Extensions in Google Chrome can be quite useful to extend the functionality of the browser, or even just have plain fun. VPN extensions have always been popular in the Chrome Web Store, but have seen another surge in usage following the announcement of the UK"s age verification laws. While VPNs are generally meant to preserve anonymity while working around geographical boundaries, it can be extremely problematic if such a tool is actually used to spy on you. This is exactly what is happening in a VPN extension for Chrome with hundreds of thousands of users.
A blog published by Koi Security explains how the FreeVPN.One extension in Chrome is breaching the trust of its customers. Perhaps the most problematic way it is doing so is that it is secretly capturing screenshots as users move from one web page to the next. These screenshots are taken through a sophisticated mechanism that does not give the user any hints about what is happening.
Screen grabs are captured exactly 11 seconds after a page loads, which ensures that content has been fully rendered with potentially sensitive information before it is practically stolen. Although the extension does disclose that will take a screenshot of your page and upload it to a server for a scan if you utilize the AI Threat Detection feature, it periodically takes snapshots even if you don"t use this particular capability.
Koi Security additionally claims that the extension requires excessive permissions, and it queries location and device details on startup and sends them to a server too. The security team says that while FreeVPN.One initially started out as a harmless extension, the developer began integration of malicious code in April 2025. Most recently, version 3.1.4 released on July 25, even deploys AES-256 encryption to stolen data in transit to make it difficult to identify what"s being transmitted.
When Koi Security reached out to the developer of FreeVPN.One, he said that the automatic screenshots are taken for suspicious domains only as a part of the Background Scanning feature. However, it was noticed that snapshots are captured even for mainstream domains like Google Photos and Google Sheets. The developer also emphasized that the feature is enabled by default for now, but will be disabled in a future update. He additionally claimed that screenshots are not retained or sold for monetary benefits, but when asked to provide proof, he stopped responding to emails.
This is a particularly worrying incident especially since FreeVPN.One is featured by Google on the web store and even touts a "verified" badge. It seemingly has over a hundred thousand users, which calls into question Google"s evaluation practices for extension submissions. It"s a major breach of trust that went unnoticed for months by Google, and emphasizes the need for downloading software only from trusted vendors.