FreeVPN.One Exposed as Spyware in Chrome Web Store

FreeVPN.One, a Chrome extension with over 100,000 installs and a verified badge, marketed itself as a privacy tool. Research now shows it silently captures screenshots of user activity, exfiltrates sensitive information, and disguises surveillance as a security feature.

Background

FreeVPN.One appeared to be a trusted VPN extension, promoted by Google with verified status and featured placement. In reality, the extension secretly monitored users by capturing screenshots of browsing activity and transmitting them to remote servers without consent.


How Surveillance Works

The extension injects scripts into every website visited, waiting 1.1 seconds after load before triggering a hidden screenshot capture. These images are paired with URLs, device data, and unique identifiers, then sent to aitd[.]one servers. A supposed 'AI Threat Detection' feature further masks this surveillance, presenting it as a one-time scan while ongoing monitoring continues in the background.


Data Collected

Screenshots, page URLs, device information, IP-based geolocation data, personal communications, financial details, and private images are collected. This data is uploaded over encrypted channels (AES-256-GCM with RSA wrapping) to evade detection, making network monitoring ineffective.


Version History and Escalation

  • v3.0.3 (April 2025): Added a permission granting access to every website visited.
  • v3.1.1 (June 2025): Introduced 'AI Threat Detection,' expanded content scripts across all websites, and added scripting permission.
  • v3.1.3 (July 2025): Enabled silent screenshot capture, device fingerprinting, and exfiltration to aitd[.]one.
  • v3.1.4 (July 2025): Implemented AES-256 encryption to conceal surveillance activity.

Privacy and Security Risks

The extension requests excessive permissions (access to every website, tabs, scripting), enabling persistent surveillance. Screenshots may expose passwords, banking details, corporate documents, personal photos, and private conversations. Despite claiming not to collect data, the extension operates as spyware.
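
A defender-side check for the escalation pattern in the version history and the permission set listed above, added here as an example and not taken from the extension or the cited research: it diffs two manifest versions and flags an update that gains all-site access, all-site content scripts, or the all-sites + tabs + scripting combination. The two manifests, `scan.js` and `api.vpn.example` are constructed for illustration; `<all_urls>` is Chrome's match pattern for every site.

```javascript
// Added example. Both manifests below are constructed, not the extension's files.
// '<all_urls>' is Chrome's match pattern for every site; the others are near-equivalents.
const BROAD = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const hasBroad = (list) => list.some((p) => BROAD.has(p));

// Flatten what a Manifest V2 or V3 file grants (V2 keeps hosts in "permissions").
function grants(manifest) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return { perms: new Set(perms), allSites: hasBroad(perms), injectsEverywhere: hasBroad(matches) };
}

// Report what an update added and whether the result is the combination
// the article describes: every site, plus tabs, plus scripting.
function auditUpdate(oldManifest, newManifest) {
  const before = grants(oldManifest);
  const after = grants(newManifest);
  const added = [...after.perms].filter((p) => !before.perms.has(p)).sort();
  const findings = [];
  if (after.allSites && !before.allSites) findings.push('host access widened to every site');
  if (after.injectsEverywhere && !before.injectsEverywhere) {
    findings.push('content scripts now injected on every site');
  }
  if (after.allSites && after.perms.has('tabs') && after.perms.has('scripting')) {
    findings.push('all-sites + tabs + scripting combination present');
  }
  return { added, findings, review: findings.length > 0 };
}

// Constructed sample: a proxy-only release followed by an update that widens scope.
const sampleOld = {
  manifest_version: 3,
  permissions: ['proxy', 'storage'],
  host_permissions: ['https://api.vpn.example/*'],
};
const sampleNew = {
  manifest_version: 3,
  permissions: ['proxy', 'storage', 'tabs', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['scan.js'] }],
};

console.log(auditUpdate(sampleOld, sampleNew));
```

Running the same comparison on each extension update before it reaches managed browsers lets a permission jump be held for review; `optional_permissions` are not covered here.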


Developer Claims vs Reality

The developer argued that background scanning only activates for suspicious domains and data is not stored, but independent analysis confirmed constant surveillance on trusted services such as Google Sheets and Photos. The developer failed to provide transparency or corporate legitimacy, with contact details linking to a placeholder Wix page.


Wider Implications

This case demonstrates how malicious extensions bypass Chrome Web Store’s automated and manual review processes. Even verified and featured extensions can compromise sensitive user data. Security experts warn that enterprises must address risks of third-party extensions that operate with elevated privileges.


Protecting Privacy

The exposure of FreeVPN.One underscores the importance of carefully vetting browser extensions and avoiding untrusted third-party software. For stronger personal and enterprise privacy protection, sign up for Reklaim Protect to reduce risks from unauthorized data collection and surveillance online.

Source: https://www.koi.security/blog/spyvpn-the-vpn-that-secretly-captures-your-screen?utm_source=tldrinfosec