemap
    封面
    NEWS

    Scan Scam: Criminals Redirect China’s Public QR Codes to Porn

    Government-registered codes whose associated web domains have expired are being rerouted by criminals to scams or pornographic websites, making scanning everything from street lamps to public vehicles a potential risk.
    Jul 09, 2026#crime

    China’s QR codes — a hallmark of daily life in the country — are increasingly being hacked by criminals, redirecting users to pornographic and other illegal websites, according to an investigation published July 7 by state broadcaster CCTV. 

    Beijing’s municipal government introduced public QR codes in the capital in 2016 as part of “smart city management,” touting it as a way to collect feedback to help cities run more efficiently. Streetlights, bus stops, and mailboxes were gradually affixed with QR, or quick-response, codes so citizens could access facility information or submit repair requests by scanning them with their smartphones. The rest of the country soon followed.

    CCTV’s report described an incident in March in which an online user reported scanning a QR code on the windshield of a public park’s shuttle bus in the eastern city of Suzhou, only to be redirected to a pornographic website. Park management told the reporter that the vehicle’s QR code had been hijacked after becoming invalid. 

    Similarly, in February, a Beijing resident shared screenshots revealing that a QR code on a street pole that they had reportedly scanned redirected to porn. CCTV found that the domain, registered through the capital’s official internet content provider (ICP) licensing system — mandatory for Chinese website registration — had expired on Feb. 27. Social media users reported that the code redirected to a pornographic website shortly after that date. 

    When the reporter called the ICP license holder — seemingly a technology company — to investigate, staff hung up, and subsequent calls were ignored. Upon visiting two physical addresses registered to the business, the reporter found an abandoned industrial space and an apparently unrelated office.

    Unable to reach the company, CCTV filed a complaint through China’s 12345 citizen service hotline. Several days later, staff from Beijing’s Chaoyang District Urban Management Committee responded that the issue had been resolved. 

    CCTV also conducted spot tests on municipal QR codes at bus stops, lampposts, and mailboxes, finding that many codes were invalid.

    The report goes on to describe how many social media users across the country had reported QR codes — not only at public facilities but also on children’s educational materials and toy packaging — that redirected to illegal websites.

    Cybersecurity experts told domestic media that QR codes themselves have no built-in security, and the danger lies in the websites they direct to. They pointed out how criminals can easily hijack the web addresses associated with expired QR code domains — typically valid for one to 10 years — thereby turning QR codes into entry points not just for pornography but also for scams and data theft. 

    In China, individuals and businesses must purchase website names from accredited domain registrars or companies authorized by official internet governing bodies to sell and administer website registration. Prices vary based on the domain’s length and catchiness, and typically range from several thousand to over 10,000 yuan ($1,470) for a one-time registration.

    According to industry experts, while managing a city via QR codes may have been a good initiative, public QR code failures reveal security gaps in urban management. Moving forward, they recommend that governments give greater consideration to the issue of criminals hacking QR codes and domain names after they have been discontinued. 

    Editor: Marianne Gunnarsson.

    (Header image: VCG)