Chrome VPN Extension Uncloaks as Browser Surveillance Software
FreeVPN.One, a seemingly legitimate Chrome VPN extension, has been exposed as having been a privacy threat since April 2025. Launched in 2020, the extension had over 100,000 installs on the Chrome Web Store and was even featured prominently by Google.
However, researchers from Koi Security detected the malicious behaviour of FreeVPN.One in August 2025. Upon being pressed for proof of legitimacy, the developer stopped responding.
The extension's advertised "Scan with AI Threat Detection" feature is actually a smokescreen. In reality, the extension covertly captures screenshots of every webpage visited, without the user's knowledge or consent. The two-stage process begins with the update to version 3.0.3 in April 2025, through which the extension gained permission to access every site a user visits.
The captured images, along with other data, are uploaded to the attacker-controlled domain aitd[.]one/brange.php. The automatic screenshot capture occurs on every page load, long before a user clicks the scan button.
Moreover, FreeVPN.One exfiltrates device and location data at install and startup, querying geolocation APIs and encoding the details as base64 before sending them to aitd[.]one/bainit.php.
In July 2025, the developer added a new layer of obfuscation, introducing AES-256 encryption with RSA key wrapping and switching from the aitd[.]one domain to a new subdomain, scan.aitd[.]one.
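For defenders, the endpoints named above can be hunted in web proxy logs. The following is an added example, not code from Koi Security or from the extension: it matches the domain on label boundaries so the later scan subdomain is also caught while lookalike hosts are not. The log layout, client addresses, timestamps and HTTP methods are constructed for illustration, and it assumes the proxy records full URLs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator as written in the article (defanged); refanged only for matching.
IOC_DOMAIN = "aitd[.]one".replace("[.]", ".")
# Endpoint path -> role the article attributes to it.
IOC_PATHS = {"/brange.php": "screenshot-upload",
             "/bainit.php": "device-location-beacon"}

# Assumed log layout (constructed): "<timestamp> <client> <method> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def host_matches(host: str) -> bool:
    """True for the IoC domain or any subdomain; never a substring match."""
    host = host.lower().rstrip(".")
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)

def classify(url: str):
    """Return a label for a URL that reaches the IoC domain, else None."""
    parts = urlsplit(url)
    if not parts.hostname or not host_matches(parts.hostname):
        return None
    return IOC_PATHS.get(parts.path.lower(), "other-contact")

def scan(lines):
    """Map each client address to a count of hits per label."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing fields
        _ts, client, _method, url = m.groups()
        label = classify(url)
        if label:
            hits[client][label] += 1
    return {client: dict(counts) for client, counts in hits.items()}

# Constructed sample log lines, not real traffic.
SAMPLE = """\
2025-08-01T09:00:01Z 10.0.0.5 POST https://aitd.one/bainit.php
2025-08-01T09:00:07Z 10.0.0.5 POST https://aitd.one/brange.php
2025-08-01T09:00:09Z 10.0.0.5 POST https://aitd.one/brange.php
2025-08-01T09:01:00Z 10.0.0.7 GET https://notaitd.one/brange.php
2025-08-01T09:01:02Z 10.0.0.7 GET https://aitd.one.example.com/bainit.php
2025-08-01T09:02:00Z 10.0.0.9 POST https://SCAN.AITD.ONE/
""".splitlines()

if __name__ == "__main__":
    for client, counts in sorted(scan(SAMPLE).items()):
        print(client, counts)
```

A client that shows a device-location beacon followed by repeated screenshot uploads matches the install-then-page-load pattern described above and is a candidate for an extension inventory check.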
The company behind the development of FreeVPN.One has not been explicitly named in the available sources. However, security researchers from Koi Security revealed that the extension, despite its popularity and positive reviews, secretly took screenshots of users' browsing activity and sent them to the developer without consent.
It was asserted that screenshots are only analyzed briefly and not stored, but this cannot be verified once the data leaves users' devices. Sensitive and personal information is collected and exfiltrated by FreeVPN.One, posing a significant concern for its users' privacy.
The website mentioned on the FreeVPN.One application's information on the Chrome Web Store was not accessible at the time of writing. The developer's explanations for the extension's behaviour failed to align with the researchers' observations, further fuelling suspicions about the extension's true intentions.
Meanwhile, the low-cost Initial Access Broker market is being exploited by cybercriminals, and FreeVPN.One appears to be one such example. The Onavo VPN product, analysed by cybersecurity YouTuber Addie LaMarr, was exposed for its spyware capabilities, having reportedly monitored Snapchat and other competing startups.
As users continue to rely on VPN services for privacy and security, it is crucial to be vigilant and choose trusted providers. The case of FreeVPN.One serves as a stark reminder of the need for transparency and accountability in the digital world.