Legitimate Chrome VPN Extension Turns to Browser Spyware

A popular Google-featured browser extension offering a virtual private network (VPN) service recently turned malicious and is now spying on users’ every move online.

Researchers from Koi Security detected that FreeVPN.One, a VPN extension with over 100,000 installs on the Chrome Web Store, a ‘Verified’ status and a 3.8/5 rating from 1110 reviews, has been acting as spyware for the past five months.

Launched in 2020, according to the Chrome Stats website, FreeVPN.One was a seemingly legitimate Chrome VPN extension until an update to version 3.0.3 of the application in April 2025.

With that update, the FreeVPN.One developer added a permission, meaning that the extension could now access every site a user visited.

“At this point, although the permission allowed broader access, the content scripts were still limited to the VPN provider’s domains. No spying yet, but the door was now open,” said Lotan Sery, author of the Koi Security report published on August 19.

Two updates later, on July 17, FreeVPN.One reached v3.1.3. With this latest version, the extension started silently capturing screenshots of users’ online activity and collecting and exfiltrating sensitive and personal information.

Later in July, the developer added a new layer of obfuscation, using AES-256 encryption with RSA key wrapping, and switched from the aitd.one domain to a new subdomain, scan.aitd.one. The researchers supposed this was to “cover its tracks.”

The FreeVPN.One Spyware Capabilities Explained

The FreeVPN.One extension operates covertly by automatically capturing screenshots of every webpage users visit, without their knowledge or consent.

Using a two-stage process, it injects a content script into all HTTP/HTTPS sites via broad manifest permissions. After a deliberate 1.1-second delay (to ensure pages fully load), the script triggers a background service worker to take a silent screenshot via Chrome’s privileged captureVisibleTab() API.

The captured image, along with the page URL, tab ID, and a unique user identifier, is then uploaded to the attacker-controlled domain aitd[.]one/brange.php.

This stealthy surveillance happens continuously, with no visual indicators or user interaction required, allowing the extension to harvest sensitive data without detection.

While the extension includes a legitimate-sounding “Scan with AI Threat Detection” feature, introduced in a July 2025 update (v3.1.1), whose screenshot uploads to aitd[.]one/analyze.php are disclosed in its privacy policy, this is a smokescreen.

The real threat lies in the background screenshot capture, which occurs on every page load, long before a user ever clicks the scan button.

Additionally, the extension exfiltrates device and location data at install and startup, querying geolocation APIs and encoding the details as base64 before sending them to aitd[.]one/bainit.php.

The extension’s design, combining overt “security” features with hidden surveillance, masks its true purpose, which is persistent, unauthorized data harvesting under the guise of a trustworthy tool.
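The behaviour described above leaves a recognisable footprint in an extension's manifest and background service worker, which an audit of installed or updated extensions can check for. The following sketch is an added example, not code from Koi Security or from the extension; the finding labels, the sample manifests and the `UPLOAD_URL` placeholder are constructed for illustration, and Manifest V3 field names are assumed.

```javascript
// Match patterns that cover every HTTP/HTTPS page a user opens.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (patterns) => (patterns || []).some((p) => BROAD.has(p));
const grants = (m) => [...(m.permissions || []), ...(m.host_permissions || [])];

// manifest: parsed MV3 manifest.json; sources: { relativePath: fileText }.
function auditExtension(manifest, sources) {
  const findings = [];
  // captureVisibleTab() needs <all_urls> or activeTab; activeTab only
  // applies after a user gesture, so silent capture implies broad access.
  if (isBroad(grants(manifest))) findings.push("broad-host-permission");
  if ((manifest.content_scripts || []).some((cs) => isBroad(cs.matches)))
    findings.push("content-script-on-all-sites");
  const worker = manifest.background && manifest.background.service_worker;
  const bg = (worker && sources[worker]) || "";
  if (/\bcaptureVisibleTab\s*\(/.test(bg)) {
    findings.push("screenshot-api-in-background");
    if (/\b(fetch|XMLHttpRequest|sendBeacon)\b/.test(bg))
      findings.push("background-network-upload");
  }
  const risk = findings.length === 4 ? "high" : findings.length ? "review" : "low";
  return { findings, risk };
}

// True when an update widens access from scoped hosts to every site.
function escalatesToAllSites(oldManifest, newManifest) {
  return !isBroad(grants(oldManifest)) && isBroad(grants(newManifest));
}

// Constructed samples (not the real extension's files).
const scopedVpn = {
  manifest_version: 3, permissions: ["proxy", "storage"],
  host_permissions: ["https://vpn.example/*"],
  background: { service_worker: "bg.js" },
};
const broadCapture = {
  manifest_version: 3, permissions: ["proxy", "storage", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["cs.js"] }],
  background: { service_worker: "bg.js" },
};
// Token-level stand-in for a worker that captures and uploads.
const sampleSources = {
  "bg.js": "chrome.tabs.captureVisibleTab(/* ... */); fetch(UPLOAD_URL /* placeholder */);",
};

console.log(auditExtension(broadCapture, sampleSources));
console.log(escalatesToAllSites(scopedVpn, broadCapture));
```

String matching of this kind misses minified or obfuscated workers, so a "low" result means nothing was found, not that the extension is clean.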

Evasive Responses from FreeVPN.One’s Developer

The Koi Security researchers contacted the developer of FreeVPN.One, but the developer’s explanations for the extension’s behavior failed to align with the researchers’ observations.

First, they claimed the automatic screenshot capture is part of a ‘background scanning’ feature meant only for suspicious domains. However, the researchers found it actively captured screenshots on trusted services like Google Sheets and Google Photos – “clearly not malicious sites,” they noted.

The developer admitted the feature was enabled by default for all users, with plans to require consent in a future update, meaning screenshots are still being taken and sent to the FreeVPN.One developer’s servers without permission in the meantime.

It was also asserted that screenshots are only analyzed briefly and not stored, but this cannot be verified once the data leaves users’ devices.

Additionally, when pressed for proof of legitimacy, such as a company profile, GitHub, or LinkedIn, the FreeVPN.One developer stopped responding to Koi Security, leaving only a suspicious Wix template page (phoenixsoftsol.com) as evidence.

The website listed in the FreeVPN.One application’s information on the Chrome Web Store was not accessible at the time of writing.

This new research, published on International VPN Day, is a reminder that not all VPNs are equal and that many so-called privacy tools can be malicious, while even reputable commercial providers often lack transparency about the data they collect from users.

In a video published on August 8, 2025, the cybersecurity YouTuber Addie LaMarr analyzed several VPN products that have been exposed for their spyware capabilities. This included Onavo, acquired by Facebook in 2013, which reportedly used its Onavo Protect VPN service to monitor Snapchat and other competing startups.
