Date: 2025-08-20

FreeVPN.One, a featured Chrome extension with a verified badge and over 100,000 installs, which was previously considered “safe,” is secretly spying on its users by grabbing their screens and sending data to a remote server, security researchers warn.

The Chrome extension received several updates this year, silently introducing the screen-capturing and data harvesting features without users’ knowledge.

The shocking discovery was shared by the research team at Koi Security. The spyware has over 1,000 ratings, averaging 3.8 stars out of 5, and is still available on the Chrome Web Store at the time of writing.

The spying went live on July 17th, 2025, just before the UK’s strict age verification rules kicked in, sending flocks of users to VPNs as workarounds.

“Most people turn to a VPN for one reason: privacy,” the Koi Security researchers said.

“FreeVPN.One looked like a safe choice. But once it’s in your browser, it’s not working to keep you safe, it’s continuously watching you.”

In practice, the extension performs a series of suspicious actions as users browse. When a page loads, it grabs a screenshot in the background and sends it to a remote server with the URL, tab ID number, and unique user identifier.

“No user action, no UI hint, the screenshots are taken in the background without you ever knowing,” the report reads.

“Screenshots can sweep up passwords, banking details, personal messages, and any sensitive data rendered on your screen. These images are then uploaded to a third-party server separate from the VPN provider, an exfiltration path entirely opposed with what a privacy tool should do.”

How does the spying work?

The extension actually has the “Scan with AI Threat Detection” feature, which works by uploading screenshots and URLs when a user wants to “check URL.” However, the extension doesn’t tell users that it has already been grabbing many more screenshots in the background, even if the users didn’t click that button.

The extension also collects other data, such as IP geolocation and device information, and transmits it encoded in Base64. In the latest version, FreeVPN.One was updated to include AES-256-GCM encryption with RSA key wrapping to hide data in transit.

For the VPN extension’s core functionality to work, it only requires proxy and storage permissions. However, FreeVPN.One also requests access to all URLs, plus the tabs and scripting permissions.

“A trio that opens the door to persistent surveillance,” Koi Security’s report explains.

Captured data. Image by Koi Security

The report details the timeline of how the VPN extension was updated with extensive permissions.

In April 2025, an update opened the door with the <all_urls> permission, which enabled it to access all websites that users visit.

In June, it was updated once again with even broader scripting permissions. It was presented as a security upgrade, while in reality, the developer was testing the limits of how far they could go without raising suspicion.
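
The permission creep in this timeline can be checked mechanically by comparing an extension's manifest across versions. The script below is an added example, not code from Koi Security's report or from the extension; the manifests and version labels are constructed samples, and the proxy-plus-storage baseline is the one stated above.

```javascript
// Added example: audit a Chrome extension's manifest history for permission creep.
const BASELINE = new Set(["proxy", "storage"]); // per the article: all a VPN extension needs
const TRIO = ["<all_urls>", "tabs", "scripting"]; // the combination the report flags
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect install-time grants from an MV2 or MV3 manifest, folding every
// "match all sites" pattern into "<all_urls>".
function grantedPermissions(manifest) {
  const hosts = [...(manifest.host_permissions || [])];
  // A content script injected on every site is equivalent to broad host access.
  for (const cs of manifest.content_scripts || []) hosts.push(...(cs.matches || []));
  const out = new Set();
  for (const p of [...(manifest.permissions || []), ...hosts]) {
    out.add(ALL_SITES.has(p) ? "<all_urls>" : p);
  }
  return out;
}

// Walk versions oldest-first and report what each update added, what exceeds
// the baseline, and whether the flagged trio is now complete.
function auditHistory(versions) {
  let previous = new Set();
  return versions.map(({ version, manifest }) => {
    const current = grantedPermissions(manifest);
    const added = [...current].filter((p) => !previous.has(p)).sort();
    const excess = [...current].filter((p) => !BASELINE.has(p)).sort();
    const trioComplete = TRIO.every((p) => current.has(p));
    previous = current;
    return { version, added, excess, trioComplete };
  });
}

// Constructed manifests with hypothetical version labels (not the extension's real files).
const SAMPLE_HISTORY = [
  { version: "v1", manifest: { manifest_version: 3, permissions: ["proxy", "storage"] } },
  { version: "v2", manifest: { manifest_version: 3, permissions: ["proxy", "storage", "tabs"],
      host_permissions: ["<all_urls>"] } },
  { version: "v3", manifest: { manifest_version: 3,
      permissions: ["proxy", "storage", "tabs", "scripting"],
      host_permissions: ["<all_urls>"],
      content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }] } },
];

for (const r of auditHistory(SAMPLE_HISTORY)) {
  const flag = r.trioComplete ? "  <-- all-sites + tabs + scripting" : "";
  console.log(`${r.version}: added [${r.added.join(", ")}]${flag}`);
}
```

Run against the unpacked manifest.json of each installed version, an update that adds anything outside the baseline is the point at which to review the extension before the new code runs.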

Neither the extension’s terms of service nor the privacy policy on the website lists the developer’s name, only a generic email address. The researchers contacted the developer; however, the developer’s explanations did not align with the findings.

“He explained that the automatic screenshot capture is part of a Background Scanning feature, which should only trigger if a domain appears suspicious. In practice, we saw screenshots being captured on trusted services like Google Sheets and Google Photos, domains that cannot be considered suspicious,” the report reads.

The developer claimed that the screenshots were analyzed briefly for potential threats, but when asked to provide any proof of legitimacy, such as a company profile, GitHub, or LinkedIn account, the developer ceased communication.