Koi Security experts warn that the behavior of the popular Chrome extension FreeVPN.One has recently changed. It has begun secretly capturing screenshots of users’ activity and transmitting them to a remote server.
“The FreeVPN.One case illustrates how a privacy-protecting product can turn into a trap,” the researchers wrote.
“The extension’s developers are verified, and the extension has even been recommended by the Chrome Web Store. And while Chrome claims to check the security of new extension versions through automatic scanning, manual reviews, and monitoring for malicious code and behavioral changes, in reality, none of these measures have helped. This case demonstrates that, even with such protections in place, malicious extensions can bypass them and highlights serious security gaps in major stores.”
At the time of the researchers’ report, the extension had more than 100,000 installations and was still available in the Chrome Web Store.
Experts say that after the latest update, FreeVPN.One began secretly taking screenshots about a second after each page loaded. The screenshots are then sent to a remote server (initially transmitted in clear text, and then encrypted after a further update).
Researchers say that the extension’s behavior changed in July 2025. Before then, developers had “prepared the groundwork” with minor updates that required additional permissions to access all sites and implement custom scripts.
It was also around this time that the extension introduced some sort of AI-based threat detection.
The Register asked the developers of FreeVPN.one for comment on the situation. They responded that their extension “is fully compliant with Chrome Web Store policies, and any screenshot-taking functionality is described in the privacy policy.” They added, “All collected data is encrypted and processed according to standard browser extension practices. We are committed to transparency and user privacy and encourage you to read our documentation for more details,” the developers said.
In response to Koi Security’s accusations, the creators of FreeVPN.one stated that screenshots are taken as part of the background scanning feature and only “if the domain appears suspicious.” The company also said that screenshots are “not saved or used,” but only “briefly analyzed for potential threats.”
Researchers refuted this assumption by showing that screenshots are constantly being taken, even when visiting trusted domains, including Google’s own.
The product description mentions “advanced AI threat detection” that runs in the background and “constantly monitors the websites you visit and visually scans them if you visit a suspicious page.” However, it doesn’t specify that “visual scanning” means constantly taking screenshots and sending them to a remote server without the user’s knowledge.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
