When Free VPNs Turn Into Spies: Why FreeVPN.One Is a Cybersecurity Wake-Up Call

Many small businesses in Central and South Texas rely on free software to cut costs. However, sometimes the “free” tool is the most expensive mistake. A recent report revealed that FreeVPN.One, a free Chrome VPN extension, secretly captured screenshots of user activity and sent them to unknown servers. This is more than just shady coding; it’s a red-flag reminder of why vigilance about “free VPN” cybersecurity risks isn’t optional.

When Your “Privacy VPN” Is Actually Your Biggest Spy: Meet FreeVPN.One

Spyware in Disguise: What Happened?

Security researchers at Koi Security discovered that FreeVPN.One has been secretly recording information. Although it has a “Featured” and “Verified” badge in the Chrome Web Store, it captures screenshots of every single page you visit. This happens without your knowledge or consent. It has over 100,000 installs.

Here’s how it works:

  • The extension injected a content script into all HTTP and HTTPS sites.
  • About 1.1 seconds after a page loads, it quietly uses the chrome.tabs.captureVisibleTab() API to grab a snapshot.
  • Metadata such as URLs, tab IDs, device info, and your location are bundled with the image and sent off to remote servers (e.g. aitd.one), initially unencrypted, and later wrapped in AES-256-GCM encryption to avoid detection.

The feature advertised as “AI Threat Detection” claims to capture screenshots only when you click it. However, the real magic, which is actually spyware, was already operating in the background on all websites. This includes safe ones like Google Photos or Sheets.


Timeline to Disaster

  • April 2025 (v3.0.3): Extension quietly gains wide-reaching permissions like <all_urls>, but spying hadn’t started yet.
  • June 2025 (v3.1.1): Adds “AI Threat Detection” branding and scripting permissions.
  • July 17, 2025 (v3.1.3): Full-blown surveillance mode activated—screenshots, tracking, and device fingerprinting commence.
  • July 25, 2025 (v3.1.4): Encryption added to obfuscate data exfiltration. (CyberInsider)
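
The permission changes in this timeline are visible in an extension's manifest.json, so an update can be reviewed before it is trusted. The Python sketch below is an added example, not code from Koi Security's report or from the extension; the two sample manifests and the finding names are constructed for illustration. It flags the combination described above: <all_urls> host access, content scripts matching every site, and the scripting permission.

```python
import json

# Match patterns that cover every HTTP and HTTPS site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return findings for the permission pattern the article describes."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 lists host patterns separately; V2 mixes them into "permissions".
    hosts = (perms | set(manifest.get("host_permissions", []))) & BROAD
    findings = []
    if "<all_urls>" in hosts:
        # Chrome documents captureVisibleTab as needing <all_urls> or activeTab;
        # activeTab requires a user gesture, <all_urls> does not.
        findings.append("all_urls_host_access")
    if any(BROAD & set(cs.get("matches", []))
           for cs in manifest.get("content_scripts", [])):
        findings.append("content_script_on_every_site")
    if "scripting" in perms and hosts:
        findings.append("runtime_injection_on_every_site")
    return findings

def new_findings(old_manifest, new_manifest):
    """Findings introduced by an update, for review before the update is trusted."""
    old = set(audit_manifest(old_manifest))
    return [f for f in audit_manifest(new_manifest) if f not in old]

# Constructed sample manifests (not the real extension's files).
OLD = json.loads("""{
  "manifest_version": 3, "name": "Example VPN", "version": "1.0.0",
  "permissions": ["proxy", "storage"]
}""")
NEW = json.loads("""{
  "manifest_version": 3, "name": "Example VPN", "version": "1.1.0",
  "permissions": ["proxy", "storage", "tabs", "scripting"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    for finding in new_findings(OLD, NEW):
        print("new in update:", finding)
```

A finding here means the extension is able to behave as described, not that it does; it marks which extensions and updates deserve a closer look.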

Developer’s Excuses—Or Just Bad PR?

The developer’s defense? The screenshot feature is for “Background Scanning” and should only activate on “suspicious” domains. However, Koi’s evidence shows it’s used indiscriminately, on banking sites, company docs, and even personal feeds.

They also say screenshots aren’t stored but merely analyzed briefly. Unfortunately, there’s no way for users or researchers to independently verify this. All communication ceased when Koi pressed for proof of legitimacy. The sole trail is a Wix-based page with zero corporate presence.


What You Should Do Right Now

  1. If you have FreeVPN.One installed: uninstall it immediately. (tomsguide.com, TechRadar, CSO Online)
  2. Run a trusted antivirus or anti-malware scan.
  3. Change passwords for any sites you accessed while the extension was active, just to be safe. (The Scottish Sun, The Register, TechRadar)
  4. Next time you consider a free VPN, choose one that’s transparent, audited, and doesn’t pretend to protect your privacy while betraying it.

Why This Isn’t Just About One Bad VPN

FreeVPN.One’s “featured” label and apparent legitimacy exposed serious cracks in Chrome Web Store vetting. It’s a cautionary tale that even approved extensions can turn nasty. (The Register)

As Tom’s Guide puts it, not all free VPNs are your friends. Proton VPN Free, for instance, is open-source, audited, and transparent. It throttles after a data cap. (tomsguide.com)


As the old tech adage goes: “If it’s free, you are the product.” In this case, FreeVPN.One turned your browsing history into their buffet. Let’s do better. Use respected tools. Stay alert. Always keep a side-eye on the apps that promise privacy while prying into your life.

