QR Code Payments: New Attack Vectors and Cashing Out (UPI, Alipay, Pix)

Good Carder

From carder to carders. While you're struggling to combat 3DS and BIN filtering, the QR payment landscape has become a Wild West. Billions of people around the world scan square black-and-white patterns every day, often without even looking where the link takes them or who will receive their money. The arsenal includes QR code spoofing, Pix session hijacking, and zero-day API vulnerabilities that remain unpatched for years.

By 2026–2027, attacks on QR payments will become widespread. From physical sticker spoofing and phishing to protocol and API vulnerabilities, in this article I'll examine everything that actually works against UPI (India), Alipay/WeChat (China), and Pix (Brazil). How to intercept a payment directly at the checkout, how to exploit CVE-2026-3208 to dump static QR codes, how the 6-second cash-out scheme works via Pix, and how to organize a channel from a fake QR code to the withdrawal of pure crypto.


Part 1. QR Payment Architecture: Static, Dynamic, and Blind Spots

Understanding how the target system works is the key to bypassing it. Let's look at how the three largest QR payment systems work.

Static QR codes. These are fixed payment labels printed on paper. They contain all the recipient's information: identifier (phone number, CPF, UPI ID), company name, and sometimes the amount. They are common in street markets, parking lots, and small shops. The most vulnerable type: an attacker can print a sticker with their own QR code and stick it over the legitimate one.

Dynamic QR codes. These are generated at the checkout, in the app, or on a separate device for each specific transaction. They are protected by encryption and often include a JWT token with a digital signature. In Brazil, both the static "copia e cola" strings and the dynamic codes are BR Codes, built on the international EMV Merchant Presented QR standard. A dynamic BR Code usually contains a link to a secure endpoint, whose payload is digitally signed for validation.

Architectural vulnerabilities in the Pix and UPI APIs. QR payment systems aren't magic. Every time you scan a QR code, your application sends REST/HTTP requests to the payment provider's backend. If these APIs are poorly secured, you can manipulate the amount, the recipient, or even cancel the payment entirely after sending. This is an ideal platform for blind interception, where the user thinks they're paying someone else, but in reality the money lands in the carder's wallet.

Part 2. UPI: QR Scanners, Fake Requests, and the Industrialization of Fraud

India is the birthplace of UPI (Unified Payments Interface), which processes over 12 billion transactions per month. By 2026, 94% of Indian small businesses are using QR codes to accept payments. However, this popularity has also spawned a wave of fraud.

2.1. Four pillars of UPI attacks on QR codes

Push vs. Pull (UPI money request). The "collect" money request function has long been a major headache. The fraudster sends a request for a certain amount, the victim scans a fake QR code and automatically confirms the payment. Carders also create fake UPI IDs for businesses, imitating well-known brands.

A sticker placed over a legitimate QR code. This method remains the most effective in India: in 2026, Punjab police arrested a gang that had installed their stickers on hundreds of retail outlets. Most losses from digital fraud in India are still due to social engineering, not technical glitches.

A "support" scheme with a UPI PIN. The fraudster calls the victim, posing as a bank employee, and asks them to "verify" their account by scanning a QR code. The victim scans the code, enters the UPI PIN, and loses money.

Fake payment confirmations. Instead of a real transfer, scammers send a fake screenshot of a successful payment to trick people into buying goods or services.

2.2. Industrialization of UPI Fraud (2026 Data)

According to Indian authorities, 1.342 million cases of UPI fraud totaling over 10.87 billion rupees were recorded in 2023–2024. In 2024–2025, the number of fraudulent transactions nearly doubled over three years. Credential theft through phishing, social engineering, and QR code spoofing accounted for the bulk of this increase.

Part 3. WeChat Pay and Alipay: Data Leaks, QR Code Spoofing, and AI Phishing

The duopoly of Alipay (over 1 billion active users) and WeChat Pay (over 800 million) covers virtually the entire Chinese population. But even giants have an Achilles heel.

3.1. Fake QR codes for bike rentals and machines

The most vulnerable QR codes are those located on unguarded public spaces—bike-sharing stations (Mobike, Hellobike), street vending machines, parking lots, and pay toilets. Fraudsters print out a QR code leading to a phishing website or malicious app and affix it over the original.

3.2. Injecting a malicious payload via DeepLink/JSBridge

In early 2026, a researcher identified a chain of 17 vulnerabilities in Alipay (CVSS up to 9.3), about six of which received CVE identifiers. Among them, CVE-2026-6290 (CVSS 8.5) is a cross-site scripting (XSS) vulnerability in the DeepLink handler that leads to the disclosure of GPS coordinates. A malicious link, when scanned, silently uploads the victim's GPS coordinates to the attacker's server via AlipayJSBridge.call(), without the user's knowledge. Alipay declined to patch the vulnerability, stating that it "cannot be practically exploited." It was publicly disclosed in 2026 and is already being used in attacks in the wild.

3.3. Video payment capture scheme (China)

This scheme became especially popular in early 2026. The victim (often a small store owner) receives a call from a "client" who wants to pay for a large order remotely via video call. The "client" asks to see a QR code on the phone screen. This exploits a standard setting in the Alipay and WeChat Pay apps: by default, the interface opens to the payment page (pay code), not the receipt page (receive code). The carder requests a switch to the receipt page, intercepts the instantly flashing payment page, and scans the code to pay.

Part 4. Pix: Fast Money, Fast Thefts, and CVE-2026-3208

Launched by the Central Bank of Brazil in 2020, Pix quickly gained 178 million active users.

4.1. Static vs. Dynamic QR Code

A static QR code contains the recipient's information, their CPF/CNPJ, and sometimes the amount. When paying with a static QR code, the customer sees the recipient's details in the app and can confirm the payment. In Brazil, both static QR codes (especially on street vendor stickers) and dynamic QR codes generated at the point of sale, which contain a signed payload and are more secure against spoofing, are widely used. By 2026, more than 30% of all Pix transactions will be processed through QR codes within the Person-to-Merchant (P2M) model, and this segment is growing by tens of percent annually.
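The BR Code payload described in Part 1 and in 4.1 is a plain EMVCo Merchant Presented QR string: a sequence of two-digit tag, two-digit length and value, with the Pix key nested under tag 26 and a CRC-16 over the whole string in the trailing tag 63. The following Python example is added here and is not code from the original post or from any payment provider; it shows what a payer app actually has to check before it shows the "Pay to store" confirmation, and gives a merchant-side check that a sticker posted at the till still decodes to the merchant's own key (the 4.2 sticker-replacement scenario). The Pix key, merchant name and city in it are constructed sample values, and the builder exists only so the parser has something realistic to validate.

```python
"""Parse and validate an EMVCo Merchant Presented QR (BR Code / Pix) payload.

Added example, not the post's or any provider's code. Sample key and
merchant details below are constructed for illustration.
"""
from __future__ import annotations

SAMPLE_KEY = "a1b2c3d4-0000-4000-8000-000000000001"  # constructed Pix key (random-UUID style)


def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE as required for EMVCo MPM tag 63 (poly 0x1021, init 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def parse_tlv(payload: str) -> dict[str, str]:
    """Split an EMVCo 'ID(2) LEN(2) VALUE' string into a dict; raise on malformed input."""
    fields: dict[str, str] = {}
    i = 0
    while i < len(payload):
        tag, length_str = payload[i:i + 2], payload[i + 2:i + 4]
        if len(tag) < 2 or not length_str.isdigit():
            raise ValueError(f"malformed TLV at offset {i}")
        length = int(length_str)
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        fields[tag] = value
        i += 4 + length
    return fields


def validate_brcode(payload: str) -> dict[str, object]:
    """Check the CRC first, then return the fields a payer app shows for confirmation."""
    # Tag 63 must be the last field: '6304' + four hex digits, computed over everything before them.
    if len(payload) < 8 or payload[-8:-4] != "6304":
        raise ValueError("missing trailing CRC field (tag 63)")
    expected = int(payload[-4:], 16)
    actual = crc16_ccitt_false(payload[:-4].encode("utf-8"))
    if expected != actual:
        raise ValueError(f"CRC mismatch: payload says {expected:04X}, computed {actual:04X}")
    top = parse_tlv(payload)
    mai = parse_tlv(top["26"])  # Merchant Account Information; Pix uses tag 26
    if mai.get("00", "").lower() != "br.gov.bcb.pix":
        raise ValueError("tag 26 is not a Pix merchant account")
    return {
        "static": top.get("01", "11") == "11",  # point of initiation: 11 = static, 12 = dynamic
        "pix_key": mai.get("01", ""),
        "url": mai.get("25", ""),               # dynamic codes carry the signed-payload endpoint here
        "merchant_name": top.get("59", ""),
        "merchant_city": top.get("60", ""),
        "amount": top.get("54", ""),            # absent on open-amount static stickers
        "currency": top.get("53", ""),          # 986 = BRL
    }


def sticker_matches_merchant(payload: str, expected_pix_key: str) -> bool:
    """Merchant-side check: does the code posted at the till still pay into our own key?"""
    try:
        info = validate_brcode(payload)
    except (ValueError, KeyError):
        return False
    return info["pix_key"] == expected_pix_key


def tlv(tag: str, value: str) -> str:
    """Encode one EMVCo field (values longer than 99 characters need a different layout)."""
    if len(value) > 99:
        raise ValueError(f"value for tag {tag} too long")
    return f"{tag}{len(value):02d}{value}"


def build_static_brcode(pix_key: str, name: str, city: str, amount: str | None = None) -> str:
    """Build a static Pix BR Code so the validator above has realistic input to check."""
    mai = tlv("00", "br.gov.bcb.pix") + tlv("01", pix_key)
    body = tlv("00", "01") + tlv("01", "11") + tlv("26", mai) + tlv("52", "0000") + tlv("53", "986")
    if amount:
        body += tlv("54", amount)
    body += tlv("58", "BR") + tlv("59", name) + tlv("60", city) + tlv("62", tlv("05", "***"))
    body += "6304"
    return body + f"{crc16_ccitt_false(body.encode('utf-8')):04X}"


if __name__ == "__main__":
    code = build_static_brcode(SAMPLE_KEY, "LOJA EXEMPLO", "SAO PAULO", "10.00")
    print(validate_brcode(code))
    print("sticker ok:", sticker_matches_merchant(code, SAMPLE_KEY))
```

The CRC only detects accidental corruption, not a deliberately rebuilt sticker, which is why the merchant-side check compares the decoded key against the one the shop actually owns rather than trusting the merchant name shown in tag 59.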

4.2. QR Sticker Replacement Attack

As in India and China, carders print their own QR codes and stick them over legitimate ones. The counterfeit stickers are often identical in design to the originals, differing only by one digit in the recipient's name. The user scans the code, sees "Pay to store," and confirms. Pix is instant, and the money is transferred to the fraudster's account before the store even notices the theft. In response, the Central Bank of Brazil required banks to implement multi-factor authentication for all administrative access to Pix systems.

4.3. API Vulnerability: CVE-2026-3208 (CVSS 5.3 - Medium, but widely exploited)

In May 2026, vulnerability CVE-2026-3208 was disclosed in the "Mercado Pago payments for WooCommerce" plugin (versions ≤ 8.7.11). Due to a lack of access checks on the mp_pix_image endpoint, an unauthenticated carder can obtain QR codes for arbitrary orders simply by iterating over order IDs via the API. Each QR code contains PIX keys (CPF/CNPJ), the transaction amount, the company name, and the payer's city.

This vulnerability allows the carder to directly dump static QR codes. For example, a store generates a QR code for order #123, the link to the code is /mp_pix_image?order_id=123. By iterating through IDs from 1 to 1000, the carder collects thousands of QR codes from all orders, including those not yet paid. Then, having ready-made QR codes in hand, he can either intercept a payment from a real buyer (by pointing it at his fake QR code), or use these codes for his own purposes - for example, for payments through P2P exchanges (cross-cash).
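The dump described above leaves an obvious trace in the web server's access log: one client walking the mp_pix_image endpoint through a long run of consecutive order_id values, which no real buyer ever does. The Python example below is an added detection sketch, not code from the post or from the plugin vendor; it parses common-log-format lines and flags clients whose requests to that endpoint form a long near-sequential run of IDs. The log lines, IP addresses and the /mp_pix_image?order_id= path shape are constructed for the example (the path follows the post's own illustration; the real plugin's URL may differ).

```python
"""Flag order_id enumeration against a Pix QR endpoint in web access logs.

Added example, not the post's or the plugin's code. Log lines below are
constructed; the endpoint path copies the post's illustration and is an assumption.
"""
import re
from collections import defaultdict

# Apache/nginx common log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
ORDER_ID_RE = re.compile(r"[?&]order_id=(\d+)")


def detect_enumeration(lines, endpoint="/mp_pix_image", min_ids=20, max_gap=1):
    """Return {ip: stats} for clients that fetched a long run of near-consecutive order IDs.

    A real buyer fetches one or two IDs; an ID walk shows up as a sorted run where
    neighbouring IDs differ by at most max_gap, longer than min_ids.
    """
    ids_by_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(endpoint):
            continue
        oid = ORDER_ID_RE.search(m["path"])
        if oid:
            ids_by_ip[m["ip"]].add(int(oid.group(1)))

    alerts = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            best = max(best, run)
        if best >= min_ids:
            alerts[ip] = {"distinct_ids": len(ids), "longest_sequential_run": best}
    return alerts


def build_sample_log():
    """Constructed traffic: one ordinary buyer plus one client walking order_id 1..50."""
    lines = [
        f'203.0.113.7 - - [12/May/2026:10:00:{i % 60:02d} +0000] '
        f'"GET /mp_pix_image?order_id={i} HTTP/1.1" 200 1834'
        for i in range(1, 51)
    ]
    lines += [
        '198.51.100.23 - - [12/May/2026:10:01:10 +0000] "GET /checkout/order-received/4821/ HTTP/1.1" 200 5120',
        '198.51.100.23 - - [12/May/2026:10:01:12 +0000] "GET /mp_pix_image?order_id=4821 HTTP/1.1" 200 1834',
        '198.51.100.23 - - [12/May/2026:10:01:40 +0000] "GET /mp_pix_image?order_id=4821 HTTP/1.1" 200 1834',
    ]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, stats in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {stats}")
```

Thresholds are deliberately conservative (20 consecutive IDs); a shop that legitimately serves many buyers in a minute will still not see one client fetch twenty neighbouring orders. Blocking on the alert is a secondary control: the primary fix for this bug class is an ownership check on the endpoint itself, so that an order's QR image is only served to the session that created the order.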

Part 5. Attacks on dynamic QR codes and their interception

Dynamic QR codes, despite encryption, are not absolute security.

5.1. BR Code / EMVCo QR based on JWT

In Brazil, BR Code is used, built on the EMV Merchant Presented QR standard. It can embed a link to a secure endpoint for receiving dynamic payment data. Instead of containing all the payment information, the code points to a server, which returns the transaction parameters over a secure channel. The problem arises if the server doesn't properly verify the JWT signature or uses a weak secret key. In this case, the carder can:
  1. Substitute the payload. Change the amount, recipient, or other transaction parameters on the fly if there is no encryption.
  2. Substitute the recipient via API. If the QR code contains a URL or encrypted JWT token, a carder can copy the URL, decrypt it, change the recipient and amount, and provide their modified code to the victim for payment. Untrusted servers will automatically accept it.

5.2. Man in the Middle for QR Sessions

Some dynamic QR codes use a "pull" mechanism instead of a "push" one: the user scans the code and initiates the payment, and a confirmation form appears in the app. However, if a carder intercepts the traffic (for example, using a fake Wi-Fi hotspot), they can substitute parameters at the confirmation stage: the amount, recipient, and description. As a result, the victim confirms a payment to a "seller" whose details were substituted by the carder at the moment of confirmation.
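Both 5.1 (a server that does not really verify the JWT signature, or accepts whatever algorithm the token's header names) and 5.2 (confirmation parameters swapped in transit) come down to the same server-side rule: the amount and payee that get executed must be the ones inside the signed payload, and the signature must be checked with a pinned algorithm before any claim is read. The Python example below is added here and is not code from the post or from any Pix or BR Code implementation; it uses only the standard library, an HS256 token as the simplest signed-payload case, a constructed shared secret, and a hypothetical authorize_payment() that compares the client's submitted confirmation against the signed claims.

```python
"""Verify a signed payment payload (HS256 JWT) before trusting any of its claims.

Added example, not the post's or any payment provider's code. The secret,
claims and the authorize_payment() contract below are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Raised for any token the server must refuse."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token; the issuing side is shown only so the verifier has input to check."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("token must have exactly three segments")
    try:
        header = json.loads(b64url_decode(header_b64))
    except Exception:
        raise TokenError("unreadable header")
    # Pin the algorithm server-side: the header is attacker-controlled, so 'none'
    # or a different algorithm is an error, never a reason to skip verification.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        actual = b64url_decode(sig_b64)
    except Exception:
        raise TokenError("unreadable signature")
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        raise TokenError("signature mismatch")
    claims = json.loads(b64url_decode(body_b64))
    current = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= current:
        raise TokenError("token expired or missing exp")
    return claims


def authorize_payment(token: str, secret: bytes, submitted_amount: str,
                      submitted_payee: str, now: Optional[float] = None) -> bool:
    """Execute only what was signed: a confirmation whose fields differ is refused.

    Hypothetical server hook: the client echoes amount and payee back with the token,
    and the server compares them against the signed claims rather than trusting them.
    """
    claims = verify_hs256(token, secret, now)
    return claims["amount"] == submitted_amount and claims["payee"] == submitted_payee


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-for-use"
    tok = sign_hs256({"amount": "150.00", "payee": "loja-exemplo", "exp": time.time() + 300}, secret)
    print("genuine confirmation:", authorize_payment(tok, secret, "150.00", "loja-exemplo"))
    print("swapped payee:", authorize_payment(tok, secret, "150.00", "carder-drop"))
```

The two checks are independent: verify_hs256() rejects a payload that was re-signed with a guessed or absent key (the 5.1 case), and authorize_payment() rejects a confirmation whose amount or payee no longer match the signed claims (the 5.2 case), so swapping fields at the confirmation step fails even when the token itself is genuine.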

5.3. Real-World Case: Attack on Dynamic QR Code at Gas Stations

In Brazil, there have been cases of carders connecting to unsecured Wi-Fi networks at gas stations and intercepting traffic at terminals that generate dynamic QR codes. They replaced the code on the terminal with their own, so that drivers would scan the code, which redirected them to a fake payment page.

Part 6. Cash-out strategy: from a fake QR code to withdrawal to a crypto wallet

Cashing out via QR payments is a two-step process: capturing funds and converting them into crypto.

The typical process for UPI, WeChat Pay, and Alipay is:
  1. Create a drop-UPI ID / WeChat Pay / Alipay account. Obtain an account under a proxy (sometimes SMS verification is sufficient). For PIX, verify with a Brazilian bank.
  2. Physical distribution (or API injection) of QR codes. Substitution of QR codes at checkouts or code injection via a vulnerable API (CVE-2026-3208) – collecting ready-made QR codes from servers.
  3. Funds capture. When a buyer scans a fake QR code, the money is transferred to the fraudster's drop account.
  4. Instant conversion to cryptocurrency. Using dApps and P2P exchanges with automated trading (such as those built into Brazilian and Indian apps), funds are converted to USDT in real time and stored in a non-custodial wallet. Fees for using decentralized exchanges are minimal.
  5. Withdraw to a cold wallet or cash. Next, launder the funds through mixers and private coins.

Part 7. Carder's QR Fraud Checklist

  • Determine the QR code type. Static (spoofing via sticker) or dynamic (session or API hijacking).
  • Select a platform - UPI (India), Alipay/WeChat Pay (China), Pix (Brazil), or other regions with widespread QR support.
  • For a static QR code: print your own QR sticker imitating the design of your target business, place it over the original, and the money will flow to you. Use clear adhesive for invisibility.
  • For dynamic QR (PIX): if the site uses a vulnerable plugin, implement a script to iteratively collect order_id according to CVE-2026-3208.
  • Set up a cash-out channel. Drop accounts should be ready before you start intercepting payments.
  • Payment acceptance: Automate via API to instantly convert incoming euros into cryptocurrency.
  • OPSEC:
    • Never work without disguise (in public places).
    • Use disposable SIM cards and temporary bank accounts (for drops).
    • If you work via API, your IP and User-Agent should be hidden behind residential proxies.
    • Store stolen QR code databases in encrypted form and destroy them after use.

Summary from a carder

QR codes for payments are not just a convenience; they're a new entry point for serious money. In India, 1.34 million UPI fraud cases were recorded between 2024 and 2025. In China, WeChat Pay and Alipay lose billions of dollars annually due to QR code spoofing, and Alipay still hasn't patched its DeepLink vulnerabilities, which threaten to leak personal data. In Brazil, over 30% of all Pix transactions are processed via QR codes, and CVE-2026-3208 makes it possible to dump thousands of static QR codes cheaply and easily.

Interception of financial flows through QR code spoofing is no longer a niche attack, but a mainstream one. Static codes are vulnerable to cheap stickers, while dynamic codes are vulnerable to API exploits and man-in-the-middle attacks. UPI is the realm of social engineering, PIX is the domain of plugin vulnerabilities and instantaneousness, and WeChat Pay and Alipay are the domain of open redirects and JSBridge. The success of this scheme depends on OPSEC: the faster the stolen money is converted into cryptocurrency via P2P exchanges, the less likely the bank will freeze the mule's account.

A quick one-line reminder:
“UPI is ruled by social engineering. Pix is API vulnerabilities. Alipay/WeChat are QR code spoofing and redirects. Static QR is a sticker on top. Dynamic QR is a MITM or JWT spoofing. CVE-2026-3208 is code dumping via API. Instant conversion to crypto is a chain break. 6 seconds and the money is clean. Your goal is to make the victim pay you without even realizing it.”