Cybersecurity

Fake QR Codes Targeting GTA Transit Riders

QR Code signs left around STS stations, QR Code blurred out for ODTN News reader safety

TORONTO, ON —

Commuters across the Greater Toronto Area are being urged not to scan a series of unauthorized QR codes that have appeared in and around multiple STS Transit stations this week. The posters, designed to look like official transit communications, promise “real-time train routing” amid ongoing service instability, but cybersecurity experts say the codes actually redirect users to a malicious app that harvests personal data.

The flyers began appearing late Tuesday evening at stations in Toronto, Mississauga, Brampton, and Scarborough. Many were placed near ticket machines, station entrances, and shelters along busy commuter corridors. Their design closely mimics the colour scheme and typography of siberX Transit Systems (STS), making them nearly indistinguishable from legitimate service notices.

Security analysts consulted by ODTN say the QR codes lead to a third-party website prompting users to download an app claiming to provide “accurate route paths” during the city’s ongoing transit disruptions.

Once installed, the app immediately requests extensive device permissions — including access to contacts, location, notifications, and in some cases, stored passwords.

“This is deliberate social engineering,” said cybersecurity researcher Dr. Lena Harcourt. “Attackers are exploiting a moment of public confusion by offering what appears to be a helpful tool. In reality, it’s a data siphon.”

Preliminary analysis shows the app transmits user information to servers registered offshore. Investigators believe the operation is linked to a broader pattern of opportunistic cyber activity that has emerged since the STS outage began.

Several commuters told ODTN they scanned the code assuming it was part of STS’s interim communication strategy.

“It looked real — same colours, same layout,” said one Brampton commuter. “We’re all desperate for accurate info right now. That’s why people fall for this.”

Others reported seeing younger riders handing out cut flyers outside stations last night, though it remains unclear whether those individuals were aware of the scam.

STS issued a statement early Wednesday condemning the unauthorized signage and urging riders not to scan any QR codes found outside official channels.

“STS does not distribute routing information through QR posters,” the agency’s statement read. “These materials are fraudulent and are currently under investigation.”

The incident adds another layer of complexity to a transit system already grappling with conflicting service alerts, communication failures, and worsening public mistrust.

“Criminal actors know when a city is vulnerable,” said Harcourt. “Every gap in information becomes an opportunity for exploitation.”

Authorities are urging anyone who downloaded the suspicious app to delete it immediately, perform a device security scan, and monitor accounts for unusual activity.

What Riders Should Do

  • Do not scan any transit-related QR codes found outside official STS channels.

  • Confirm updates only through the official STS app, website, or verified social media accounts.

  • Report suspicious posters to station staff or authorities.

  • Remove any unknown app installed after scanning a QR code.

ODTN will update this story as more details become available.

Watching the perimeter — and what slips past it. — Ayaan Chowdhury
