Is Your QR Code Generator Safe?

What Trend Micro found when they tested the top-ranked QR generators on Google and Bing, and how to protect your printed campaigns.

Last reviewed: 2026

In December 2025, Trend Micro Japan published a security advisory after testing QR generator websites that appeared near the top of Google and Bing results for the Japanese query "QRコード 生成". Their team generated QR codes on 2025-11-13, then re-tested them on 2025-11-21 and found that two tested services no longer reached the intended destination: one inserted an ad-like landing page and the other showed a reactivation/payment page. Trend Micro also connected the broader risk to separate incidents involving malicious redirects and physically pasted QR stickers. This guide summarises those verified findings, walks through the Japanese source cases, shows how to run a one-minute vendor check before printing, and explains why browser-only static encoders reduce this specific counterparty risk.

This is not an abstract risk. Gakushuin University reported on 2023-10-30 that the QR code printed in its "University Guide 2024" brochure was redirecting to an unauthorized destination and asked readers not to use that printed code. Aeon Financial Service issued a separate 2023-12-25 warning after it confirmed cases where QR codes on corporate direct mail led to fraudulent sites asking for payment-card details. Those are not the same as Trend Micro's 8-day generator test, but they show why a printed QR is a long-lived dependency: once the pattern is on paper, any redirect layer outside your control becomes part of your supply chain.

Physical tampering is the other side of the same problem. The University of Electro-Communications reported on 2025-10-24 that suspicious QR-code stickers had been attached to its Keio Line train advertisements, even though the official ads did not include QR codes. The university removed the affected ads, checked all train ads that day, and advised readers to watch for stickers or other signs of tampering before scanning. For business-critical prints such as packaging, signage, school materials, and regulated-industry documents, your operational checklist needs to cover both the decoded URL and the physical surface carrying the code.

The technical reason static codes are safe is worth spelling out. A QR matrix is just a 2D barcode with error-correction. When a reader decodes the dark/light modules, it gets the exact text that was encoded — no callback, no lookup, no resolver. If that text is `https://your-domain.example/page`, the scanner simply opens that URL. There is no intermediate service in the scan path. Contrast this with a dynamic code sold by a third-party vendor: the encoded text is `https://vendor.example/r/abc123`, and the scanner has to hit the vendor's redirector, which performs an HTTP 302 to whatever the vendor's database currently says. Every one of those layers is a place where ownership, operator, DNS, TLS certificate, or legal entity can quietly change over time.

QRMint is designed to remove this entire class of risk for the static use case. The generator runs inside your browser using JavaScript and the Canvas API. The text you type is turned into pixels on your machine; nothing about the payload is ever transmitted to qrmint.app. When you click download, the browser writes a PNG, SVG, PDF, or WEBP from local memory. Even if qrmint.app itself were taken offline tomorrow, a pattern you already downloaded today would continue to resolve to the URL you encoded, forever, with zero dependency on our infrastructure. That is what "browser-only" actually means in practice — and it is the mechanical reason we cannot take your codes hostage even if we wanted to.

What Trend Micro found in just 8 days

  • Day 0 (2025-11-13): Trend Micro records top results
  • ~8 days: Domains & operators quietly shift
  • Day 8 (2025-11-21): Multiple gone or malicious

Static QR vs Dynamic QR (counterparty-risk view)

| | Static QR | Dynamic QR (3rd-party) |
|---|---|---|
| Third-party redirector in scan path | None | Yes (hostage risk) |
| Impact if service shuts down | Still works | All codes break |
| Expiration | Never | Up to vendor |
| Ownership | You | Vendor |

Primary source
"Out of the QR code generator services that ranked at the top of search engine results, several were no longer visually identifiable when we re-checked 8 days later on 2025-11-21."
Trend Micro Japan: "QR Code Generation Guide for Businesses" (published 2025-12-19)

Step-by-step Guide

1. Read what Trend Micro actually tested

Trend Micro Japan searched "QRコード 生成" on Google and Bing on 2025-11-13 and tested generator services shown in those results. On 2025-11-21 — 8 days later — two tested services no longer took scanners directly to the intended destination. One inserted an ad-like page before the destination; the other showed a reactivation/payment page. The advisory documents the methodology and separates this test from malicious redirect and physical-tampering incident examples.

Trend Micro Japan — QR Code Generation Guide for Businesses (2025-12-19)

2. Understand the "dynamic hostage" business model

Most "free" services actually hand you a dynamic code, meaning the printed pattern points to their own short-URL redirector, not to your real URL. When their service shuts down, pivots to a paid plan, is sold to a different operator, or has its domain seized, every pattern they ever issued silently redirects somewhere else. You do not control the DNS, the redirect table, the TLS certificate, or the legal entity that owns any of it. That is true even for services that sound "static" in marketing copy — decode the output and check for yourself.

3. Know the three concrete attack patterns

Three distinct failure modes show up across Trend Micro's advisory and the Japanese incident sources. Each of these is an independent risk vector, so a single-layer defense is not enough:

  • Redirect dependency: a printed code points to a URL shortener or QR vendor domain, and the destination later changes outside your control.
  • Trial / paywall expiration: a free service starts inserting an ad page or a reactivation/payment screen before the intended destination.
  • Physical tampering: attackers paste a QR sticker on top of, or next to, legitimate printed material in the real world.

4. Run a 1-minute safety audit before you print

Before you commit any pattern to paper, packaging, or signage, run through this short checklist. Each item takes seconds and collectively they catch the overwhelming majority of structurally unsafe vendors:

  • Decode the output with a raw scanner and verify it encodes your URL directly, not a third-party redirector.
  • Search for the vendor name together with "shutdown" and "expired", limited to the last 12 months. Reddit threads surface this fast.
  • Check WHOIS for the vendor domain: creation date, registrant country, expiration date. Anything under 2 years old is higher risk; anything expiring in the next 6 months is a red flag.
  • Look for a verifiable legal entity: registered company name, street address, phone number, and in Japan an invoice registration number (適格請求書発行事業者登録番号).
  • Read the terms of service for the exact words "we may disable", "discontinue", or "suspend" — the absence of a written continuity commitment is itself a data point.
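
The first checklist item can be automated once a raw scanner has given you the decoded text. The function below is an added example, not code from QRMint or Trend Micro; the `OWNED_DOMAINS` list, the verdict names and the sample payloads are assumptions chosen for illustration.

```javascript
// Added example: classify the text a raw scanner decoded from a QR image.
// OWNED_DOMAINS is an assumption: list the domains your organisation controls.
const OWNED_DOMAINS = ["your-domain.example"];

function classifyPayload(decoded, owned = OWNED_DOMAINS) {
  let url;
  try {
    url = new URL(decoded.trim());
  } catch {
    return { verdict: "not-a-url", notes: [] };
  }
  // Strings such as "WIFI:S:guest;;" parse as URLs with an unusual scheme.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { verdict: "not-a-url", notes: [`scheme ${url.protocol}`] };
  }
  const notes = [];
  if (url.protocol === "http:") notes.push("cleartext http");
  // "https://your-domain.example@vendor.example/" opens vendor.example.
  if (url.username || url.password) notes.push("userinfo before host");
  // The URL parser lowercases the host; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  // Punycode labels can hide lookalike characters, so flag them for review.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    notes.push("punycode label");
  }
  // Match on a label boundary so "your-domain.example.vendor.example" fails.
  const own = owned.some((d) => host === d || host.endsWith("." + d));
  return { verdict: own ? "own-domain" : "third-party", host, notes };
}

// Constructed sample payloads (not taken from any real service).
const SAMPLES = [
  "https://your-domain.example/page",
  "https://vendor.example/r/abc123",
  "https://your-domain.example@vendor.example/r/abc123",
  "https://your-domain.example.vendor.example/page",
  "WIFI:S:guest;;",
];
for (const s of SAMPLES) console.log(classifyPayload(s).verdict, s);
```

Only an `own-domain` verdict with an empty `notes` list should go to print without further review.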

5. Prefer browser-only static encoders

A static encoding embeds your URL directly into the dot pattern. There is no third-party redirector in the scan path, no expiration, no trial, no hostage risk. As long as your own domain works, the code works — forever. QRMint performs the encoding entirely inside your browser using JavaScript and the Canvas API; nothing about your payload is ever transmitted to qrmint.app. Even if qrmint.app itself disappeared tomorrow, every pattern you already downloaded would continue to resolve to the URL you encoded, indefinitely, with zero dependency on our servers.

6. If you truly need a dynamic code, reduce counterparty risk

Dynamic codes are legitimately useful for A/B testing, analytics, and post-print URL updates. If you need them, pick a provider that satisfies every item below. The goal is to push as much of the infrastructure inside your own blast radius as possible:

  • A long operating history (multi-year domain registration, verifiable company age).
  • A transparent legal entity with a published address, phone, and tax / invoice registration number.
  • A paid (not ad-supported) business model so incentives are aligned with uptime.
  • An export path: the ability to re-issue all codes under your own domain on short notice.
  • A written data-retention, incident-response, and shutdown migration policy you can archive locally.
  • Native redirects on the vendor's own domain, with no chained third-party URL shortener in the scan path.
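
To check the last item, and to repeat on your own codes the kind of re-test Trend Micro ran, you can audit the redirect chain a dynamic code produces. This is an added example, not vendor or QRMint code: the hop records are constructed (status code and `Location` header of each response, as you would note them down), and the `policy` fields, hostnames and the `/reactivate` path are assumptions.

```javascript
// Added example: audit a recorded redirect chain for one dynamic QR code.
// policy.vendor, policy.owned and policy.intended are values you supply.
function inside(host, domains) {
  return domains.some((d) => host === d || host.endsWith("." + d));
}

function auditChain(startUrl, hops, policy) {
  const findings = [];
  let current = new URL(startUrl);
  hops.forEach((hop, i) => {
    if (!inside(current.hostname, [policy.vendor, ...policy.owned])) {
      findings.push(`hop ${i}: third-party host ${current.hostname}`);
    }
    if (current.protocol !== "https:") findings.push(`hop ${i}: not HTTPS`);
    // A Location header may be relative, so resolve it against this hop.
    if (hop.status >= 300 && hop.status < 400 && hop.location) {
      current = new URL(hop.location, current);
    }
  });
  if (current.href !== new URL(policy.intended).href) {
    findings.push(`final page ${current.href} is not the intended destination`);
  }
  return findings;
}

// Constructed hop records for three scans of the same printed code.
const POLICY = {
  vendor: "vendor.example",
  owned: ["your-domain.example"],
  intended: "https://your-domain.example/page",
};
const START = "https://vendor.example/r/abc123";
const CLEAN = [{ status: 302, location: "https://your-domain.example/page" }, { status: 200 }];
const AD_PAGE = [{ status: 302, location: "https://ads.thirdparty.example/land?to=abc123" }, { status: 200 }];
const PAYWALL = [{ status: 302, location: "/reactivate?code=abc123" }, { status: 200 }];

for (const [name, hops] of Object.entries({ CLEAN, AD_PAGE, PAYWALL })) {
  console.log(name, auditChain(START, hops, POLICY));
}
```

Only header-level hops are recorded here, so an interstitial that forwards by script or meta refresh shows up as a final-page mismatch rather than as an extra hop.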

Tips & Best Practices

  • For anything you print — business cards, menus, posters, packaging — use static QR codes. The one-time cost of picking the right tool is much lower than a reprint.
  • Before trusting a service, scan their own output with a raw scanner. If the QR decodes to a URL on their domain instead of yours, it is dynamic and hostage-prone.
  • Check the WHOIS creation date of the generator domain. Anything less than 2 years old is higher risk.
  • If the service requires sign-up to download, ask yourself why — static QR generation needs zero account.
  • For enterprise use, require the vendor to provide a legal entity, support phone, and a written data-retention and shutdown policy.
  • Scan every freshly printed QR in production conditions (dim light, angle, distance) before mass printing. Use our free browser scanner to verify locally.

FAQ

What did Trend Micro find after 8 days?
Trend Micro Japan published the 8-day re-test on 2025-12-19 after running the experiment on November 13 and November 21, 2025. The verified result was narrower than "malicious": two tested services no longer took scanners directly to the intended destination. One inserted an ad-like page; another showed a reactivation/payment page. The full advisory is available at https://www.trendmicro.com/ja_jp/jp-security/25/l/expertview-20251217-01.html.

How do I tell if my existing QR code is static or dynamic?
Scan it with any plain QR scanner (including the scanner on this site). If the decoded text is your real URL (e.g. https://yourcompany.com/promo), it is static and safe. If it is a short URL on someone else's domain (e.g. https://qr.example.com/abc123), it is dynamic and depends on that provider continuing to operate.

Are static QR codes really immune to this problem?
Yes. A static QR code is just pixels encoding your URL directly. There is no runtime dependency on any third party. As long as your own domain works, the QR works forever. The QR pattern cannot "expire" or be "disabled" by any vendor because there is no vendor in the scan path.

Is QRMint itself safe?
QRMint generates static QR codes entirely inside your browser using JavaScript and the Canvas API. The content you enter and the generated image never leave your device. Even if qrmint.app were to go offline tomorrow, every QR code you have already downloaded would continue to work indefinitely. QRMint is operated by Netwiz LLC, a registered Japanese company with a public legal address, phone, and invoice registration number (see our Legal Notice page).

What should I do if I already printed QR codes from a "free" service?
Immediately scan the code with a raw scanner to see what URL it resolves to today. If it is already a third-party redirector, treat it as high risk: set up your own vanity redirect (e.g. yourdomain.com/qr1) on a domain you control, and plan to reprint with a static QR at the next opportunity. For digital placements, replace the image right away.

Where can I report a malicious QR code?
In Japan, report quishing attacks to JPCERT/CC and the National Police Agency Cybercrime reporting portal. Globally, report to Google Safe Browsing and to the hosting provider of the destination URL. If the QR was on physical media, take a photo and keep the original for law enforcement.
