While they’re useful, browser extensions can also require a lot of access to what you do in your browser. And if your worst nightmare is having a third-party tool take screenshots of your browsing and send them off to a third-party company, I have bad news for you.
A “Featured” Chrome Extension Is Snooping on You
Koi Security has published a report on how the Chrome extension FreeVPN.One abuses Chrome’s extension permission system to take constant screenshots of your browsing. And this isn’t some random extension that was uploaded last week and has no users. Its Chrome Web Store page boasts over 100,000 installs, a Featured badge, and a checkmark assuring that “The publisher has a good record with no history of violations”.
Once installed, this extension goes to work capturing data in the background without making you aware that it’s doing this. Every time you load a page, it silently takes a screenshot while also capturing data about the page you’re on, like the URL and any identifiers unique to you. It then ships this info off to a server that the extension developer controls.
While it started as only a VPN, the extension has since added “AI Threat Detection” to its offering. This provides a page where you can paste any URL, and AI will (ostensibly) analyze whether it’s safe. The privacy policy for this page does mention that it will upload a screenshot, but makes no mention of the screenshots being taken constantly in the background.
The Monitoring Increased Over Time
The Koi Security report explains how this didn’t happen all at once. The FreeVPN.One extension has been around for a while, with reviews going back to at least 2020. However, the tracking behavior didn’t start until April 2025. That’s when the extension was updated to request access to all URLs you visit—a far greater permission than a VPN should need.
In June 2025, the extension received another update that added the aforementioned “AI Threat Detection” tool, along with another permission to inject scripts. This scanner was likely added as a pretext for the screenshot capture and upload. Then, on July 17, 2025, the extension received another update with full spying capabilities. On July 25, another update added encryption of the exported data, making it harder to notice what was going on.
The folks from Koi reached out to the developer, but his claims don’t add up. He claimed that screenshots should only trigger on suspicious sites, but the Koi team saw screenshots captured on well-known domains like Google Photos.
He stated that screenshots are not stored, but there’s no way to prove this. And he stopped responding when they asked for proof that any of this was tied to a legitimate company. The developer’s contact email on the Chrome extension page points to a generic Wix starter page.
We’ve seen many times how Chrome extensions can become a threat—even those that were once legitimate. And while it’s ridiculous that this spyware is currently “Featured” on the Chrome Web Store, there are lessons to take away that will help you avoid similar situations in the future.
First, be vigilant about permissions when installing Chrome extensions. When you click Add to Chrome, you’ll see a pop-up letting you know what permissions it requires. Think about what that extension might need to do the job it’s promising. In this case, there’s no need for a VPN to manage your extensions and change data on all websites.
Second, it’s always wise to do a quick scan of the material associated with apps or extensions you consider downloading. The Overview for this extension has numerous bits of awkward wording and poor grammar, including “chrome” and “ip” being lowercase.
And its statement “Free VPN is unlimited and completely free for anyone to use” is a huge red flag. While legitimate free VPNs are fine to use, all VPNs need to make money somehow. No VPN provider can offer its services for free, forever. Like “lifetime” VPN offers, this is either a sign that the VPN provider is new and naïve, or that they have malicious intentions.
The website for this VPN is also incredibly basic; you’d expect more than an amateurish design for something that’s been around for years. While small-time developers aren’t going to have impressive sites that rival major companies, they’ll often at least have a GitHub page, a contact page, or something that shows they aren’t developing in complete secrecy.
Vet the browser extensions you use carefully, and don’t trust random free VPNs that have no ties to real companies. There are enough well-known VPNs available that you should never open yourself to risk by installing one of these.
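To put the permission advice above into practice, here is an added example (not code from Koi Security's report or from the extension) that reads an extension's manifest.json, lists the broad permissions it declares, and flags any that an update introduced, the pattern described in the timeline above. The two manifests are constructed for a hypothetical "Example VPN"; the permission names are standard Chrome ones and the reason strings are this example's own wording.

```python
import json

# Chrome API permissions that grant broad access (reasons are this example's wording).
RISKY_API = {
    "scripting": "can inject scripts into pages",
    "tabs": "can read the URL and title of every tab",
    "management": "can manage your other extensions",
}
# Host match patterns that cover every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risky_permissions(manifest_text):
    """Return {permission: reason} for broad grants in a manifest.json string."""
    m = json.loads(manifest_text)
    # Manifest V3 keeps host patterns in host_permissions; V2 mixes them into permissions.
    declared = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    for script in m.get("content_scripts", []):
        declared += script.get("matches", [])
    found = {}
    for p in declared:
        if not isinstance(p, str):  # skip non-string entries some manifests contain
            continue
        if p in BROAD_HOSTS:
            found[p] = "can read and change data on all websites"
        elif p in RISKY_API:
            found[p] = RISKY_API[p]
    return found


def escalation(old_manifest, new_manifest):
    """Broad permissions present in the update but not in the previous version."""
    old, new = risky_permissions(old_manifest), risky_permissions(new_manifest)
    return {p: why for p, why in new.items() if p not in old}


# Constructed manifests for a hypothetical VPN extension, not taken from any real one.
V1 = json.dumps({"manifest_version": 3, "name": "Example VPN", "version": "1.0",
                 "permissions": ["proxy", "storage"]})
V2 = json.dumps({"manifest_version": 3, "name": "Example VPN", "version": "2.0",
                 "permissions": ["proxy", "storage", "tabs", "scripting"],
                 "host_permissions": ["<all_urls>"]})

if __name__ == "__main__":
    for perm, why in escalation(V1, V2).items():
        print(f"NEW in update: {perm} ({why})")
```

Feed it the text of a manifest.json saved before an update and the one installed after it; anything it reports is a permission worth questioning against what the extension claims to do.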