Over half a million VKontakte accounts hijacked using malicious Chrome extensions


  • Koi Security uncovered malware campaign hijacking 500,000+ VKontakte accounts via Chrome extensions
  • Add-ons auto-subscribed victims to attacker’s VK groups (1.4M members), manipulated CSRF tokens, injected ads, and stole payment data
  • Campaign ongoing since mid-2025, maintained by threat actor “2vk,” primarily targeting Russian-speaking users

Over half a million VKontakte accounts were hijacked in a malware campaign which originated on the Google Chrome Web Store.

The campaign was spotted by researchers from Koi Security and involved five extensions advertised as enhancements for the platform.

Cumulatively, the add-ons were installed more than 500,000 times, and at least one was removed from the Chrome Web Store after the campaign was spotted. Koi said they were all maintained by a single threat actor with the GitHub alias “2vk”.

What's in it for the attacker?

VKontakte is essentially “Russian Facebook”. It is a social network very similar to Facebook and has roughly 650 million users.

While searching for Yandex advertising code, the researchers found five extensions that, on the surface, could change the theme of the social platform and enhance the user experience.

However, in the background, the malware automatically subscribed users to the attacker’s VK groups (which now count 1.4 million members), reset account settings every 30 days to override user preferences, manipulated CSRF tokens to bypass VK’s security protections, tracked donation status to gate features and monetize victims, and maintained persistent control through multi-stage code injection.

There are multiple benefits to having 1.4 million people in the same group and having access to their CSRF tokens and payment information. For starters, the members increase the perceived legitimacy of the add-ons, and they can be served ads and more malware. One of the extensions was injecting Yandex advertising scripts into every page the user opened, bringing direct financial gain to the attackers.

Also, by manipulating CSRF (Cross-Site Request Forgery) tokens, the attacker can perform actions as the victim without needing a password: send messages, access private data, or even change the account’s recovery email.

Finally, the malware includes a system to track "donations" for "premium features". The add-ons are free but come with a paid “pro” version, so victims hand over their credit card details while remaining compromised.
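As a defender's triage aid, here is an added example that is not code from Koi Security or from the article: a small Python script that reads Chrome extension manifests from a browser profile and flags any extension holding the capabilities the add-ons above needed, namely content scripts running on VK pages, host permissions covering vk.com, and permissions that reach cookies or rewrite requests. The VK host list, the sensitive-permission set and the sample manifest are constructed assumptions, not artefacts of the real campaign.

```python
import json
from pathlib import Path

VK_HOSTS = ("vk.com", "m.vk.com", "vk.ru")  # assumed hosts a VK add-on must reach
SENSITIVE_PERMS = {"cookies", "webRequest", "declarativeNetRequest", "scripting"}

def host_matches(host_pattern: str, host: str) -> bool:
    """Chrome match-pattern host rules: '*' is any host, '*.vk.com' also matches vk.com."""
    if host_pattern == "*":
        return True
    if host_pattern.startswith("*."):
        base = host_pattern[2:]
        return host == base or host.endswith("." + base)
    return host == host_pattern

def pattern_covers_vk(pattern: str) -> bool:
    """True if a match pattern or host permission reaches any VK host."""
    if pattern == "<all_urls>":
        return True
    host = (pattern.split("://", 1)[1] if "://" in pattern else pattern).split("/", 1)[0]
    return any(host_matches(host, h) for h in VK_HOSTS)

def assess_manifest(manifest: dict) -> dict:
    """List the capabilities an extension would need to script VK pages or touch its cookies."""
    findings = []
    if any(pattern_covers_vk(m) for cs in manifest.get("content_scripts", [])
           for m in cs.get("matches", [])):
        findings.append("content script injected into VK pages")
    hosts = manifest.get("host_permissions", []) + [  # MV3 list, plus MV2-style URL perms
        p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    if any(pattern_covers_vk(p) for p in hosts):
        findings.append("host permission covers VK")
    for p in sorted(SENSITIVE_PERMS & set(manifest.get("permissions", []))):
        findings.append(f"sensitive permission: {p}")
    return {"name": manifest.get("name", "<unnamed>"), "findings": findings}

def scan_profile(profile_dir) -> list:
    """Assess every <profile>/Extensions/<id>/<version>/manifest.json and keep the flagged ones."""
    results = []
    for mf in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        with open(mf, encoding="utf-8") as f:
            results.append(assess_manifest(json.load(f)))
    return [r for r in results if r["findings"]]

# Constructed manifest shaped like a "VK theme" add-on; not taken from the real campaign.
SAMPLE_MANIFEST = {"name": "VK Theme (constructed sample)", "manifest_version": 3,
    "permissions": ["cookies", "storage"],
    "host_permissions": ["*://*.vk.com/*", "https://*.yandex.ru/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
```

Point `scan_profile` at a Chrome user-data profile directory (for example `~/.config/google-chrome/Default` on Linux) to list the installed extensions that hold these capabilities; a flag is a reason to review the extension, not proof it is malicious.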

The campaign most likely started in mid-2025 and has been ongoing to this day. It targets primarily Russian-speaking users, although victims were seen in Eastern Europe, Central Asia, and elsewhere.

Via The Record


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
