FreeVPN.One, a featured Chrome extension with a verified badge and more than 100,000 installs, was found silently capturing users’ screens and sending the images and metadata to a remote server, security researchers warn. The extension received several quiet updates this year that introduced screen capture and data harvesting features without clear user notice.
Koi Security disclosed the findings after analyzing the extension’s behavior. The extension carries more than 1,000 ratings and averages 3.8 stars. At the time of the report it remained available on the Chrome Web Store.
Featured Extension with Verified Badge and More Than 100,000 Installs
The extension’s store listing and verified badge helped it appear trustworthy to many users. The spying activity began on July 17, 2025, shortly before a surge in VPN adoption tied to new UK age verification rules. Koi Security noted the timing coincided with increased user interest in VPNs.
“Most people turn to a VPN for one reason: privacy,” the Koi Security researchers said. “FreeVPN.One looked like a safe choice. But once it’s in your browser, it’s not working to keep you safe, it’s continuously watching you.”
Background Screenshot Capture, Data Collected, and Transmission Methods
Koi Security reports that when a page loads, the extension captures a screenshot in the background and uploads it together with the page URL, a tab ID number, and a unique user identifier. The uploads occur with no visible UI prompt to the user.
“No user action, no UI hint, the screenshots are taken in the background without you ever knowing,” the report reads.
The researchers found the extension also collects IP geolocation and device information. The data is encoded in Base64 for transit. In the most recent builds the developer added AES-256-GCM encryption with RSA key wrapping to obscure the payload while it moves to the third-party server.
Koi Security emphasized the sensitivity of the images. “Screenshots can sweep up passwords, banking details, personal messages, and any sensitive data rendered on your screen. These images are then uploaded to a third-party server separate from the VPN provider, an exfiltration path entirely opposed with what a privacy tool should do,” the report says.
How the Spying Worked and Permission Changes Timeline
The permissions FreeVPN.One requested contrast with what simple VPN functions need. For proxy functionality, a VPN requires proxy and local storage permissions. FreeVPN.One requested far broader scope, including access to all URLs, tabs, and scripting privileges.
Koi Security traced the permission escalation across updates this year:
- April 2025: Added <all_urls> permission enabling access to any website the user visits
- June 2025: Added expanded scripting permissions presented as a security upgrade
- July 17, 2025: Background screenshot capture behavior observed in the wild
Researchers say the changes allowed the extension to run scripts on loaded pages, capture rendered content, and perform uploads without user interaction.
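A defender-side check for the staged escalation described above, as an added example (not Koi Security's tooling and not the extension's code): it walks a history of manifests and reports each release that adds permissions beyond a proxy-and-storage baseline. The manifests and version labels are constructed, and mapping the article's wording to Chrome's `proxy`, `storage`, `tabs`, `scripting` and `<all_urls>` names is an assumption.

```javascript
// Added example: flag permission growth across extension updates.
// Baseline the article gives for a proxy-only VPN (Chrome API names assumed).
const VPN_BASELINE = new Set(["proxy", "storage"]);
// Broad grants the article says FreeVPN.One requested.
const HIGH_RISK = new Set(["<all_urls>", "tabs", "scripting"]);

// Host patterns that cover every site are treated as <all_urls>.
function normalize(p) {
  return /^(\*|https?):\/\/\*\/\*$/.test(p) ? "<all_urls>" : p;
}

// Everything a manifest requests, across MV2 and MV3 fields.
function requested(manifest) {
  const scriptHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const all = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
    ...scriptHosts,
  ];
  return new Set(all.map(normalize));
}

// Report each version that adds something outside the baseline.
function permissionDrift(history) {
  const findings = [];
  let prev = new Set();
  for (const { version, manifest } of history) {
    const cur = requested(manifest);
    const added = [...cur].filter((p) => !prev.has(p) && !VPN_BASELINE.has(p)).sort();
    if (added.length > 0) {
      findings.push({ version, added, risky: added.filter((p) => HIGH_RISK.has(p)) });
    }
    prev = cur;
  }
  return findings;
}

// Constructed manifests (not the extension's real files); versions are placeholders.
const HISTORY = [
  { version: "sample-1", manifest: { permissions: ["proxy", "storage"] } },
  { version: "sample-2", manifest: { permissions: ["proxy", "storage"], host_permissions: ["*://*/*"] } },
  { version: "sample-3", manifest: { permissions: ["proxy", "storage", "tabs", "scripting"],
      host_permissions: ["<all_urls>"] } },
];

console.log(JSON.stringify(permissionDrift(HISTORY), null, 2));
```

Run against the unpacked manifests of successive releases, the same function shows which update introduced each broad grant, which is the review a silent update otherwise skips.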
“Scan With AI Threat Detection” Feature and Hidden Behavior
The extension advertises a “Scan with AI Threat Detection” function that uploads screenshots and URLs when a user clicks a “check URL” control. Koi Security found that the extension did not limit uploads to explicit user actions. Instead the background capture ran independently and at scale, so users who never clicked the scan button still had multiple screenshots taken and transmitted.
Technical Details of Data Encoding and Encryption
The captured payloads were observed encoded in Base64. The most recent versions of the extension then wrapped the data using AES-256-GCM with RSA key wrapping. The layered encoding and encryption obscured the contents in transit and made them harder to inspect in network logs.
Researchers also noted that screenshots were sent to a server separate from the VPN provider. That separation means data left the privacy context users expect from a VPN extension.
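Why the later builds are harder to inspect, as an added example (not code from the extension or from the report): a content check that a TLS-inspecting proxy could apply finds an image header in a Base64-only body but nothing in an AES-256-GCM envelope with an RSA-wrapped key. The envelope layout, the OAEP padding and the sample image bytes are assumptions made for the demonstration.

```javascript
const crypto = require("node:crypto");

// File signatures for the two common screenshot formats.
const MAGIC = {
  png: Buffer.from([0x89, 0x50, 0x4e, 0x47]),
  jpeg: Buffer.from([0xff, 0xd8, 0xff]),
};

// Content check: Base64-decode a request body and look for an image header.
function imageTypeInBody(body) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) return null;
  const raw = Buffer.from(body, "base64");
  for (const [type, magic] of Object.entries(MAGIC)) {
    if (raw.subarray(0, magic.length).equals(magic)) return type;
  }
  return null;
}

// Envelope of the kind the article describes: AES-256-GCM for the data,
// RSA wrapping the AES key (OAEP padding and field order are assumed).
function seal(plaintext, publicKey) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" },
    key
  );
  return Buffer.concat([wrappedKey, iv, cipher.getAuthTag(), ciphertext]).toString("base64");
}

// Constructed sample: PNG signature plus filler bytes standing in for a screenshot.
const SAMPLE_PNG = Buffer.concat([
  MAGIC.png, Buffer.from([0x0d, 0x0a, 0x1a, 0x0a]), Buffer.alloc(64, 1),
]);
const { publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Apply the same check to both transport forms.
function compare() {
  return {
    base64Only: imageTypeInBody(SAMPLE_PNG.toString("base64")),
    sealed: imageTypeInBody(seal(SAMPLE_PNG, publicKey)),
  };
}

console.log(compare()); // { base64Only: 'png', sealed: null }
```

Once the body is sealed, content rules have nothing to match; what stays visible to a monitor is metadata such as the destination host, the request size and its timing relative to page loads.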
Developer Response and Researcher Verification
The extension’s terms of service and privacy policy do not list a named developer, only a generic contact email. Koi Security attempted to contact the developer and received explanations that did not match the observed behavior.
The developer claimed that automatic screenshot capture is part of a Background Scanning feature that should only trigger when a domain appears suspicious. Koi Security reported that screenshots were captured on trusted services such as Google Sheets and Google Photos, domains that cannot be considered suspicious in normal use.
When researchers requested proof of the feature’s legitimacy, such as a company profile, GitHub repository, or LinkedIn presence, the developer ceased communication, the report says.
Store Presence, Ratings, and Context
Despite the verified badge and thousands of installs, the extension’s rating does not reflect the hidden capture behavior. Koi Security’s disclosure shows how a featured extension can introduce invasive functions through staged permission changes and silent updates. The extension remained available on the Chrome Web Store at the time of the report.
Implications of Persistent Screen Capture by Privacy Tools
Koi Security’s analysis highlights a core contradiction: a tool marketed for privacy performing persistent surveillance. The capture of full-screen images plus URLs and device identifiers creates a large exfiltration surface. The use of robust encryption for data in transit and scripting permissions for page access makes the behavior harder to detect.
The report documents the sequence of permission additions and feature changes that enabled the behavior and notes the lack of transparent developer identity and clear policy disclosures.