Legitimate Chrome VPN Extension with Over 100,000 Installs Found Capturing Screenshots and Exfiltrating Sensitive Data

A Chrome VPN extension, FreeVPN.One, boasting over 100,000 installations and a verified badge on the Chrome Web Store, has been identified as sophisticated spyware. This extension clandestinely captures user screenshots and exfiltrates sensitive data without user consent.

Initially presented as a legitimate privacy tool, FreeVPN.One covertly implemented extensive surveillance capabilities that starkly contradict its advertised privacy assurances. Despite its featured placement and verified status, the extension incorporated backdoor functionalities, capturing screenshots of every webpage visited by users.

Operating under the guise of providing privacy protection, the extension employs a deceptive two-stage architecture that silently monitors user activity across all browsing sessions. This includes capturing sensitive information such as banking credentials, personal communications, and private documents.

Analysts from Koi.Security observed that the extension’s transformation from a legitimate VPN service to spyware occurred through a series of calculated updates beginning in April 2025. These updates introduced broad permissions that enabled comprehensive data collection capabilities.

Security researchers have expressed significant concern over this development, given the extension’s verified status and widespread adoption among privacy-conscious users. The surveillance campaign impacts users globally, with captured screenshots containing sensitive corporate data, financial information, and personal communications being transmitted to remote servers controlled by the threat actors.

The extension’s privileged position within users’ browsers enables unrestricted access to all browsing activity, creating a comprehensive intelligence-gathering operation that operates entirely without user knowledge or consent.

Technical Implementation and Evasion Mechanisms

The extension implements its surveillance capabilities through a sophisticated content script injection system that automatically deploys across all HTTP and HTTPS websites using the broad `matches: ["http://*/*", "https://*/*"]` pattern.

Upon page load initialization, the malicious code executes a precisely timed delay mechanism:

```javascript
// Content script: wait 1.1 s after page load, then ask the background service worker to capture the tab
setTimeout(() => {
  chrome.runtime.sendMessage({action: 'captureViewport'});
}, 1100);
```

This code waits exactly 1.1 seconds after page initialization before triggering screenshot capture, ensuring complete page rendering for maximum data quality.

The background service worker receives the `captureViewport` message and executes the actual screenshot capture using Chrome’s privileged `chrome.tabs.captureVisibleTab()` API. Captured images are automatically transmitted to `aitd[.]one/brange.php` alongside page URLs, tab identifiers, and unique user tracking codes.

Recent versions implement AES-256-GCM encryption with RSA key wrapping to obfuscate data transmission, making network-based detection significantly more challenging. This encryption layer masks the continuous screenshot exfiltration while maintaining the extension’s surveillance capabilities, demonstrating the threat actors’ commitment to persistence and detection evasion.

The extension’s permission structure requires ``, `tabs`, and `scripting` permissions, creating a comprehensive surveillance framework that extends far beyond legitimate VPN functionality requirements and enables complete user activity monitoring.

Broader Implications and Similar Incidents

This incident is not isolated. There have been multiple instances where malicious Chrome extensions have compromised user security:

– Malicious Chrome VPN Extensions Installed 1.5 Million Times Hijack Browsers: A campaign involved fake VPN extensions like netPlus for Chrome and netSave/netWin for Edge, amassing 1.5 million downloads. These extensions hijacked browser activity, disabled competing cash-back extensions, and installed additional malicious extensions. ([cybersecuritynews.com](https://cybersecuritynews.com/malicious-chrome-vpn-extensions/?utm_source=openai))

– 100+ Malicious Chrome Extensions Attacking Users to Exfiltrate Login Credentials & Execute Remote Code: Over 100 malicious Chrome extensions targeted users worldwide, appearing legitimate while secretly connecting to attacker-controlled servers to steal sensitive data and execute arbitrary code. ([cybersecuritynews.com](https://cybersecuritynews.com/100-malicious-chrome-extensions-attacking-users/?utm_source=openai))

– Weaponized Chrome Extension Affects 1.7 Million Users Despite Google’s Verified Badges: Eleven seemingly legitimate browser extensions, all carrying Google’s verified badge, infected over 1.7 million Chrome users. These extensions delivered promised functionalities while implementing sophisticated surveillance and hijacking capabilities. ([cybersecuritynews.com](https://cybersecuritynews.com/weaponized-chrome-extension/?utm_source=openai))

– Beware of Free VPNs that Install Malicious Botnets: The 911 S5 botnet utilized several free VPN services to build a malicious network spanning 19 million unique IP addresses across over 190 countries. Users who installed these free VPN apps unknowingly turned their devices into proxy servers, channeling someone else’s traffic. ([cybersecuritynews.com](https://cybersecuritynews.com/beware-of-free-vpns/?utm_source=openai))

– Hackers Hijacked 16 Chrome Extensions to Inject Malicious Code: A massive phishing campaign compromised at least 35 Google Chrome extensions, collectively used by approximately 2.6 million users, injecting malicious code to steal sensitive information. ([cybersecuritynews.com](https://cybersecuritynews.com/hackers-hijacked-16-chrome-extensions/amp/?utm_source=openai))

– 40+ Malicious Chrome Extensions Mimic Popular Brands to Steal Sensitive Data: Over 40 malicious Chrome browser extensions masqueraded as trusted brands to steal sensitive user data, representing a significant escalation in browser-based attacks. ([cybersecuritynews.com](https://cybersecuritynews.com/malicious-chrome-extensions-mimic-as-popular-chrome-brands/?utm_source=openai))

– Dark Partner Hackers Using Fake AI, VPN & Crypto Sites to Attack macOS & Windows Users: A sophisticated campaign targeted both macOS and Windows users through meticulously crafted fake websites mimicking popular AI tools, VPN services, and cryptocurrency platforms. ([cybersecuritynews.com](https://cybersecuritynews.com/dark-partner-hackers-using-fake-ai-vpn-crypto-sites/?utm_source=openai))

– 35 Google Chrome Extensions Hacked to Inject Malicious Code: A massive phishing campaign compromised at least 35 Google Chrome extensions, injecting malicious code to steal sensitive information from unsuspecting victims. ([cybersecuritynews.com](https://cybersecuritynews.com/35-google-chrome-extensions-hacked/amp/?utm_source=openai))

– New Supply Chain Attack Targeting Chrome Extensions to Inject Malicious Code: A supply chain attack targeted Chrome extensions to inject malicious code, primarily targeting Facebook Business users to harvest API keys, session cookies, access tokens, account information, and ad account details. ([cybersecuritynews.com](https://cybersecuritynews.com/new-supply-chain-attack-targeting-chrome-extensions/?utm_source=openai))

Recommendations for Users

Given the increasing prevalence of malicious Chrome extensions, users are advised to:

1. Regularly Audit Installed Extensions: Periodically review and assess the necessity and legitimacy of installed browser extensions.

2. Scrutinize Permissions: Carefully examine the permissions requested by extensions during installation. Be cautious of extensions requesting broad or unnecessary permissions.

3. Stay Informed: Keep abreast of cybersecurity news to be aware of compromised extensions and emerging threats.

4. Use Trusted Sources: Download extensions only from reputable sources and verify their authenticity through official channels.

5. Implement Security Measures: Utilize comprehensive security solutions that can detect and prevent malicious activities associated with browser extensions.

By adopting these practices, users can enhance their online security and mitigate the risks associated with malicious browser extensions.