Security researchers at Koi Security have found that FreeVPN.One, a popular Chrome VPN extension with over 100,000 installations, has begun secretly capturing users' screenshots and transmitting them to remote servers.
Threat discovery
The extension, which had maintained legitimate functionality for years, changed its behavior in July 2025 and began silently capturing a screenshot approximately one second after each page load. These screenshots are then transmitted to external servers, initially unencrypted and, after later updates, obfuscated with encryption. The malicious behavior was introduced gradually through smaller updates that first requested additional permissions to access all websites and inject custom scripts.
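An added example (not code from Koi Security's research or from the extension itself): the gradual permission escalation described above can be caught by diffing each update's manifest against the previous version and flagging new all-site access or script injection. The two manifests, the vpn.example host and the scan.js file name are constructed for illustration.

```javascript
// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect what a manifest grants: API permissions, host patterns
// (MV3 host_permissions, or host patterns mixed into MV2 permissions)
// and the match patterns of declared content scripts.
function grants(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const isHost = (p) => p === "<all_urls>" || p.includes("://");
  return {
    apis: new Set(perms.filter((p) => !isHost(p))),
    hosts: new Set(perms.filter(isHost)),
    injected: new Set((manifest.content_scripts || []).flatMap((c) => c.matches || [])),
  };
}

// Entries present after the update that were absent before it.
const added = (before, after) => [...after].filter((x) => !before.has(x)).sort();

function permissionDrift(oldManifest, newManifest) {
  const a = grants(oldManifest);
  const b = grants(newManifest);
  const newApis = added(a.apis, b.apis);
  const newHosts = added(a.hosts, b.hosts);
  const newInjected = added(a.injected, b.injected);
  return {
    newApis, newHosts, newInjected,
    // The update newly reaches all websites.
    broadHostAccess: [...newHosts, ...newInjected].some((h) => BROAD_HOSTS.has(h)),
    // The update can newly run its own scripts inside pages.
    scriptInjection: newApis.includes("scripting") || newInjected.length > 0,
  };
}

// Constructed sample manifests for two consecutive versions.
const v1 = { manifest_version: 3, version: "1.0.0",
  permissions: ["proxy", "storage"], host_permissions: ["https://api.vpn.example/*"] };
const v2 = { ...v1, version: "1.1.0",
  permissions: ["proxy", "storage", "tabs", "scripting"],
  host_permissions: ["https://api.vpn.example/*", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["scan.js"] }] };

const report = permissionDrift(v1, v2);
if (report.broadHostAccess || report.scriptInjection) {
  console.log("REVIEW update", v1.version, "->", v2.version, JSON.stringify(report));
}
```

Run over the unpacked manifest.json of each installed version, a check like this surfaces an update for manual review before the new capability is used.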
Developer's response
When confronted, FreeVPN.One's developer claimed the extension "is fully compliant with Chrome Web Store policies" and that screenshot functionality is disclosed in their privacy policy. The developer provided various justifications, including that screenshots only trigger "if a domain appears suspicious" as part of "background scanning".
However, Koi researchers refuted this, providing evidence of activation on trusted domains including Google's own sites.
The developer also claimed screenshots are "not being stored or used" but "only analyzed briefly for potential threats"—a distinction researchers found unconvincing.
Chrome Web Store failures
This incident highlights significant security gaps in Google's Chrome Web Store review process. Despite Google's claims of performing security checks through automated scans, human reviews, and monitoring for malicious behavior changes, FreeVPN.One managed to maintain its verified status and featured placement while conducting these activities.
The extension appears to have taken a patient approach, operating legitimately for years before introducing malicious functionality, which effectively bypassed security measures. While the product overview mentions "advanced AI Threat Detection" with "passive mode" monitoring, it fails to clearly state that "scanning them visually" means sending screenshots to remote servers without notification or opt-out options.
Current status
As of the article's publication, Google had not responded to inquiries about investigating the extension or removing it from the Chrome Web Store. The FreeVPN.One extension remained active and available for download despite the security findings, raising concerns about user protection in browser marketplaces.
This case demonstrates how privacy-branded extensions can become surveillance tools, exploiting user trust while bypassing platform security measures.