- Koi Security discovered a malware campaign hacking more than 500,000 VKontakte accounts via Chrome extensions.
- Add-ons automatically subscribed victims to the attacker’s VK groups (1.4 million members), manipulated CSRF tokens, injected advertisements, and stole payment data.
- Ongoing campaign since mid-2025, maintained by the malicious actor “2vk”, primarily targeting Russian-speaking users.
More than half a million VKontakte accounts were hacked during a malware campaign launched on the Google Chrome Web Store.
The campaign was spotted by researchers at Koi Security and included five extensions advertised as an improvement to the platform.
In total, the add-ons were installed over 500,000 times and after being spotted, at least one was removed from the Chrome Web Store. Koi said they were all maintained by a single threat actor with the GitHub alias “2vk.”
What is in it for the attacker?
VKontakte is essentially “Russian Facebook”. It is a social network very similar to Facebook and has around 650 million users.
While searching for Yandex advertising code, researchers found five extensions that, at first glance, could change the theme of the social platform and improve the user experience.
However, behind the scenes, the malware automatically enrolled users in the attacker’s VK groups (which now have 1.4 million members), reset account settings every 30 days to override user preferences, manipulated CSRF tokens to bypass VK’s security protections, tracked donation status to control functionality and monetize victims, and maintained persistent control through multi-step code injection.
There are many benefits to having 1.4 million people in the same group and having access to their CSRF cookies and payment information. For starters, the large groups increase the perceived legitimacy of the add-ons, and their members may be served ads and more malware. One of the extensions injected Yandex advertising scripts into each page opened by the user, thereby bringing direct financial gain to the attackers.
Additionally, by manipulating CSRF (Cross-Site Request Forgery) cookies, the attacker can perform actions as the victim, without the need for a password. They can send messages, access private data or even change the victim’s recovery email address.
Finally, the malware includes a system to track “donations” for “premium features”. The add-ons are free, but come with a paid “pro” version. This way, victims lose their credit card information, while remaining compromised.
The campaign likely began in mid-2025 and continues today. It primarily targets Russian-speaking users, although victims have been observed in Eastern Europe, Central Asia and elsewhere.
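For defenders reviewing installed extensions, the mismatch described above (an add-on marketed as a VK theme that also runs scripts on every page the user opens) shows up in the extension's manifest. The following is an added example, not code from Koi Security or from the original article; the VK domain list, the set of permissions treated as sensitive, and both sample manifests are assumptions constructed for illustration.

```python
# Added example: sample manifests below are constructed, not taken from the campaign.
VK_DOMAINS = ("vk.com", "vk.ru")                         # assumption: hosts counted as "VK"
SENSITIVE_APIS = {"cookies", "webRequest", "scripting"}  # assumption: APIs worth a second look


def host_patterns(manifest):
    """Collect every host match pattern the extension can act on (MV2 and MV3)."""
    patterns = set(manifest.get("host_permissions", []))     # MV3 host access
    patterns |= {p for p in manifest.get("permissions", [])  # MV2 mixes hosts and API names
                 if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def is_vk(pattern):
    """True when the pattern's host is a VK domain or a subdomain of one."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("*."):
        host = host[2:]
    return any(host == d or host.endswith("." + d) for d in VK_DOMAINS)


def review(manifest):
    """Report host access beyond VK and sensitive APIs for a VK-only add-on."""
    outside = sorted(p for p in host_patterns(manifest) if not is_vk(p))
    apis = sorted(SENSITIVE_APIS & set(manifest.get("permissions", [])))
    return {"outside_vk": outside, "sensitive_apis": apis, "needs_review": bool(outside)}


THEME_ONLY = {  # constructed: scope matches the advertised purpose
    "manifest_version": 3, "name": "VK theme (constructed)",
    "host_permissions": ["*://*.vk.com/*"],
    "content_scripts": [{"matches": ["https://vk.com/*"], "css": ["theme.css"]}],
}
OVERBROAD = {  # constructed: same pitch, but scripts run on every page
    "manifest_version": 3, "name": "VK styles (constructed)",
    "permissions": ["storage", "cookies"],
    "host_permissions": ["*://*.vk.com/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for m in (THEME_ONLY, OVERBROAD):
        print(m["name"], review(m))
```

A manifest check only covers declared scope; it does not see code an extension fetches and injects at runtime, so a clean result here is not evidence that an add-on is benign.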
Via The file
