A recent cybersecurity investigation has uncovered alarming details about FreeVPN.One, a so-called free Chrome VPN extension that secretly spied on over 100,000 users. Despite carrying Google’s Featured badge, which typically signals compliance with best practices, the extension was caught capturing screenshots, URLs, and geolocation data without user consent.
According to security researchers at Koi, FreeVPN.One automatically took a screenshot 1.1 seconds after loading any webpage. Each image, along with the page URL, tab ID, and a unique user identifier, was sent to the developer’s remote server. This surveillance happened quietly in the background, bypassing user awareness.
What makes this case more alarming is how the spyware was disguised under a legitimate-sounding feature called “Scan with AI Threat Detection.” While the privacy policy vaguely mentioned the possibility of transmitting some page snapshots to “secure servers,” researchers confirmed that the extension captured every visited page—even trusted services like Google Sheets and Google Photos.
Beyond screenshots, FreeVPN.One began collecting geolocation and device information in its recent updates. Using AES-256-GCM encryption with RSA keys, the extension made it difficult for users and researchers to detect the flow of stolen data. Koi’s report noted that the spyware activity escalated in April, when the extension’s permissions expanded to cover all visited sites. The critical date was July 17, when mass screenshotting and location tracking officially began.
When confronted, the lone developer initially denied wrongdoing, claiming screenshots were only triggered on suspicious domains. However, Koi presented irrefutable evidence showing otherwise. After being asked for proof of legitimacy—such as a corporate profile or verified GitHub account—the developer ceased communication. The only remaining contact trail is a basic Wix website created with a free template.
Despite the exposure, FreeVPN.One remains available on the Chrome Web Store, holding a 3.7-star rating. Its review section has now filled with angry user complaints citing the investigation. The fact that an extension with spyware behavior still holds Google’s Featured endorsement raises urgent questions about Chrome Web Store’s vetting process.
Conclusion: This case reinforces the cybersecurity warning that “free” often comes at a hidden cost. While many users seek free VPNs for privacy, FreeVPN.One exploited that trust to compromise sensitive information. As the scandal unfolds, experts stress the importance of vetting security tools and relying only on trusted providers. Chrome users are advised to uninstall FreeVPN.One immediately and monitor their accounts for unusual activity.
