When a 'free' VPN costs you dearly: Security experts warn popular Chrome extension spies on you

A security firm has warned about a free VPN extension for Google's Chrome browser which is spying on those who've been unfortunate enough to install the add-on.

2

This is FreeVPN.One, and the worrying thing is that as Koi Security - which offers a platform for managing self-provisioned software for enterprises - points out in a blog post (flagged by Neowin), this extension not only has over 100K users, alongside 1,100 mostly positive reviews, but it's featured by Google (for "following recommended practices").

I'm betting, though, that a recommended practice isn't secretly taking screenshots of every website the Chrome user visits, and then sending those grabs back to the app developer.

Koi observes that:

"FreeVPN.One looked like a safe choice. But once it's in your browser, it's not working to keep you safe, it's continuously watching you."

The extension even waits for 11 seconds, seemingly to ensure the web page is fully rendered, before taking the screenshot - a pause that allows for all potentially sensitive details to have come up on-screen.

Threat Detection excuse

Obviously, this all looks incredibly suspicious - well, beyond that - but in fact the developer did provide reasons for the screenshotting activity when Koi contacted him.

The explanation being the introduction of an 'AI Threat Detection' system that led to a 'Background Scanning' feature whereby if a domain seemed suspicious, it'd be screenshotted (apparently for analysis and determining if it really was a threat). However, Koi found that: "In practice, we saw screenshots being captured on trusted services like Google Sheets and Google Photos, domains that cannot be considered suspicious."

When the security firm questioned the developer about what happened to the screen grabs, he claimed they were not stored or used by him, just analyzed briefly - but of course that can't be verified.

Then Koi asked for "evidence of legitimacy" like a company profile, GitHub or LinkedIn page, but at this point the developer stopped responding to emails. So, all in all, it looks like FreeVPN.One is indeed a spyware tool, and the person behind it is likely heading into hiding.

It wasn't always that way, mind you. Koi has a timeline of the changes that turned what was originally a simple VPN extension - with no nastiness - into a surveillance package, with tweaks to the extension made slowly over the course of June and July 2025.

A Chrome extension being flipped from a good to bad piece of software in this way is a common 'long con' tactic for scammers. They might keep the add-on available in the Chrome store for a long time as a genuinely useful extension, building up a reputation and a ton of positive reviews - before they flick the switch and turn it into something nefarious.

The irony here is, of course, that a VPN is supposed to protect your privacy and anonymity, whereas in the case of this extension, it was doing the exact opposite. And, despite the widespread reports now circulating about FreeVPN.One, it's still available on the Chrome store (at the time of writing, anyway).

Hopefully it won't take much longer for Google to catch on and take action, but this is a clear lesson in being cautious about putting trust in browser extensions. As ever, you're wise to be wary, particularly if the add-on in question doesn't come from a brand or company you recognize.