Chrome VPN Extension Transforms into Browser Surveillance Software

===================================================================

In a shocking turn of events, the seemingly legitimate Google-featured browser extension, FreeVPN.One, has been exposed as a spyware threat. With over 100,000 installs on the Chrome Web Store, this VPN extension has been covertly spying on users' online activity since an update in April 2025.

The malicious activities of FreeVPN.One were first brought to light by cybersecurity researchers at Koi Security on August 19. According to their findings, the extension automatically captures screenshots of every webpage users visit without their knowledge or consent. These captured images, along with the page URL, tab ID, and a unique user identifier, are uploaded to the attacker-controlled domain .

The extension also exfiltrates device and location data at install and startup, querying geolocation APIs and encoding the details as base64 before sending them to . This data collection and transmission occur long before a user clicks the scan button, making it difficult for users to prevent this intrusion.

When pressed for proof of legitimacy, the FreeVPN.One developer stopped responding to Koi Security. In addition, the company behind the VPN extension remains unidentified in the provided search results.

The developer initially asserted that screenshots are only analyzed briefly and not stored. However, this claim cannot be verified once the data leaves users' devices. Moreover, the extension includes a "Scan with AI Threat Detection" feature, which, according to researchers, is a smokescreen for its malicious activities.

In July 2025, the developer added a new layer of obfuscation, using AES-256 encryption with RSA key wrapping and switching from the domain to a new subdomain, .

FreeVPN.One was launched in 2020 and had a seemingly legitimate Chrome VPN extension status until April 2025, when an update to version 3.0.3 allowed the extension to access every site a user visited. With the update to version 3.1.3 on July 17, FreeVPN.One started silently capturing screenshots of users' online activity.

It is important to note that the explanations for the extension's behaviour provided by the developer failed to align with the researchers' observations. Users are advised to remove the FreeVPN.One extension from their browsers and consider using a more trusted VPN service.

A video published by cybersecurity YouTuber Addie LaMarr on August 8, 2025, analysed several VPN products that have been exposed for their spyware capabilities, including Onavo, acquired by Facebook in 2013, which used its Onavo Protect VPN service to monitor Snapchat and other competing startups. This incident serves as a reminder that not all VPN services can be trusted and users should exercise caution when choosing a VPN provider.