Skip to content
Sudonix

From VPN to Spyware: The FreeVPN.One Chronicles

Blog
6 3 1.1k 1
  • phenomlabundefined

    From VPN to Spyware: The FreeVPN.One Chronicles

    The Turning Point

    FreeVPN.One began its life as a popular Chrome VPN extension. With over 100,000 installs and even a verified badge on the Chrome Web Store, it seemed legitimate. Privacy-conscious users trusted it for secure browsing—until now. Recent research has revealed a disturbing transformation: what was once a tool cloaked in privacy is now an invasive surveillance tool.

    The Spyware Mechanism

    A forensic investigation by Koi Security uncovered a chilling reality: the extension automatically takes full-page screenshots of every website a user visits. This includes sensitive content like personal messages, banking dashboards, and private photos. Here’s how it works:

    • Utilizing Chrome’s chrome.tabs.captureVisibleTab() API, the extension silently snaps screenshots behind the scenes.
    • Screenshots are bundled with metadata—like URLs, tab IDs, and unique user identifiers—and exfiltrated to a remote server aitd.one/brange.php without your consent or awareness.

    Timeline of the Betrayal

    Koi Security outlined a telling progression:

    Date Version Behavior
    April 2025 v3.0.3 Requests new permissions; no spying yet
    June 2025 v3.1.1 AI Threat Detection” branding; broader web access
    17 July 2025 v3.1.3 Spyware becomes active: screenshots, location tracking, device fingerprinting begin
    25 July 2025 v3.1.4 Exfiltration encrypted (uses AES-256‑GCM with RSA key wrapping) to evade detection tools

    Developer’s Excuses—and the Harsh Reality

    The extension’s developer has tried to play it off as a “security scan”, claiming screenshots are only taken as part of this process. According to them, data isn’t stored but merely analyzed by AI. However:

    • The screenshots encompass all sites—even innocuous ones like Google Sheets and banking portals.
    • The UI’s “AI Threat Detection” button is essentially a decoy, as screenshotting begins automatically, long before any user interaction.
    • Investigators found no legitimate company information tied to the publisher: the email leads to a bare Wix page with no corporate identity or transparency.
    • Communication from the developer stopped entirely after initial outreach.

    What Users Need to Know Now

    1. Act Immediately
      If you’ve used this extension:

      • Remove it from your browser immediately.
      • Change passwords for any sites accessed while the extension was active.

    2. Avoid Free VPN Extensions That Lack Transparency
      This case is, unfortunately, not unique. Many free VPNs use your data as a revenue source, selling logs or loading tracking scripts—even when they claim to protect your privacy.

    3. Prioritize Audited and Trusted Services
      Use VPNs with:

      • Strong privacy policies (e.g., audited ‘no‑logs’ claims).
      • Clear, reputable ownership and transparency.
      • Regular security audits.

    4. Be Cautious with Browser Extensions
      Even non‑VPN extensions can become attack vectors. Spy‑ware hidden in innocent‑looking add-ons is all too real.

    Final Thoughts

    FreeVPN.One turned from a convenient privacy tool into a dangerous spy tool in just a few months. This serves as a stark reminder: in the tech world, trust is hard-earned—but easily broken.

    • Free doesn’t always mean benign. When you don’t pay, sometimes you are the product.
    • Regularly audit your extensions. If something requests broad permissions or comes out of nowhere, it might not be worth the risk.
    • Invest in transparency. Opt for tools backed by reputable companies, audited code, and clear policies.

    Sources

    https://spyboy.blog/2025/02/25/the-hidden-dangers-of-free-vpns-why-free-often-comes-at-a-high-cost

    Mark
    Founder - Phenomlab Ltd

    Executive Technology & Security Leadership

    2
  • phenomlabundefined phenomlab

    From VPN to Spyware: The FreeVPN.One Chronicles

    The Turning Point

    FreeVPN.One began its life as a popular Chrome VPN extension. With over 100,000 installs and even a verified badge on the Chrome Web Store, it seemed legitimate. Privacy-conscious users trusted it for secure browsing—until now. Recent research has revealed a disturbing transformation: what was once a tool cloaked in privacy is now an invasive surveillance tool.

