Danger: “Verified” Chrome VPN Extension Exposed as Screen-Capturing Spyware
The popular Chrome extension FreeVPN.One, installed by more than 100,000 users and marked with a verification check, has been exposed as spyware. Researchers from Koi Security discovered that it secretly captures screenshots of user activity and transmits them to a remote server along with detailed records of visited websites. Despite its reputation as a “secure” tool, the extension remains available on the official Chrome Web Store, boasting over a thousand reviews and an average rating of 3.8 stars.
Evidence suggests that these covert data-harvesting features were introduced in 2025 updates. Researchers observed a surge in suspicious activity beginning July 17, shortly before the enforcement of the UK’s mandatory age-verification rules, which prompted a wave of users to adopt VPN services. Officially, the extension claimed to offer an “AI Threat Detection Scan” that required uploading screenshots and website addresses for inspection. In practice, however, it began capturing screen images automatically whenever a page was opened—without any user interaction.
The report warns that these screenshots could expose everything from passwords and banking details to private conversations and sensitive documents. The captured images were transmitted to a server unrelated to the VPN provider itself, effectively turning FreeVPN.One into a data exfiltration channel—the exact opposite of a VPN’s intended purpose. Additional information, including geolocation data via IP and device fingerprints, was also collected and transmitted in encoded form. The latest version even introduced AES-256-GCM encryption with RSA key wrapping, obscuring the transfers.
For the extension’s basic VPN functions, the proxy and storage permissions would have sufficed. Instead, FreeVPN.One requested sweeping privileges, including full access to visited URLs, browser tabs, and script execution, which enabled continuous surveillance of user activity. A review of its update history reveals a steady escalation of permissions: in April 2025, it added the powerful <all_urls> host permission, followed in June by expanded rights to execute scripts. Each change was marketed as a “security enhancement,” while in reality it tested the boundaries of what could be hidden under that pretext.
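As an added illustration (not code from the Koi Security report or from the extension), the following Python script audits a Chrome extension manifest against the minimal permission set a proxy-based VPN needs and diffs two versions to surface the kind of escalation described above. The baseline set, the risk table and both manifests are assumptions and constructed samples, not the real FreeVPN.One manifests.

```python
"""Audit a Chrome extension manifest for permissions beyond what a VPN
extension needs, and diff two versions to surface privilege escalation.

Both manifests below are CONSTRUCTED samples for illustration only."""
import json

# Assumption: a proxy-based VPN extension plausibly needs only these.
VPN_BASELINE = {"proxy", "storage"}

# Permissions that enable broad surveillance of browsing activity.
HIGH_RISK = {
    "<all_urls>": "read/modify every page the user visits",
    "tabs": "see URLs and titles of all open tabs",
    "scripting": "inject arbitrary scripts into pages",
    "webRequest": "observe all HTTP(S) requests",
    "history": "read full browsing history",
}

def requested_permissions(manifest: dict) -> set:
    """Union of API permissions and host permissions (MV2 lists host
    patterns under "permissions", MV3 under "host_permissions")."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    return perms

def audit(manifest: dict) -> dict:
    """Permissions beyond the baseline, and the high-risk ones among them."""
    excess = requested_permissions(manifest) - VPN_BASELINE
    flagged = {p: HIGH_RISK[p] for p in excess if p in HIGH_RISK}
    return {"excess": sorted(excess), "high_risk": flagged}

def escalation(old: dict, new: dict) -> list:
    """Permissions added between two manifest versions."""
    return sorted(requested_permissions(new) - requested_permissions(old))

# Constructed sample: an earlier and a later version of one extension.
OLD_MANIFEST = json.loads('''{"manifest_version": 3, "version": "1.0.0",
  "permissions": ["proxy", "storage"]}''')
NEW_MANIFEST = json.loads('''{"manifest_version": 3, "version": "1.1.0",
  "permissions": ["proxy", "storage", "tabs", "scripting"],
  "host_permissions": ["<all_urls>"]}''')

if __name__ == "__main__":
    for name, m in (("old", OLD_MANIFEST), ("new", NEW_MANIFEST)):
        print(name, m["version"], audit(m))
    print("added since old:", escalation(OLD_MANIFEST, NEW_MANIFEST))
```

Point it at the manifest.json of any installed extension to see which requested permissions go beyond what its advertised function requires.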
The developers provided no real name or organization in their terms of use or privacy policy, leaving only a generic email address. Attempts by researchers to contact them were met with evasive replies: initially, the author claimed screenshots were used for “background scanning of suspicious domains,” yet evidence showed the logging occurred even on trusted platforms like Google Sheets and Google Photos. When pressed for proof of legitimacy—such as a company profile, GitHub repository, or LinkedIn account—the developer ceased all communication.
This incident underscores a critical lesson: a verification badge and popularity in the Chrome Web Store do not guarantee safety. For users, it is a stark reminder to scrutinize the permissions requested by extensions and question whether such access is truly justified.