Chrome VPN extension spies on users and takes screenshots

📟 News

Date: 23/08/2025

Researchers at Koi Security warn that the behavior of the popular Chrome extension FreeVPN.One has recently changed. It has begun secretly taking screenshots of users’ activity and sending them to a remote server.

“The FreeVPN.One case illustrates how a privacy-protection product can turn into a trap,” the researchers write. “The extension’s developers have verified status, and the extension was even featured in Chrome Web Store recommendations. And although Chrome says it checks the safety of new extension versions through automated scanning, manual reviews, and monitoring for malicious code and behavioral changes, the point is that none of these measures helped. This case shows that even with such safeguards in place, dangerous extensions can slip through, and it underscores serious security gaps in major stores.”

At the time the researchers’ report was published, the extension had over 100,000 installations and was still available in the Chrome Web Store.

Experts report that after a recent update, FreeVPN.One began secretly taking screenshots — roughly one second after each page loads. The screenshots are then sent to a remote server (at first they were transmitted in plaintext, and after yet another update — in encrypted form).

Researchers claim that the extension’s behavior changed in July 2025. Before that, the developers “paved the way” with smaller updates that requested additional permissions to access all sites and inject custom scripts. Around the same time, the extension also introduced some sort of AI-powered threat detection.
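The pattern described above (broad host access plus script injection added in "preparatory" updates, then new behaviour on every page load) is something a defender can screen for in the extension manifest itself. The following is an added example, not code from the article, from Koi Security, or from FreeVPN.One: it audits a Chrome extension `manifest.json` for the risky permission combination and reports which permissions a new version added relative to the previous one. Both manifests in it are constructed for illustration; the permission names (`host_permissions`, `<all_urls>`, `scripting`, `tabs`, `webNavigation`, `activeTab`) are standard Manifest V3 keys.

```javascript
// Added example (not the article's or FreeVPN.One's code): flag the permission
// pattern the article describes in a Chrome extension manifest and report the
// permissions an update added. Manifests below are constructed, not real ones.

const RISKY = {
  "<all_urls>": "host access to every site the user visits",
  "scripting": "can inject scripts into any page it has host access to",
  "tabs": "can read the URL and title of every open tab",
  "webNavigation": "is notified of every page load (a natural per-page trigger)",
  "activeTab": "gets full access to the current tab after a user gesture",
};

// Wildcard host patterns such as "*://*/*" are as broad as <all_urls>.
const WILDCARD_HOST = /^(\*|https?):\/\/\*\/\*$/;

// Both MV3 lists matter: API permissions and host permissions.
function collectPermissions(manifest) {
  return [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
}

// Returns { severity, findings } for one manifest.
function auditManifest(manifest) {
  const findings = [];
  for (const p of collectPermissions(manifest)) {
    if (RISKY[p]) {
      findings.push({ permission: p, why: RISKY[p] });
    } else if (WILDCARD_HOST.test(p)) {
      findings.push({ permission: p, why: "wildcard host pattern, equivalent to <all_urls>" });
    }
  }
  const broadHosts = findings.some(
    (f) => f.permission === "<all_urls>" || WILDCARD_HOST.test(f.permission)
  );
  const injects = findings.some((f) => f.permission === "scripting");
  // Broad host access combined with script injection is the combination the
  // article says was requested in the updates that preceded the new behaviour.
  const severity = broadHosts && injects ? "high" : findings.length ? "medium" : "low";
  return { severity, findings };
}

// Permissions present in newManifest but absent from oldManifest, in order.
function permissionDelta(oldManifest, newManifest) {
  const before = new Set(collectPermissions(oldManifest));
  return collectPermissions(newManifest).filter((p) => !before.has(p));
}

// Constructed sample: an older version with narrow permissions and an update
// that broadened them to all sites plus script injection.
const OLD_MANIFEST = {
  manifest_version: 3, name: "Example VPN (constructed)", version: "1.0",
  permissions: ["proxy", "storage"],
  host_permissions: [],
};
const NEW_MANIFEST = {
  manifest_version: 3, name: "Example VPN (constructed)", version: "1.1",
  permissions: ["proxy", "storage", "scripting", "tabs", "webNavigation"],
  host_permissions: ["<all_urls>"],
};

function main() {
  console.log("audit of new version:", JSON.stringify(auditManifest(NEW_MANIFEST), null, 2));
  console.log("permissions added by update:", permissionDelta(OLD_MANIFEST, NEW_MANIFEST));
}
main();
```

In practice `OLD_MANIFEST` and `NEW_MANIFEST` would be read from the installed extension directory before and after an update (on desktop Chrome, under the profile's `Extensions/<id>/<version>/manifest.json`); a jump from "low" to "high" severity, or any non-empty delta containing `<all_urls>` or `scripting`, is the signal worth reviewing before the update is allowed in a managed fleet.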

Reporters from The Register asked the FreeVPN.One developers to comment on the situation. They replied that their extension “fully complies with the Chrome Web Store policies, and any functionality related to taking screenshots is disclosed in the privacy policy.”

“All collected data is encrypted and processed in accordance with standard practices for browser extensions. We are committed to transparency and user privacy and invite you to review our documentation for more details,” the developers said.

In response to Koi Security’s allegations, the creators of FreeVPN.One stated that screenshots are taken as part of the background scanning feature and only if “a domain appears suspicious.” The company also said that the screenshots “are not saved or used,” and are only “briefly analyzed for potential threats.”

Researchers disproved this by demonstrating that screenshots are taken continuously, including on trusted domains such as Google’s own.

At the same time, the product description does indeed mention “advanced AI threat detection” that runs in the background and “constantly monitors the sites you view and scans them visually if you visit a suspicious page.” However, it does not clarify that “visual scanning” means continuously taking screenshots and sending them to a remote server without the user’s knowledge.
