From VPN to Spyware: The FreeVPN.One Chronicles
The Turning Point
FreeVPN.One began its life as a popular Chrome VPN extension. With over 100,000 installs and even a verified badge on the Chrome Web Store, it seemed legitimate. Privacy-conscious users trusted it for secure browsing—until now. Recent research has revealed a disturbing transformation: what was once a tool cloaked in privacy is now an invasive surveillance tool.
The Spyware Mechanism
A forensic investigation by Koi Security uncovered a chilling reality: the extension automatically takes full-page screenshots of every website a user visits. This includes sensitive content like personal messages, banking dashboards, and private photos. Here’s how it works:
- Utilizing Chrome’s `chrome.tabs.captureVisibleTab()` API, the extension silently snaps screenshots behind the scenes.
- Screenshots are bundled with metadata—like URLs, tab IDs, and unique user identifiers—and exfiltrated to a remote server `aitd.one/brange.php` without your consent or awareness.
Timeline of the Betrayal
Koi Security outlined a telling progression:
| Date | Version | Behavior |
| --- | --- | --- |
| April 2025 | v3.0.3 | Requests new permissions; no spying yet |
| June 2025 | v3.1.1 | “AI Threat Detection” branding; broader web access |
| 17 July 2025 | v3.1.3 | Spyware becomes active: screenshots, location tracking, device fingerprinting begin |
| 25 July 2025 | v3.1.4 | Exfiltration encrypted (uses AES-256‑GCM with RSA key wrapping) to evade detection tools |

Developer’s Excuses—and the Harsh Reality
The extension’s developer has tried to play it off as a “security scan”, claiming screenshots are only taken as part of this process. According to them, data isn’t stored but merely analyzed by AI. However:
- The screenshots encompass all sites—even innocuous ones like Google Sheets and banking portals.
- The UI’s “AI Threat Detection” button is essentially a decoy, as screenshotting begins automatically, long before any user interaction.
- Investigators found no legitimate company information tied to the publisher: the email leads to a bare Wix page with no corporate identity or transparency.
- Communication from the developer stopped entirely after initial outreach.
What Users Need to Know Now
- Act Immediately
  If you’ve used this extension:
  - Remove it from your browser immediately.
  - Change passwords for any sites accessed while the extension was active.
- Avoid Free VPN Extensions That Lack Transparency
  This case is, unfortunately, not unique. Many free VPNs use your data as a revenue source, selling logs or loading tracking scripts—even when they claim to protect your privacy.
- Prioritize Audited and Trusted Services
  Use VPNs with:
  - Strong privacy policies (e.g., audited ‘no‑logs’ claims).
  - Clear, reputable ownership and transparency.
  - Regular security audits.
- Be Cautious with Browser Extensions
  Even non‑VPN extensions can become attack vectors. Spy‑ware hidden in innocent‑looking add-ons is all too real.
Final Thoughts
FreeVPN.One turned from a convenient privacy tool into a dangerous spy tool in just a few months. This serves as a stark reminder: in the tech world, trust is hard-earned—but easily broken.
- Free doesn’t always mean benign. When you don’t pay, sometimes you are the product.
- Regularly audit your extensions. If something requests broad permissions or comes out of nowhere, it might not be worth the risk.
- Invest in transparency. Opt for tools backed by reputable companies, audited code, and clear policies.
Sources
https://spyboy.blog/2025/02/25/the-hidden-dangers-of-free-vpns-why-free-often-comes-at-a-high-cost
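
The extension audit recommended above, as an added example that is not part of the original post or of Koi Security's tooling: a Python sketch that walks a Chrome `Extensions` directory and flags extensions that declare broad host access or whose scripts reference the capture API and upload host named in the post. The function names and the sample extensions are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Strings named in the post: the capture API and the reported upload host.
INDICATORS = ("captureVisibleTab", "aitd.one")

def audit_extension(ext_dir):
    """Return findings for one unpacked extension version directory."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    perms = {p for p in declared if isinstance(p, str)}
    findings = [f"broad host access: {p}" for p in sorted(perms & BROAD_HOSTS)]
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        findings += [f"{js.relative_to(ext_dir).as_posix()}: references {s}"
                     for s in INDICATORS if s in text]
    return findings

def audit_profile(extensions_root):
    """Walk Chrome's on-disk layout: <root>/<extension id>/<version>/manifest.json."""
    report = {}
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        findings = audit_extension(manifest.parent)
        if findings:
            report[f"{manifest.parent.parent.name}/{manifest.parent.name}"] = findings
    return report

def build_sample(root):
    """Constructed sample: one benign extension, one matching the post's description."""
    samples = {
        "benignid/1.0_0": ({"permissions": ["storage"]}, "console.log('hi');"),
        "suspectid/3.1.3_0": ({"permissions": ["tabs"], "host_permissions": ["<all_urls>"]},
                              "chrome.tabs.captureVisibleTab(null, {}, () => {});"),
    }
    for rel, (manifest, js) in samples.items():
        d = Path(root) / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (d / "background.js").write_text(js, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(json.dumps(audit_profile(tmp), indent=2))
```

Point `audit_profile` at a real profile's `Extensions` folder to review installed extensions. A hit is a lead for manual review, since plain string matching misses obfuscated code and many legitimate extensions also request broad host access.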
-
@phenomlab I have never used this, but this is excellent info and won’t even be looking at it. Thanks for this!
-
@phenomlab I have never used this, but this is excellent info and won’t even be looking at it. Thanks for this!
@Madchatthew No problems.
-
With rare exceptions, if it’s free, either you’re the product or it’s no good

-
@DownPW in this case, you’d definitely be the product!
-
@DownPW said in From VPN to Spyware: The FreeVPN.One Chronicles:
With rare exceptions, if it’s free, either you’re the product or it’s no good

Yeah, you got that right!