From VPN to Spyware: The FreeVPN.One Chronicles
-
From VPN to Spyware: The FreeVPN.One Chronicles
The Turning Point
FreeVPN.One began its life as a popular Chrome VPN extension. With over 100,000 installs and even a verified badge on the Chrome Web Store, it seemed legitimate. Privacy-conscious users trusted it for secure browsing—until now. Recent research has revealed a disturbing transformation: what was once a tool cloaked in privacy is now an invasive surveillance tool.
The Spyware Mechanism
A forensic investigation by Koi Security uncovered a chilling reality: the extension automatically takes full-page screenshots of every website a user visits. This includes sensitive content like personal messages, banking dashboards, and private photos. Here’s how it works:
- Utilizing Chrome’s
chrome.tabs.captureVisibleTab()API, the extension silently snaps screenshots behind the scenes. - Screenshots are bundled with metadata—like URLs, tab IDs, and unique user identifiers—and exfiltrated to a remote server
aitd.one/brange.phpwithout your consent or awareness.
Timeline of the Betrayal
Koi Security outlined a telling progression:
Date Version Behavior April 2025 v3.0.3 Requests new permissions; no spying yet June 2025 v3.1.1 “AI Threat Detection” branding; broader web access 17 July 2025 v3.1.3 Spyware becomes active: screenshots, location tracking, device fingerprinting begin 25 July 2025 v3.1.4 Exfiltration encrypted (uses AES-256‑GCM with RSA key wrapping) to evade detection tools Developer’s Excuses—and the Harsh Reality
The extension’s developer has tried to play it off as a “security scan”, claiming screenshots are only taken as part of this process. According to them, data isn’t stored but merely analyzed by AI. However:
- The screenshots encompass all sites—even innocuous ones like Google Sheets and banking portals.
- The UI’s “AI Threat Detection” button is essentially a decoy, as screenshotting begins automatically, long before any user interaction.
- Investigators found no legitimate company information tied to the publisher: the email leads to a bare Wix page with no corporate identity or transparency.
- Communication from the developer stopped entirely after initial outreach.
What Users Need to Know Now
-
Act Immediately
If you’ve used this extension:- Remove it from your browser immediately.
- Change passwords for any sites accessed while the extension was active.
-
Avoid Free VPN Extensions That Lack Transparency
This case is, unfortunately, not unique. Many free VPNs use your data as a revenue source, selling logs or loading tracking scripts—even when they claim to protect your privacy. -
Prioritize Audited and Trusted Services
Use VPNs with:- Strong privacy policies (e.g., audited ‘no‑logs’ claims).
- Clear, reputable ownership and transparency.
- Regular security audits.
-
Be Cautious with Browser Extensions
Even non‑VPN extensions can become attack vectors. Spy‑ware hidden in innocent‑looking add-ons is all too real.
Final Thoughts
FreeVPN.One turned from a convenient privacy tool into a dangerous spy tool in just a few months. This serves as a stark reminder: in the tech world, trust is hard-earned—but easily broken.
- Free doesn’t always mean benign. When you don’t pay, sometimes you are the product.
- Regularly audit your extensions. If something requests broad permissions or comes out of nowhere, it might not be worth the risk.
- Invest in transparency. Opt for tools backed by reputable companies, audited code, and clear policies.
Sources
https://spyboy.blog/2025/02/25/the-hidden-dangers-of-free-vpns-why-free-often-comes-at-a-high-cost
Mark
Founder - Phenomlab LtdExecutive Technology & Security Leadership
- Utilizing Chrome’s
-
From VPN to Spyware: The FreeVPN.One Chronicles
The Turning Point
FreeVPN.One began its life as a popular Chrome VPN extension. With over 100,000 installs and even a verified badge on the Chrome Web Store, it seemed legitimate. Privacy-conscious users trusted it for secure browsing—until now. Recent research has revealed a disturbing transformation: what was once a tool cloaked in privacy is now an invasive surveillance tool.
The Spyware Mechanism
A forensic investigation by Koi Security uncovered a chilling reality: the extension automatically takes full-page screenshots of every website a user visits. This includes sensitive content like personal messages, banking dashboards, and private photos. Here’s how it works:
- Utilizing Chrome’s
chrome.tabs.captureVisibleTab()API, the extension silently snaps screenshots behind the scenes. - Screenshots are bundled with metadata—like URLs, tab IDs, and unique user identifiers—and exfiltrated to a remote server
aitd.one/brange.phpwithout your consent or awareness.
Timeline of the Betrayal
Koi Security outlined a telling progression:
Date Version Behavior April 2025 v3.0.3 Requests new permissions; no spying yet June 2025 v3.1.1 “AI Threat Detection” branding; broader web access 17 July 2025 v3.1.3 Spyware becomes active: screenshots, location tracking, device fingerprinting begin 25 July 2025 v3.1.4 Exfiltration encrypted (uses AES-256‑GCM with RSA key wrapping) to evade detection tools Developer’s Excuses—and the Harsh Reality
The extension’s developer has tried to play it off as a “security scan”, claiming screenshots are only taken as part of this process. According to them, data isn’t stored but merely analyzed by AI. However:
- The screenshots encompass all sites—even innocuous ones like Google Sheets and banking portals.
- The UI’s “AI Threat Detection” button is essentially a decoy, as screenshotting begins automatically, long before any user interaction.
- Investigators found no legitimate company information tied to the publisher: the email leads to a bare Wix page with no corporate identity or transparency.
- Communication from the developer stopped entirely after initial outreach.
What Users Need to Know Now
-
Act Immediately
If you’ve used this extension:- Remove it from your browser immediately.
- Change passwords for any sites accessed while the extension was active.
-
Avoid Free VPN Extensions That Lack Transparency
This case is, unfortunately, not unique. Many free VPNs use your data as a revenue source, selling logs or loading tracking scripts—even when they claim to protect your privacy. -
Prioritize Audited and Trusted Services
Use VPNs with:- Strong privacy policies (e.g., audited ‘no‑logs’ claims).
- Clear, reputable ownership and transparency.
- Regular security audits.
-
Be Cautious with Browser Extensions
Even non‑VPN extensions can become attack vectors. Spy‑ware hidden in innocent‑looking add-ons is all too real.
Final Thoughts
FreeVPN.One turned from a convenient privacy tool into a dangerous spy tool in just a few months. This serves as a stark reminder: in the tech world, trust is hard-earned—but easily broken.
- Free doesn’t always mean benign. When you don’t pay, sometimes you are the product.
- Regularly audit your extensions. If something requests broad permissions or comes out of nowhere, it might not be worth the risk.
- Invest in transparency. Opt for tools backed by reputable companies, audited code, and clear policies.
Sources
https://spyboy.blog/2025/02/25/the-hidden-dangers-of-free-vpns-why-free-often-comes-at-a-high-cost
@phenomlab I have never used this, but this is excellent info and won’t even be looking at it. Thanks for this!
- Utilizing Chrome’s
-
@phenomlab I have never used this, but this is excellent info and won’t even be looking at it. Thanks for this!
@Madchatthew No problems.
-
With rare exceptions, if it’s free, either you’re the product or it’s no good
PW and WS Spirit alive
-
@DownPW in this case, you’d definitely be the product!
Mark
Founder - Phenomlab LtdExecutive Technology & Security Leadership
-
@DownPW said in From VPN to Spyware: The FreeVPN.One Chronicles:
With rare exceptions, if it’s free, either you’re the product or it’s no good
Yeah, you got that right!
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login