QR Codes and Six-Month Cons: When Attackers Play the Long Game

You know that feeling when you’re reviewing the week’s security incidents and realize attackers are getting both more patient and more creative? That’s exactly what hit me looking at this week’s developments. We’ve got everything from sophisticated nation-state operations that took half a year to execute, to scammers pivoting their tactics with QR codes, plus the usual “patch immediately” drama from Fortinet.

Let me walk you through what caught my attention and why these stories matter for how we think about defense.

The $285 Million Lesson in Patience

The Drift hack is honestly fascinating from a threat intelligence perspective. North Korean operators spent six months - starting back in fall 2025 - working their way into this Solana-based exchange before finally striking on April 1st for $285 million.

Six months. Think about that timeline. While we’re often focused on rapid-fire attacks and immediate incident response, DPRK was playing chess, not checkers. This wasn’t some opportunistic smash-and-grab - this was a methodical social engineering campaign that probably involved building relationships, establishing trust, and slowly mapping out the target environment.

What really gets me is how this challenges our detection strategies. Most of our monitoring is tuned for suspicious activity that happens quickly. But when someone spends half a year legitimately building access and relationships? That’s a much harder signal to spot in the noise. We need to be thinking about behavioral baselines that span months, not days.

QR Codes: The New Phishing Vehicle

Meanwhile, scammers are getting creative with their delivery mechanisms. Traffic violation phishing campaigns are now using QR codes in fake “Notice of Default” text messages, asking people to scan codes that lead to sites demanding $6.99 payments.

This evolution makes sense when you think about it. QR codes solve several problems for attackers: they bypass a lot of URL filtering (since the malicious URL isn’t visible in the message), they feel modern and legitimate to users, and they’re harder for people to scrutinize before clicking. You can’t hover over a QR code to see where it goes.

The $6.99 amount is particularly clever - it’s low enough that many people won’t think twice about paying it to make a “traffic violation” go away, but high enough to be profitable at scale. Classic social engineering: exploit people’s desire to quickly resolve a stressful situation.

For our user education programs, this means we need to update our “think before you click” training to include “think before you scan.” QR codes aren’t inherently trustworthy just because they look official.

Fortinet’s Weekend Emergency

Speaking of immediate concerns, Fortinet pushed out an emergency weekend patch for CVE-2026-35616 in FortiClient EMS. This one’s a doozy - it’s a pre-authentication API access bypass that leads to privilege escalation, with a CVSS score of 9.1.

The “pre-authentication” part is what makes this particularly nasty. Attackers don’t need any credentials to start exploiting this - they can go straight to privilege escalation. And since it’s already being exploited in the wild, this isn’t theoretical.

If you’re running FortiClient EMS, you probably already patched this over the weekend (hopefully). But it’s worth noting that these emergency patches from major vendors seem to be happening more frequently. Whether that’s because vulnerabilities are being found faster, or because the bar for “emergency” has changed, I’m not sure. But it definitely means our patch management processes need to account for more weekend work.

What This Means for Our Defenses

Looking at these incidents together, a few patterns emerge. First, we’re seeing attacks across the entire timeline spectrum - from six-month social engineering campaigns to immediate exploitation of fresh vulnerabilities. Our defenses need to work across both timeframes.

Second, attackers continue to adapt their techniques based on what works. QR codes in phishing, months-long relationship building, targeting enterprise management tools - these aren’t random choices. They’re responses to our existing defenses.

The Drift case especially highlights something we don’t talk about enough: the human element of social engineering at scale. Nation-state actors aren’t just throwing exploits at firewalls - they’re investing serious time in understanding and manipulating the people behind those firewalls.

For those of us designing security programs, this reinforces the need for defense in depth that includes both technical controls and human factors. We need monitoring that catches both immediate threats and slow-burn campaigns, user education that covers emerging attack vectors like QR codes, and incident response processes that can handle everything from zero-day exploitation to months-long compromises.

The threat environment keeps evolving, but so do we. The key is making sure our evolution keeps pace with theirs.
