- Koi Security Revealed Malware Campaign That Hijacked 500,000+ VKontakte Accounts Via Chrome Extensions
- The add-ons automatically subscribed victims to the attacker’s VK groups (1.4 million members), manipulated CSRF tokens, inserted ads, and stole payment data
- Campaign running since mid-2025, maintained by threat actor “2vk”, primarily targeting Russian-speaking users
Over half a million VKontakte accounts were hijacked in a malware campaign originating from the Google Chrome Web Store.
The campaign was discovered by researchers from Koi Security and included five extensions advertised as an improvement to the platform.
Cumulatively, the add-ons were installed more than 500,000 times, and after being discovered, at least one was removed from the Chrome Web Store. Koi said they were all maintained by a single threat actor with the GitHub alias “2vk.”
What's in it for the attacker?
VKontakte is basically “Russian Facebook”. It is a social network that is very similar to Facebook and has around 650 million users.
While searching for Yandex advertising code, the researchers found five extensions that, on the surface, could change the theme of the social platform and improve the user experience.
But in the background, the malware automatically subscribes users to the attacker’s VK groups (now numbering 1.4 million members), resets account settings every 30 days to override user preferences, manipulates CSRF tokens to bypass VK’s security protections, tracks donation status to gate functions and monetize victims, and maintains persistent control through multi-function code.
There are several benefits to having 1.4 million people in the same group and having access to their CSRF cookies and payment information. For starters, the large membership increases the perceived legitimacy of the add-ons, and the attackers can display ads and deliver more malware. One of the extensions injected Yandex advertising scripts on every page the user opened, giving the attackers direct financial gain.
By manipulating CSRF (Cross-Site Request Forgery) cookies, the attacker can also perform actions as the victim, without needing a password. They can send messages, access private data or even change the victim's recovery email.
Finally, the malware includes a system to track “donations” for “premium features.” The add-ons are free, but come with a paid “pro” version. That way, victims lose their credit card information while remaining compromised.
The campaign most likely started in mid-2025 and has been ongoing to this day. It primarily targets Russian-speaking users, although victims were seen in Eastern Europe, Central Asia and elsewhere.
Via The Record




