FreeVPN.One Chrome Extension Exposed for Screenshot Surveillance


Cyber Threat Radar

A widely installed Chrome extension called FreeVPN.One, boasting over 100,000 installs and a verified badge on the Chrome Web Store, has been exposed for secretly capturing and exfiltrating users’ on-screen activity.

According to researchers at Koi Security, this extension turns your browser into a surveillance tool — screenshotting every page you visit and uploading it to attacker-controlled servers.

FreeVPN.One, marketed as a privacy-enhancing VPN, does the opposite. The tool silently captures full-page screenshots, along with sensitive metadata such as page URLs, tab identifiers, and user IDs. This data is transmitted to a domain controlled by the developer — aitd[.]one — without any user interaction or visible notification.

Researchers found that this behavior began with version 3.1.3 of the extension and escalated further in version 3.1.4, which introduced encryption (AES-256-GCM with RSA key wrapping) to obscure the exfiltrated data from detection tools. This deliberate obfuscation makes it harder for network monitoring systems to flag or block the malicious activity.

The extension’s spying activity is structured in two stages:

  • A content script is injected into every HTTP and HTTPS page the user visits.
  • A background service worker listens for a “captureViewport” signal and initiates screenshot capture.


This process starts automatically just 1.1 seconds after a web page loads — before any interaction takes place. That means personal messages, financial dashboards, photos, and other confidential information are captured the moment they appear on-screen.

Misleading Features and Developer Evasion

FreeVPN.One’s developer claims the screenshot feature is part of a “background scan” for security purposes. However, Koi Security documented that screenshots were taken on trusted websites like Google Sheets and banking portals — environments where this feature offers no legitimate protection.

The extension also includes a feature labeled “AI Threat Detector” which, when clicked, captures another full-page screenshot and sends it to a remote server for “analysis.” This UI function appears to be a decoy — as the background surveillance is already well underway long before the user clicks anything.

When pressed for transparency — such as company credentials or code repositories — the developer initially responded to Koi Security’s questions but then ceased communication. The only trace of legitimacy appears to be a generic Wix website (phoenixsoftsol.com) that lacks any verifiable company information.

At the time of writing, the extension remains available on the Chrome Web Store, maintaining its verified status.

Why FreeVPN.One Matters for the Broader Cybersecurity Community

This is not a breach in the traditional sense — no one hacked into FreeVPN.One. But it serves as a chilling reminder of how easily legitimate-seeming tools can be weaponized by insiders or bad actors posing as developers. The surveillance capabilities enabled by browser permissions and APIs — particularly Chrome’s captureVisibleTab — should not be underestimated.

Whether by design or through later manipulation, FreeVPN.One evolved from a VPN helper to a silent surveillance platform:

  • It intercepts sensitive user activity across all websites
  • Encrypts the stolen data for stealthy exfiltration
  • Bypasses traditional detection by using native browser functions


Most users would never suspect a VPN extension to be the source of a privacy violation. This is precisely what makes FreeVPN.One so dangerous — and why this report is gaining attention across the security industry.

SentryBay’s Response to Screen-Based Surveillance Risks

“Whilst not a data breach, it’s a textbook example of how these mechanisms can be exploited,” said Brent Agar, VP Corporate Development & Strategic Partnerships, SentryBay. “A single screenshot might be brushed off. But in the hands of a threat actor, that mechanism can enable mass visual data capture – silently and continuously. At SentryBay, we highlight the importance of securing endpoints against this exact type of risk – not just from external threats, but from insider vulnerabilities introduced through unmanaged extensions and excessive permissions. Browser-level protection is no longer optional – it’s essential.”

This kind of visual exfiltration is no longer theoretical. AI-powered malware now routinely uses OCR (Optical Character Recognition) to scan screenshots, extracting sensitive text and converting it to structured JSON. Names, financial records, IDs, health data — all are at risk.

SentryBay’s Armored Client addresses this directly. It neutralizes screen capture malware by blacking out the visual layer at the system level, making OCR-based attacks useless. By combining this with keystroke encryption and proactive endpoint defense, Armored Client protects global enterprises from exactly these emerging threats.

In an era where on-screen content is as valuable — and vulnerable — as stored files, real protection means defending the endpoint before data can be seen, captured, or stolen.