- Koi Security discovered a malware campaign that hijacked more than 500,000 VKontakte accounts through Chrome extensions
- The plugins automatically subscribed victims to the attacker’s VK groups (1.4 million members), manipulated CSRF tokens, injected ads, and stole payment data.
- Ongoing campaign since mid-2025, maintained by the “2vk” threat actor, primarily targeting Russian-speaking users.
More than half a million VKontakte accounts were hijacked in a malware campaign that originated from the Google Chrome Web Store.
The campaign was detected by researchers at Koi Security and included five extensions advertised as an improvement to the platform.
In total, the add-ons were installed more than 500,000 times, and after being detected, at least one was removed from the Chrome Web Store. Koi said they were all maintained by a single threat actor with the GitHub alias “2vk.”
What does the attacker gain?
VKontakte is essentially the “Russian Facebook.” It is a social network very similar to Facebook and has approximately 650 million users.
While searching for Yandex’s advertising code, researchers found five extensions that could seemingly change the theme of the social platform and improve the user experience.
However, in the background, the malware automatically subscribed users to the attacker’s VK groups (which now have 1.4 million members), reset account settings every 30 days to override user preferences, manipulated CSRF tokens to bypass VK security protections, tracked donation status to monitor features and monetize victims, and maintained persistent control through multi-stage code injection.
There are multiple benefits to having 1.4 million people in the same group and having access to their CSRF cookies and payment information. For starters, they increase the perceived legitimacy of the plugins and can display ads and more malware. One of the extensions injected Yandex advertising scripts into every page the user opened, generating direct financial gains for the attackers.
Furthermore, by manipulating CSRF (Cross-Site Request Forgery) cookies, the hacker can perform actions as the victim without needing a password. They can send messages, access private data, or even change the victim’s recovery email.
Finally, the malware includes a system to track “donations” for “premium features.” The plugins are free, but come with a paid “pro” version. Victims who pay for it hand over their credit card information, which is then compromised.
The campaign most likely began in mid-2025 and has continued to this day. It primarily targets Russian-speaking users, although victims were seen in Eastern Europe, Central Asia, and elsewhere.
Via The Record