    The Spyware Mechanism

    A forensic investigation by Koi Security uncovered a chilling reality: the extension automatically takes full-page screenshots of every website a user visits. This includes sensitive content like personal messages, banking dashboards, and private photos. Here’s how it works:

    • Utilizing Chrome’s chrome.tabs.captureVisibleTab() API, the extension silently snaps screenshots behind the scenes.
    • Screenshots are bundled with metadata—like URLs, tab IDs, and unique user identifiers—and exfiltrated to a remote server aitd.one/brange.php without your consent or awareness.

    Timeline of the Betrayal

    Koi Security outlined a telling progression:

    Date Version Behavior
    April 2025 v3.0.3 Requests new permissions; no spying yet
    June 2025 v3.1.1 AI Threat Detection” branding; broader web access
    17 July 2025 v3.1.3 Spyware becomes active: screenshots, location tracking, device fingerprinting begin
    25 July 2025 v3.1.4 Exfiltration encrypted (uses AES-256‑GCM with RSA key wrapping) to evade detection tools

    Developer’s Excuses—and the Harsh Reality

    The extension’s developer has tried to play it off as a “security scan”, claiming screenshots are only taken as part of this process. According to them, data isn’t stored but merely analyzed by AI. However:

    • The screenshots encompass all sites—even innocuous ones like Google Sheets and banking portals.
    • The UI’s “AI Threat Detection” button is essentially a decoy, as screenshotting begins automatically, long before any user interaction.
    • Investigators found no legitimate company information tied to the publisher: the email leads to a bare Wix page with no corporate identity or transparency.
    • Communication from the developer stopped entirely after initial outreach.

    What Users Need to Know Now

    1. Act Immediately
      If you’ve used this extension:

      • Remove it from your browser immediately.
      • Change passwords for any sites accessed while the extension was active.

    2. Avoid Free VPN Extensions That Lack Transparency
      This case is, unfortunately, not unique. Many free VPNs use your data as a revenue source, selling logs or loading tracking scripts—even when they claim to protect your privacy.

    3. Prioritize Audited and Trusted Services
      Use VPNs with:

      • Strong privacy policies (e.g., audited ‘no‑logs’ claims).
      • Clear, reputable ownership and transparency.
      • Regular security audits.

    4. Be Cautious with Browser Extensions
      Even non‑VPN extensions can become attack vectors. Spy‑ware hidden in innocent‑looking add-ons is all too real.

    Final Thoughts

    FreeVPN.One turned from a convenient privacy tool into a dangerous spy tool in just a few months. This serves as a stark reminder: in the tech world, trust is hard-earned—but easily broken.

    • Free doesn’t always mean benign. When you don’t pay, sometimes you are the product.
    • Regularly audit your extensions. If something requests broad permissions or comes out of nowhere, it might not be worth the risk.
    • Invest in transparency. Opt for tools backed by reputable companies, audited code, and clear policies.

    Sources

    https://spyboy.blog/2025/02/25/the-hidden-dangers-of-free-vpns-why-free-often-comes-at-a-high-cost

    Madchatthewundefined

    @phenomlab I have never used this, but this is excellent info and won’t even be looking at it. Thanks for this!

    1
  • Madchatthewundefined Madchatthew

    @phenomlab I have never used this, but this is excellent info and won’t even be looking at it. Thanks for this!

    phenomlabundefined

    @Madchatthew No problems.

    Mark
    Founder - Phenomlab Ltd

    Executive Technology & Security Leadership

    0
  • DownPWundefined

    With rare exceptions, if it’s free, either you’re the product or it’s no good 🙂

    PW and WS Spirit alive

    phenomlabundefined Madchatthewundefined 2 Replies
    2
  • DownPWundefined DownPW

    With rare exceptions, if it’s free, either you’re the product or it’s no good 🙂

    phenomlabundefined

    @DownPW in this case, you’d definitely be the product!

    Mark
    Founder - Phenomlab Ltd

    Executive Technology & Security Leadership

    👍 🤣
    2
  • DownPWundefined DownPW

    With rare exceptions, if it’s free, either you’re the product or it’s no good 🙂

    Madchatthewundefined

    @DownPW said in From VPN to Spyware: The FreeVPN.One Chronicles:

    With rare exceptions, if it’s free, either you’re the product or it’s no good 🙂

    Yeah, you got that right!

    0
Log in to reply

Related Topics