
Jan 22, 2026 · 5 min read

North Korean Hackers Are Using QR Codes to Steal Your Credentials

The FBI warns that scanning an innocent-looking QR code can hand state-sponsored hackers your login and let them bypass your multi-factor authentication.

An email arrives from what looks like a foreign policy think tank. They want your insights on Korean Peninsula developments. There is a questionnaire attached as a QR code for easy mobile access. You scan it on your phone. Within minutes, your cloud accounts are compromised.

The FBI has released an advisory warning that Kimsuky, a North Korean state-sponsored hacking group also tracked as APT43, is conducting spear-phishing campaigns using malicious QR codes. The technique is called quishing, and it exploits a structural weakness: the moment you move from a managed computer to an unmanaged phone.


How the Attack Works

The phishing emails are carefully crafted to appear legitimate. Recent campaigns have included spoofed messages from foreign advisors requesting Korean Peninsula insights via questionnaire, fake embassy employees claiming to share secure drive access, and conference invitation scams directing victims to credential-harvesting pages.

The QR code is the key. On your work computer, you might notice suspicious URLs or have security software that blocks malicious sites. But when you scan a QR code, you typically open it on your personal phone—outside your organization's security monitoring.

The codes lead to attacker-controlled infrastructure designed to steal your credentials. The pages often mimic legitimate login screens for email providers, cloud services, or collaboration tools.

Bypassing Multi-Factor Authentication

Here is why the FBI treats this as a high-confidence identity intrusion vector: quishing operations frequently capture session tokens, not just passwords. The fake login page is an adversary-in-the-middle proxy. When you type your password and second factor into it, the page relays them to the legitimate service in real time, lets the real login complete, and keeps the session cookie or token the service issues. That token is then replayed from attacker infrastructure.

This means multi-factor authentication may not save you. One-time codes from SMS or an authenticator app and push approvals can all be relayed this way, so even with MFA enabled the attackers end up holding an already-authenticated session and never trigger another MFA prompt. They do not need your second factor; you supplied it to the proxy, and the real login consumed it.

The attack originates on your unmanaged mobile device, outside your organization's standard security monitoring. By the time anyone notices something is wrong, the compromise is complete.
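The replay does leave a trace even though the login itself happened off the monitored network: the same session token starts being used from a second client shortly after it was issued. The following is an added example for this article, not FBI or vendor code, that runs that check over a few constructed sign-in and activity records. The field names, the 30-minute window and the events are assumptions standing in for whatever your identity provider actually logs.

```python
"""Flag sessions whose token is used from a second client shortly after issuance.

Added example for this article, not FBI or vendor code. The log format, field
names and the sample events are constructed; map them onto your identity
provider's sign-in and activity logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a victim signs in through the phishing proxy from her phone,
# and the stolen session cookie is then replayed from attacker infrastructure.
# A second user changes IP address (cellular to Wi-Fi) but keeps the same browser.
SAMPLE_LOG = """
{"ts": "2026-01-20T09:02:11Z", "user": "analyst@think-tank.example", "session": "s-7f3a", "event": "login", "mfa": "otp", "ip": "203.0.113.45", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) Safari/604.1"}
{"ts": "2026-01-20T09:02:40Z", "user": "analyst@think-tank.example", "session": "s-7f3a", "event": "activity", "ip": "203.0.113.45", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) Safari/604.1"}
{"ts": "2026-01-20T09:07:05Z", "user": "analyst@think-tank.example", "session": "s-7f3a", "event": "activity", "ip": "198.51.100.17", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2026-01-20T09:08:30Z", "user": "analyst@think-tank.example", "session": "s-7f3a", "event": "activity", "ip": "198.51.100.17", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2026-01-20T10:15:00Z", "user": "bob@think-tank.example", "session": "s-91c2", "event": "login", "mfa": "otp", "ip": "192.0.2.8", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2026-01-20T10:40:00Z", "user": "bob@think-tank.example", "session": "s-91c2", "event": "activity", "ip": "192.0.2.9", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
"""

WINDOW = timedelta(minutes=30)  # assumed: how soon a second client is suspicious


def parse(log_text):
    """Parse JSON lines into events sorted by timestamp."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(events, window=WINDOW):
    """Return one finding per session whose token is used from a different
    (ip, user-agent) pair than the client it was issued to, within `window`
    of the login and without any new login in between."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        login = next((e for e in evs if e["event"] == "login"), None)
        if login is None:
            continue
        issued_to = (login["ip"], login["ua"])
        for e in evs:
            if e["event"] != "activity":
                continue
            client = (e["ip"], e["ua"])
            # An address change alone is common on mobile, so require both the
            # address and the browser fingerprint to differ from the issuing client.
            if (client[0] != issued_to[0] and client[1] != issued_to[1]
                    and e["ts"] - login["ts"] <= window):
                findings.append({
                    "user": login["user"],
                    "session": sid,
                    "issued_to": issued_to,
                    "replayed_from": client,
                    "seconds_after_login": int((e["ts"] - login["ts"]).total_seconds()),
                })
                break  # one finding per session is enough to open a ticket
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(parse(SAMPLE_LOG)):
        print(finding)
```

Only the analyst's session is flagged: the cookie issued to an iPhone on one address is used from a Windows browser on another address five minutes later. Bob's address change keeps the same browser and is left alone, which is the trade-off to tune: requiring both fields to differ cuts noise from roaming devices, but an attacker who copies the victim's user-agent string would slip past it, so enrich with ASN or geolocation where your logs allow.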

Who Kimsuky Targets

The threat actors focus on targets with valuable intelligence: think tanks and academic institutions, U.S. and foreign government entities, and strategic advisory firms. If you work in policy, international relations, defense, or related fields, you are a potential target.

Kimsuky has operated since at least 2012, primarily conducting intelligence collection operations. The group's targeting aligns with North Korean strategic interests, particularly around nuclear policy, sanctions, and diplomatic negotiations.

But the techniques they pioneer often spread. QR code phishing is effective against anyone who trusts that QR codes are safe. As the method proves successful against high value targets, expect it to appear in broader campaigns.

Why QR Codes Are Dangerous

QR codes became ubiquitous during the pandemic. Restaurants replaced menus. Businesses added them to everything. We learned to scan without thinking.

That learned trust is the vulnerability. A suspicious link in an email can be inspected before you click. A QR code is opaque: just a pattern of squares that no one can read by eye, so the URL becomes visible only after your phone decodes it. Many scanner apps then open the link immediately, and others show an address that is truncated, shortened, or one redirect away from the real destination.

Attackers also exploit the device switch. Moving from computer to phone feels like a minor convenience, but it crosses a security boundary. Your phone probably lacks your organization's endpoint protection, web filtering, and network monitoring, and a URL decoded from an image never passed through the mail gateway's link scanning. That is exactly why the attackers want you there.

Protecting Yourself

Treat QR codes in emails with extreme suspicion. If someone wants you to access a document or questionnaire, they can send a regular link. The choice to use a QR code should itself raise questions.

When you must scan a QR code, preview the URL before opening it; most phone cameras show the destination before you tap. Read the hostname from the right-hand end, because that is where the registrable domain sits: a hostname that begins with a familiar brand can still belong to an unrelated domain tacked on after it. Look for domain spoofing as well. Attackers use names that closely resemble legitimate ones, with slight misspellings, substituted characters, or extra words, and they use URL shorteners to hide the destination entirely.
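Previewing helps only if you read the URL the way a browser does. Below is an added example, not tooling from the FBI or from any vendor, that triages a URL decoded from a QR code against the traps above: userinfo before an "@", a trusted brand embedded in an untrusted hostname, lookalike labels, internationalised hostnames, and URL shorteners. The allowlist, the two-label suffix table that stands in for the Public Suffix List, the shortener list and the sample URLs are all constructed for illustration.

```python
"""Triage a URL decoded from a QR code before anyone taps it.

Added example for this article, not FBI or vendor tooling. The allowlist, the
two-label suffix table (a stand-in for the Public Suffix List), the shortener
list and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

TRUSTED = {"microsoftonline.com", "office.com", "google.com"}  # constructed allowlist
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}                  # constructed, not exhaustive
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}                      # stand-in for the PSL


def registrable_domain(host):
    """'login.microsoftonline.com' -> 'microsoftonline.com'; 'a.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(url):
    """Return the reasons a decoded URL looks suspicious; an empty list means no finding."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("not https")
    # Everything before '@' is userinfo, which the browser ignores; attackers put a
    # trusted name there so the string the victim reads starts with it.
    if "@" in parts.netloc:
        reasons.append("userinfo before '@': the real host is what follows it")
    try:
        if host.encode("idna").decode("ascii") != host:
            reasons.append("internationalised hostname, possible homoglyph")
    except UnicodeError:
        reasons.append("hostname fails IDNA encoding")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        reasons.append(f"{reg} is a URL shortener; the real destination is hidden")
    elif reg not in TRUSTED:
        reasons.append(f"registrable domain {reg!r} is not on the allowlist")
        # A trusted brand used as a subdomain, or a label one or two edits away from one.
        brands = sorted(t.split(".")[0] for t in TRUSTED)
        tokens = sorted({tok for label in host.split(".") for tok in label.split("-")})
        for brand in brands:
            for tok in tokens:
                if tok == brand:
                    reasons.append(f"trusted name {brand!r} embedded in an untrusted host")
                elif len(tok) >= 5 and edit_distance(tok, brand) <= 2:
                    reasons.append(f"label {tok!r} is a lookalike of {brand!r}")
    return reasons


# Constructed samples: one genuine login URL and several of the tricks above.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com.secure-questionnaire.example/",
    "https://office.com@docs-share.example/login",
    "http://micr0softonline-login.example/",
    "https://micr\u043esoftonline.com/",  # Cyrillic 'о' in place of Latin 'o'
    "https://bit.ly/qr-survey",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", triage(url) or "ok")
```

The registrable-domain step is the one that matters most: a human reads "login.microsoftonline.com" at the start of the second sample and stops, while the browser will connect to secure-questionnaire.example. The tiny suffix table is the weak spot of this toy; in production use the full Public Suffix List, otherwise hosts under suffixes such as co.uk are cut at the wrong label.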

Do not enter credentials on pages you reached via QR code. If you need to log into a service, navigate to it directly through your browser or app. Never follow a QR code to a login page.

Consider using phishing-resistant MFA such as FIDO2 security keys or passkeys. A WebAuthn credential signs a challenge together with the origin the browser is actually talking to, so an assertion produced on a lookalike proxy site is rejected by the real service and the relay never completes. This stops the attacker from obtaining a session in the first place; it does not protect a session token stolen after a legitimate login, so pair it with short session lifetimes and sign-in policies that require a managed device.
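To make the contrast between the relay described under "Bypassing Multi-Factor Authentication" and origin-bound MFA concrete, here is an added example: a toy model written for this article, not code from the FBI, a vendor or the threat actor. It simulates a service, a security key, and an adversary-in-the-middle page that relays whatever the victim submits. Service and origin names are constructed, and an HMAC keyed with a per-credential secret stands in for the authenticator's asymmetric signature; what it shows is origin binding, not the signature scheme.

```python
"""Toy model: a relayed password-plus-OTP login yields a reusable session cookie;
a relayed origin-bound FIDO2/WebAuthn assertion yields nothing.

Added example for this article, not FBI, vendor or threat-actor code. Names are
constructed; a keyed HMAC stands in for the authenticator's asymmetric signature.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.service.example"        # constructed
PROXY_ORIGIN = "https://login.service-docs.example"  # constructed lookalike


class Service:
    """Relying party: issues a bearer session cookie after a successful login."""

    def __init__(self):
        self.users = {"analyst": {"password": "correct horse", "otp": "482913"}}
        self.keys = {}        # user -> credential key (stand-in for the stored public key)
        self.sessions = {}    # cookie -> user
        self.mfa_prompts = 0  # how many times the service asked for a second factor

    def login_password_otp(self, user, password, otp):
        self.mfa_prompts += 1
        u = self.users.get(user)
        if u is None or u["password"] != password or u["otp"] != otp:
            return None
        return self._issue(user)

    def challenge(self):
        return secrets.token_hex(16)

    def login_fido(self, user, challenge, client_data, signature):
        # Check the origin the browser recorded, then the signature over
        # challenge + origin. A lookalike origin fails at the first check.
        key = self.keys.get(user)
        if key is None or client_data["origin"] != REAL_ORIGIN:
            return None
        msg = (challenge + client_data["origin"]).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue(user)

    def _issue(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class Authenticator:
    """Security key: signs the challenge together with the origin the browser reports."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, origin):
        client_data = {"challenge": challenge, "origin": origin}
        sig = hmac.new(self.key, (challenge + origin).encode(), hashlib.sha256).hexdigest()
        return client_data, sig


class Proxy:
    """Adversary-in-the-middle page: relays what the victim submits to the real
    service in real time and keeps whatever session cookie comes back."""

    def __init__(self, service):
        self.service = service
        self.captured = None

    def victim_submits_password_otp(self, user, password, otp):
        self.captured = self.service.login_password_otp(user, password, otp)

    def victim_submits_fido(self, user, authenticator):
        challenge = self.service.challenge()
        # The victim's browser is on the proxy's origin, so that is what the key signs.
        client_data, sig = authenticator.sign(challenge, PROXY_ORIGIN)
        self.captured = self.service.login_fido(user, challenge, client_data, sig)


def relay_otp_login():
    """Returns (who the stolen cookie authenticates as, MFA prompts the attacker triggered)."""
    svc = Service()
    mitm = Proxy(svc)
    mitm.victim_submits_password_otp("analyst", "correct horse", "482913")
    prompts_before = svc.mfa_prompts
    user = svc.whoami(mitm.captured)  # replay from attacker infrastructure
    return user, svc.mfa_prompts - prompts_before


def relay_fido_login():
    """Returns (user for a genuine origin-bound login, result of the relayed one)."""
    svc = Service()
    key = secrets.token_bytes(32)
    svc.keys["analyst"] = key
    auth = Authenticator(key)
    challenge = svc.challenge()
    client_data, sig = auth.sign(challenge, REAL_ORIGIN)
    legit = svc.login_fido("analyst", challenge, client_data, sig)
    mitm = Proxy(svc)
    mitm.victim_submits_fido("analyst", auth)
    return svc.whoami(legit), mitm.captured


if __name__ == "__main__":
    print("OTP relayed:", relay_otp_login())    # attacker is in, zero extra MFA prompts
    print("FIDO relayed:", relay_fido_login())  # genuine login works, proxy gets None
```

In the OTP case the attacker ends up with a cookie that identifies the victim and never sees a second-factor prompt, which is exactly what the FBI advisory describes. In the FIDO case the same proxy gets None: the browser reported the proxy's origin to the key, the key signed it, and the real service rejected it. The model also shows the limit: the cookie issued by a genuine login is still a bearer token, which is why device-bound sessions and short lifetimes remain necessary.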

The Bigger Picture

State-sponsored hackers constantly evolve their techniques to bypass security measures. When organizations implemented MFA, attackers developed proxies that capture session tokens. When email filtering improved, attackers moved the link into a QR code image, where gateway URL scanning and link rewriting do not see it.

Each new security measure creates a new attack surface. The solution is not abandoning security but understanding that no single control is sufficient. Defense requires layers—and awareness of how attackers think.

QR code phishing works because we trust the familiar. That trust can be weaponized. The FBI's warning is not just about North Korea—it is about recognizing that convenience and security are often in tension, and attackers always exploit the gap.