Chrome VPN Extension Exposed as Spyware Capturing User Data and Screenshots
A popular Chrome VPN extension with more than 100,000 installs and a verified badge has been revealed as a highly sophisticated spyware tool. Security researchers discovered that the extension secretly recorded screenshots and exfiltrated sensitive user data without consent.
The extension, identified as FreeVPN.One, posed as a legitimate privacy tool while embedding hidden surveillance functions that contradicted its stated privacy protections. Despite being promoted on the Google Chrome Web Store with featured placement and a verified status, it was designed with backdoor mechanisms that logged every webpage a user visited.
Operating under the guise of online security, the extension used a deceptive two-stage framework to monitor browsing sessions, stealing sensitive data such as banking credentials, personal chats, corporate documents, and private communications. According to Koi.Security analysts, this transformation began in April 2025, when its developers pushed updates that expanded permissions to enable large-scale data collection.
Researchers highlighted that the verified badge made the threat more dangerous, as users trusted the extension for online privacy, unaware it was functioning as spyware. The campaign is said to affect users worldwide, with stolen screenshots containing financial details, business data, and personal information being funneled to servers controlled by threat actors.
Technical Breakdown and Stealth Mechanisms
The extension’s malicious activity relies on a content script injection system deployed across all HTTP and HTTPS websites. Once a page loads, a delay of 1.1 seconds ensures full rendering before screenshots are taken. The background service worker then executes the chrome.tabs.captureVisibleTab() API to capture screenshots and transmit them to a remote server (aitd[.]one/brange.php) along with page URLs and unique identifiers.
To avoid detection, the spyware employs AES-256-GCM encryption with RSA key wrapping, making it extremely difficult for traditional network defenses to spot the malicious activity. Its permission requirements, including <all_urls>, tabs, and scripting, grant it extensive monitoring capabilities far beyond what is necessary for a normal VPN extension.
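The permission set and API usage described above can be checked on any unpacked extension. The following is an added example, not code from the article or from the extension itself: it reviews a Manifest V3 manifest for the all-sites/tabs/scripting combination the article calls out and scans script text for the screenshot API and the exfiltration host it names. The sample manifest and script fragment are constructed inputs for illustration.

```python
import re

# Permission combination the article calls out as excessive for a VPN extension.
ALL_SITES = {"<all_urls>", "http://*/*", "https://*/*"}
CAPTURE_PERMS = {"tabs", "scripting"}
# Source-code indicators tied to the described behaviour: the screenshot API
# and the exfiltration host named in the article (used only for matching).
CODE_INDICATORS = {
    "screenshot_api": re.compile(r"chrome\.tabs\.captureVisibleTab\s*\("),
    "exfil_host": re.compile(r"aitd\.one/brange\.php"),
}


def review_manifest(manifest):
    """Return findings for a Manifest V3 manifest dict (empty list = nothing flagged)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | (perms & ALL_SITES)
    if hosts & ALL_SITES:
        findings.append("host access to every site")
    if hosts & ALL_SITES and CAPTURE_PERMS <= perms:
        findings.append("all-sites access plus 'tabs' and 'scripting': can inject and screenshot any page")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & ALL_SITES:
            findings.append("content script injected on every site: " + ", ".join(cs.get("js", [])))
    return findings


def review_source(js_source):
    """Return the names of CODE_INDICATORS that match in the given script text."""
    return [name for name, rx in CODE_INDICATORS.items() if rx.search(js_source)]


# Constructed sample input modelled on the article's description (not the real extension's files).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample VPN",
    "permissions": ["tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SAMPLE_BACKGROUND_JS = (
    "setTimeout(() => chrome.tabs.captureVisibleTab(null, {format: 'png'}, send), 1100);\n"
    "const ENDPOINT = 'https://aitd.one/brange.php';\n"
)
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Sample", "permissions": ["storage"],
                   "host_permissions": ["https://vpn.example/*"]}

if __name__ == "__main__":
    for f in review_manifest(SAMPLE_MANIFEST) + review_source(SAMPLE_BACKGROUND_JS):
        print("FLAG:", f)
```

Point it at a real extension by loading its manifest.json with `json.load` and reading its service worker and content scripts into `review_source`; a benign VPN extension should produce no findings from the permission check.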
Security experts warn that the extension effectively transforms a user’s browser into an intelligence-gathering hub, with full access to personal, financial, and professional data—all without user knowledge or consent.