Chrome VPN extension FreeVPN.One allegedly captured screenshots of users' browsing, researchers say
Koi Security reports the extension silently took images of visited pages and sent them to developer-controlled servers before Google removed it from the Chrome Web Store
Security researchers say a Chrome browser extension marketed as a free VPN silently captured screenshots of users' browsing sessions, including sensitive pages such as bank logins, personal photos and documents, and transmitted those images to servers controlled by the extension's developer.
Koi Security published findings that the extension, FreeVPN.One, had more than 100,000 installs and had carried a "Featured" designation on the Chrome Web Store. The researchers said the extension took screenshots of every website a user visited after it was installed, using browser permissions and scripting capabilities that gave it access to all pages opened in Chrome. The activity was reportedly introduced while the extension presented itself as offering an "AI Threat Detection" or "Background Scanning" feature.
Koi Security said its tests captured screenshots taken on trusted Google services such as Google Photos and Google Sheets, behavior that the extension's developer did not explain satisfactorily. The developer claimed the screenshots were part of an automated scanning feature intended to flag suspicious domains and that images were not stored, only briefly analyzed, but offered no evidence to support that assertion. When asked to provide verification of a legitimate company profile, code repository or professional contact information, the developer reportedly stopped responding; the only public link tied to the extension led to a basic Wix starter page.
Google removed FreeVPN.One from the Chrome Web Store after the report. Attempts to view the extension's listing now return an "This item is not available" message. Koi Security noted that the extension was not listed in other browser stores such as Microsoft Edge, and the removal of the Chrome listing reduces the risk of new installs but does not address any data that may already have been collected.
Researchers described how the extension gained expanded rights over time by adding permissions in stages rather than requesting full access up front, a tactic that can make intrusive behavior harder for users and reviewers to spot. That approach, coupled with an apparent claim of using AI for threat detection, illustrates how labels and feature descriptions can be used to obscure surveillance-oriented functionality.
Privacy and security experts emphasize that browser extensions, particularly free VPNs and similar privacy tools, can be high-risk if their business model is unclear. Many free services need a revenue source; when that source is not transparent subscription fees or audits by independent firms, monetizing user data becomes a plausible alternative. Extensions that request access to "all websites" or other broad permissions present particular cause for scrutiny, researchers said.
Users who installed FreeVPN.One or other suspicious extensions are advised to remove them immediately and to consider that content viewed or typed while the extension was active may have been captured. Running a reputable antivirus or endpoint scanner can help detect related malware. Changing passwords and enabling multifactor authentication on accounts accessed while the extension was installed can limit the damage from potential credential exposure. Using VPN services operated by transparent, audited companies with clear privacy policies reduces reliance on anonymous or free offerings that lack accountability.
Security researchers also point to the broader challenge for platform operators: extensions can remain available and even carry visibility markers for months before problematic behavior is detected, and staged permission requests can allow harmful capabilities to be introduced after initial review. The FreeVPN.One case underscores the need for continuous monitoring and stronger review of extensions that request expansive access or claim to use AI-based features to scan user content.
The removal of FreeVPN.One from the Chrome Web Store addresses immediate distribution but does not erase the potential that images and data taken while the extension was active were transmitted and retained. Users concerned about exposure to data-brokers or malicious actors should consider services that help locate and remove personal information from broker sites and should monitor accounts for unusual activity.
Google and other browser vendors continue to update extension review processes and security tooling in response to such incidents. For individual users, vigilance when installing extensions, careful review of requested permissions, and preference for well-known, auditable security services remain the most practical defenses against extensions that trade on the promise of privacy while performing covert surveillance.