A popular Chrome VPN extension with over 100,000 installations and a verified badge has been exposed as a sophisticated piece of spyware. The extension, called FreeVPN.One, was found to be secretly capturing screenshots of every webpage users visit and sending sensitive data to remote servers. This malicious activity completely contradicts its advertised purpose of providing privacy protection.
The extension achieved a prominent position on the Chrome Web Store, even gaining a verified status and being featured, which helped it build a large user base of people looking to protect their online privacy. However, it was operating with a deceptive, two-stage architecture that silently monitors user activity and captures sensitive information, including banking credentials, personal communications, and private documents.
Security analysts at Koi.Security discovered that the extension’s transformation from a legitimate VPN service to spyware happened through a series of calculated updates starting in April 2025. During these updates, developers added broad permissions that enabled the comprehensive data collection. This transformation is especially concerning given the extension’s widespread adoption among privacy-conscious users and its verified status.
The surveillance campaign affects users globally, with captured screenshots containing sensitive corporate data, financial information, and personal communications being transmitted to threat actors. The extension’s privileged access within users’ browsers allows it to perform a comprehensive intelligence-gathering operation without any user knowledge or consent.
Technically, the extension’s surveillance is implemented through a content script injection system that automatically deploys on all HTTP and HTTPS websites. The malicious code is designed to execute a precisely timed delay mechanism upon page load, giving it the ability to capture a wide range of sensitive data.
Reference:
