The “Secure” Chrome VPN Extension That Secretly Spies On You

VPN extension with verified badge captured screenshots of 100,000+ users’ banking and private sites for months

By Al Landes

Key Takeaways

  • FreeVPN.One Chrome extension secretly photographed 100,000+ users’ banking and private sites
  • Extension gradually expanded permissions over three months before activating full surveillance
  • Google’s “Verified” badge failed to detect screenshot capture using Chrome’s API

Dead phone batteries during emergencies are dangerous, but having your privacy violated by the very tool meant to protect it? That’s exactly what happened to 100,000+ Chrome users who installed FreeVPN.One.

This wasn’t some sophisticated hack or data breach. FreeVPN.One, complete with Google’s coveted “Verified” badge, was photographing every website you visited. Banking portals, private messages, photo galleries — nothing escaped its digital lens.

The Screenshot Scam Hidden in Plain Sight

How a trusted VPN extension turned every web page into surveillance footage.

The technical mechanism was brutally simple yet devastatingly effective. Using Chrome’s chrome.tabs.captureVisibleTab() API, FreeVPN.One captured full-page screenshots within seconds of each page load. Your Wells Fargo login, your Instagram DMs, your Google Photos — all automatically photographed and shipped off to servers controlled by anonymous developers.

The extension even promoted an “AI Threat Detection” button that users could click for supposed security scans. Pure theater. The real surveillance was already running in the background on every site you touched.

A Masterclass in Gradual Permission Creep

The extension slowly expanded its reach over three months before activating full surveillance.

Like a Netflix series that gets progressively darker, FreeVPN.One’s evolution tells a chilling story:

  • April 2025 brought broader permissions but no active spying
  • June introduced the “AI Threat Detection” branding and expanded content scripts across all websites
  • July 17th flipped the switch — silent screenshot capture, location tracking, and device fingerprinting went live
  • Eight days later, they encrypted the data exfiltration, making detection nearly impossible

This wasn’t incompetence; it was calculated. While this malicious extension exploited system vulnerabilities, users facing various computer problems should stay vigilant about privacy threats from seemingly trusted sources.
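
The staged permission growth described above is visible to anyone who diffs an extension's manifest.json from one update to the next. The script below is an added example, not code from the article, the extension, or Koi Security; the release history is constructed, and the function names and finding labels are hypothetical. It relies on Chrome's documented rule that chrome.tabs.captureVisibleTab() needs either the "<all_urls>" or the "activeTab" permission.

```javascript
// Added example. Manifests are constructed samples, not FreeVPN.One's real files.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Gather granted permissions (MV2 keeps host patterns in "permissions",
// MV3 in "host_permissions") and the URL patterns content scripts run on.
function summarize(manifest) {
  const perms = new Set([...(manifest.permissions || []),
                         ...(manifest.host_permissions || [])]);
  const matches = new Set((manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []));
  return { perms, matches };
}

// chrome.tabs.captureVisibleTab() requires "<all_urls>" or "activeTab".
const canCapture = (s) => s.perms.has("<all_urls>") || s.perms.has("activeTab");

// Compare two manifest versions and report what the update newly gained.
function diffManifests(oldManifest, newManifest) {
  const a = summarize(oldManifest), b = summarize(newManifest);
  const addedPerms = [...b.perms].filter((p) => !a.perms.has(p));
  const addedMatches = [...b.matches].filter((p) => !a.matches.has(p));
  const findings = [];
  if (canCapture(b) && !canCapture(a)) findings.push("gains-screenshot-capability");
  if (addedPerms.some((p) => BROAD.has(p))) findings.push("gains-all-sites-host-access");
  if (addedMatches.some((p) => BROAD.has(p))) findings.push("content-scripts-on-all-sites");
  return { from: oldManifest.version, to: newManifest.version, addedPerms, addedMatches, findings };
}

// Walk a release history in order and keep only the updates that raised a finding.
function auditHistory(versions) {
  return versions.slice(1)
    .map((m, i) => diffManifests(versions[i], m))
    .filter((d) => d.findings.length > 0);
}

// Constructed release history for a hypothetical VPN extension.
const HISTORY = [
  { version: "1.0", permissions: ["proxy", "storage"],
    host_permissions: ["https://api.vpn.example/*"] },
  { version: "1.1", permissions: ["proxy", "storage", "tabs", "scripting"],
    host_permissions: ["https://api.vpn.example/*", "<all_urls>"] },
  { version: "1.2", permissions: ["proxy", "storage", "tabs", "scripting"],
    host_permissions: ["https://api.vpn.example/*", "<all_urls>"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["scan.js"] }] },
];

for (const d of auditHistory(HISTORY)) {
  console.log(`${d.from} -> ${d.to}: ${d.findings.join(", ")}`);
}
```

A finding marks an update for manual review rather than proving abuse, since many legitimate extensions hold the same permissions.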

When Privacy Tools Become Predators

The developer’s weak excuses crumbled under scrutiny from security researchers.

Caught red-handed by Koi Security researchers, the developer claimed screenshots were just part of “security scanning.” Yet the extension operated indiscriminately on Google Sheets and Google Photos — hardly malicious sites requiring protection.

No verifiable company presence existed, just a bare-bones Wix page with zero corporate details. When pressed for transparency about data handling, the developer went silent. Classic scammer behavior when the spotlight gets too bright.

Google eventually removed FreeVPN.One from the Chrome Web Store, but questions remain about how long this digital voyeurism operated undetected. If you installed this extension, remove it immediately and change passwords for any sensitive accounts accessed during its surveillance period, especially if you use password managers.

The brutal lesson? “Verified” badges mean nothing when the verification process can’t catch extensions that literally photograph your screen. Your privacy deserves better than blind trust in app store badges, and with emerging technologies like digital IDs expanding, protecting your personal data becomes even more critical.
