Full Report
Researchers said they identified a network of five Chrome extensions, marketed as tools to change themes and enhance the VK user experience, that took control of infected accounts and manipulated settings without users’ consent.
Analysis Summary
# Incident Report: Half-Million VKontakte Accounts Hijacked via Malicious Chrome Extensions
## Executive Summary
Cybersecurity researchers identified a network of five malicious Google Chrome extensions targeting users of the Russian social network VKontakte (VK). Disguised as theme customization and enhancement tools, these extensions infected over 500,000 users, hijacking their accounts to manipulate settings and forcibly subscribe them to attacker-controlled groups. The campaign was orchestrated by a single threat actor leveraging VK’s own infrastructure to maintain persistence and evade detection.
## Incident Details
- **Discovery Date:** February 2026 (Reported by Koi Security)
- **Incident Date:** Mid-2025 – January 2026
- **Affected Organization:** VKontakte (VK) Users
- **Sector:** Social Media / Technology
- **Geography:** Russia, Eastern Europe, Central Asia, and Russian diaspora communities.
## Timeline of Events
### Initial Access
- **Date/Time:** Commenced mid-2025.
- **Vector:** Social Engineering via the Chrome Web Store.
- **Details:** Attackers uploaded five extensions (including "VK Styles") marketed as legitimate tools for changing themes and enhancing user experience on VK.
### Lateral Movement
- **Details:** Traditional network lateral movement was not the focus; rather, the malware moved "laterally" across the social platform by using hijacked accounts to join groups, thereby amplifying the reach and influence of the attacker’s network.
### Data Exfiltration/Impact
- **Details:** Unauthorized control of 500,000+ accounts. The malware manipulated account settings (resetting them every 30 days) and forced subscriptions to specific groups. Financial data was targeted if victims paid for "premium" features within the malicious extension.
### Detection & Response
- **Detection:** Identified by researchers at Koi Security through behavioral analysis and tracing extension updates.
- **Response:** "VK Styles" and associated extensions were flagged and subsequently removed from the Chrome Web Store starting February 6, 2026.
## Attack Methodology
- **Initial Access:** Fake browser extensions (Trojanized tools).
- **Persistence:** Automatic and silent extension updates allowed the attacker ("2vk") to push new code without user interaction.
- **Privilege Escalation:** Exploited browser extension permissions to access authenticated VK sessions.
- **Defense Evasion:** Used VKontakte itself as C2 (Command & Control) infrastructure to blend in with legitimate traffic.
- **Credential Access:** Theft of authenticated session tokens rather than raw passwords.
- **Discovery:** Monitored victim interaction with the VK website.
- **Lateral Movement:** Social amplification through forced group subscriptions.
- **Collection:** Recorded payment details if users attempted to buy "extra features."
- **Exfiltration:** Sending account status and payment logs to the attacker.
- **Impact:** Account hijacking, unauthorized setting changes, and follower count manipulation for attacker-controlled groups.
## Impact Assessment
- **Financial:** Users were defrauded through fake "premium" features; attackers likely monetized the high follower counts of hijacked groups.
- **Data Breach:** Over 500,000 accounts compromised; unauthorized access to session tokens and personal payment information.
- **Operational:** Disruption of VK’s security integrity; repeated resetting of user per-account settings.
- **Reputational:** Massive breach of trust for users of third-party VK customization tools.
## Indicators of Compromise
- **Network indicators:** Traffic to GitHub at `github[.]com/2vk` and specific hidden groups on `vk[.]com`.
- **File indicators:** Chrome Extension ID for "VK Styles" (and four other related IDs).
- **Behavioral indicators:** Automatic subscriptions to unknown VK groups; VK account settings resetting every 30 days.
## Response Actions
- **Containment:** Removal of the malicious extensions from the Chrome Web Store.
- **Eradication:** Automatic uninstallation/disabling of extensions in user browsers by Google.
- **Recovery:** Social media platform (VK) hardening against automated session manipulation.
## Lessons Learned
- **Extension Scrutiny:** Browser extensions possess high-level access to authenticated sessions and are often overlooked in standard security audits.
- **Infrastructure Abuse:** Threat actors are increasingly using the platform they are attacking (VK/GitHub) as C2 infrastructure to hide their footprint.
- **Silent Updates:** The auto-update mechanism in browser extensions remains a primary vector for converting "clean" apps into malware post-installation.
## Recommendations
- **Zero Trust Extensions:** Implement organizational policies to block or whitelist specific Chrome extensions.
- **Session Protection:** Social media platforms should implement stricter checks for automated actions (like group follows) occurring via browser scripts.
- **Audit:** Users should regularly audit "Authorized Apps" and extensions linked to their social media and browser profiles.