The PoisonSeed QR-code MFA hijack is the first large-scale attack that turns a QR-code authentication flow into a full FIDO2 bypass. Researchers noticed the campaign on 17 July 2025 after help-desk tickets showed users losing access even though every employee used hardware security keys. (Source: The Hacker News)
What Is the PoisonSeed QR-Code MFA Hijack?
PoisonSeed is a crime group best known for emptying cryptocurrency wallets. In July the same infrastructure pivoted toward corporate single-sign-on portals such as Okta and Microsoft 365. Dark Reading reports that the shift marks a move from consumer fraud to enterprise intrusion. (Source: Dark Reading)
Timeline of the Campaign
Expel’s incident-response log shows the first phishing e-mails arriving on 17 July, with peaks on 18 and 19 July when the group registered more than forty Cloudflare-hosted look-alike domains. The activity subsided briefly after public disclosure on 21 July but resumed two days later with fresh domains that embed the word “secure-login” to evade brand-matching filters. (Source: Expel)
How the QR-Code Phishing Flow Beats FIDO2 Security
Victims land on a fake portal, enter valid credentials, and unwittingly trigger the cross-device sign-in feature of WebAuthn. The real identity provider displays a one-time QR code. The phishing proxy captures that code, re-renders it, and prompts the user to scan it with their phone. When the phone signs the challenge, the portal ties the user’s passkey to the attacker’s browser session. No physical interaction with the security key ever occurs. (Sources: Ampcus Cyber, BleepingComputer)
Hybrid-Transport Vulnerability Explained
Hybrid transport exists so a passkey stored on a phone can unlock a session on another device. When Bluetooth proximity checks are disabled—as many organisations do for convenience—the QR code by itself becomes a portable credential that can be relayed anywhere on the internet. That design trade-off is what PoisonSeed exploits; the cryptography of FIDO remains sound. (Source: The Hacker News)
Impact and Real Incidents
Expel details two confirmed breaches. In one U.S. technology company, administrators spotted the rogue session within ten minutes and revoked it. In a European financial-services firm, the attacker stayed long enough to register their own FIDO key, ensuring persistent access until a routine audit uncovered the anomaly. (Source: Expel)
CSO Online notes that even where security keys are mandated, auxiliary login paths—QR codes, passwordless recovery links, push approvals—can reopen the door to social-engineering crews. (Source: CSO Online)
Mitigation Tactics Against QR-Code MFA Attacks
BankInfoSecurity recommends four defences now under review at many enterprises. First, disable cross-device sign-in unless there is a clear business need. Second, where it stays enabled, enforce Bluetooth proximity so the QR handshake cannot be relayed. Third, monitor authentication logs for sudden downgrades to QR flows, unexpected FIDO key registrations, or logins from improbable locations. Fourth, train staff to halt any login that serves an unsolicited QR code after credentials are entered. (Sources: BankInfoSecurity, BleepingComputer)
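As an added illustration of the third defence (this is example code written for this article, not a tool from Expel, BankInfoSecurity or any identity provider), the following Python hunt flags the three log signals over a handful of constructed authentication events. The field names, the event type strings and the one-hour registration window are assumptions; map them onto your own IdP's export before use.

```python
"""Hunt authentication events for PoisonSeed-style hybrid-flow indicators (constructed example)."""
from datetime import datetime, timedelta

# Constructed sample events. Field names and values are assumptions, not a real IdP schema.
# alice normally signs in with a roaming USB key from the US; bob legitimately uses the hybrid flow.
EVENTS = [
    {"ts": "2025-07-18T08:02:11Z", "user": "alice", "event": "login.success", "method": "webauthn.usb", "country": "US"},
    {"ts": "2025-07-18T09:15:40Z", "user": "alice", "event": "login.success", "method": "webauthn.usb", "country": "US"},
    {"ts": "2025-07-19T10:41:03Z", "user": "alice", "event": "login.success", "method": "webauthn.hybrid", "country": "NL"},
    {"ts": "2025-07-19T10:52:27Z", "user": "alice", "event": "fido.register", "method": "webauthn.usb", "country": "NL"},
    {"ts": "2025-07-19T11:00:00Z", "user": "bob", "event": "login.success", "method": "webauthn.hybrid", "country": "US"},
    {"ts": "2025-07-19T11:30:00Z", "user": "bob", "event": "login.success", "method": "webauthn.hybrid", "country": "US"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, reg_window=timedelta(hours=1)):
    """Return (user, indicator) pairs. Baselines are built from earlier events for the same user,
    so a user's very first login cannot be flagged as a downgrade or a new country."""
    findings = []
    baseline_methods, baseline_countries, last_hybrid = {}, {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts = e["user"], parse_ts(e["ts"])
        if e["event"] == "login.success":
            methods = baseline_methods.setdefault(user, set())
            countries = baseline_countries.setdefault(user, set())
            # Signal 1: a user who has only used a roaming key suddenly authenticates via the QR (hybrid) flow.
            if e["method"] == "webauthn.hybrid":
                if methods and "webauthn.hybrid" not in methods:
                    findings.append((user, "hybrid_downgrade"))
                last_hybrid[user] = ts
            # Signal 3: login from a country never seen for this user.
            if countries and e["country"] not in countries:
                findings.append((user, "new_country"))
            methods.add(e["method"])
            countries.add(e["country"])
        elif e["event"] == "fido.register":
            # Signal 2: a new authenticator registered shortly after a hybrid login (persistence, as in the second incident).
            if user in last_hybrid and ts - last_hybrid[user] <= reg_window:
                findings.append((user, "key_registered_after_hybrid"))
    return findings


if __name__ == "__main__":
    for user, indicator in detect(EVENTS):
        print(f"{user}: {indicator}")
```

Run against the sample, only alice is flagged, once for each signal; bob's consistent hybrid usage from his usual country produces nothing.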
Why QR-Code Phishing (Quishing) Is Rising in 2025
BleepingComputer reports a 27 percent year-over-year rise in “quishing” chatter on underground forums. Attack kits now ship with ready-made QR relays, and marketing teams increasingly publish legitimate QR promos, normalising the scan habit. PoisonSeed simply applied that trend to the most trusted corner of enterprise security—passkeys. (Source: BleepingComputer)
Key Takeaways for Passwordless Security Teams
The PoisonSeed QR-code authentication attack shows that every convenience feature added to a passwordless platform must be assessed with the same rigour as the primary login path. Strong cryptography cannot offset weak UX decisions. Organisations that rely on FIDO2 keys should close, harden, or at least monitor hybrid flows before attackers turn them into the next entry point.