Store badges are not a safety net. Koi Security says a free Chrome VPN named FreeVPN.One captured screenshots of every site its users visited and sent them to remote servers. The extension carried Google Chrome Web Store Verified and Featured badges and had thousands of installs. Updates in July 2025 reportedly added the worst behavior, then shifted to avoid detection.
That combination matters. A VPN extension sits in your browser with broad visibility. If it phones home with images of your banking, health portals, and photo library, you face exposure that password changes cannot unwind. This case also shows how quickly a trusted-looking add-on can pivot and how slow store signals can be to catch it. If you rely on browser extensions for privacy or convenience, treat this as a warning. The risk sits one click away inside official stores.
How the Chrome VPN Extension Spied
Koi Security published research on the FreeVPN.One Chrome extension. The team reported that the extension takes a screenshot a few seconds after any page loads. It then transmits those images to external infrastructure for analysis. Researchers say scripts run to ensure capture quality. They observed screenshots from sensitive sites, including private photo libraries.
FreeVPN.One lists over 100,000 installs on the Chrome Web Store. It displayed both the Verified and Featured badges. The extension was marketed as a free unlimited VPN. Early versions focused on VPN functions. Koi Security says recent updates added screenshot collection and location tracking. Later July updates added measures to evade analysis while the screenshot behavior continued. The extension includes a feature named AI Threat Detection. That feature also takes and uploads screenshots for server-side checks. It discloses that behavior. Koi Security says the rest of the extension captures screenshots without clear disclosure.
The researchers contacted the developer. The developer replied that screenshots only occur on suspicious domains and that images are not stored. Koi Security reported captures from routine sites such as Google Photos, which conflicts with the suspicious-domain claim. The developer stopped responding to further questions, according to the security firm. TechRadar covered the findings and the store badge context, including how a verified and featured extension with over 100,000 users turned invasive after updates in July 2025, and why users should uninstall it now.
Separate coverage highlights the broad permissions FreeVPN.One requested, such as tabs and scripting, which enable code injection across sites, as detailed by Tom’s Hardware. The research did not confirm deletion or retention policies on the server side, only that screenshots were transmitted.
Why Screenshots Change the Risk
Screenshots turn vague telemetry into exact copies of your private life. A page image taken after login bypasses every comfort you rely on, from HTTPS to end-to-end encryption. It records what you saw in that moment. That can include bank balances, medical notes, private photos, chat threads, one-time codes, and QR codes. Koi Security also observed location and device details sent with a unique identifier, which links those images to you.
Claims about limited use or no storage do not help you verify what happens once the data lands on a remote server. At scale, optical character recognition can mine screenshots for names, numbers, and keywords. Password resets cannot delete a captured statement or a family photo that already left your laptop.
This also exposes a weak point in how we judge trust. A Chrome extension sits inside your browser with broad reach. One update can flip its behavior overnight with no new prompt. Store badges reward presentation and past reviews, not a continuing security audit. In this case the developer added encryption and moved servers, which makes network monitoring and consumer tools less likely to flag the traffic. You cannot expect antivirus or your ISP to catch a well-masked exfiltration stream. The harm arrives through an official listing and auto-updates while you go about normal browsing.
Free privacy tools bring a separate problem. A browser VPN extension only touches web traffic in that browser, yet it still gains permissions powerful enough to copy what you view. The AI Threat Detection branding shows how a security pitch can normalize invasive capture that runs all the time. If you used this extension while logged into email, cloud drives, or photo libraries, you face a leak you cannot roll back.
TenMostSecure Recommendations
If you installed FreeVPN.One or rely on browser extensions for privacy, cut exposure and change how you handle sensitive browsing. Prioritize actions that stop capture, invalidate useful crumbs, and prevent a repeat.
1. Remove and desync the extension everywhere. In Chrome go to Menu then Extensions then Manage Extensions and remove FreeVPN.One. In Chrome Sync turn off syncing of extensions, then repeat the removal on every device that uses your Google account.
2. Reset sessions and regenerate secrets for key accounts. Log out all devices for email, cloud storage, photos, banks, and social accounts, then sign back in fresh. Regenerate two-step backup codes and any TOTP (Time-based One-time Password) secrets you shared as QR codes, and delete old ones.
3. Move second factors off the screen. Prefer passkeys or a hardware security key for high-value accounts so no code appears on a page. If you use TOTP, keep it on a separate device and read the code from there.
4. Create a clean environment for sensitive tasks. Use Incognito for finance, health, and photo libraries since extensions stay off by default, or make a separate Chrome profile or a second browser with zero extensions for those tasks.
5. Limit what extensions can see going forward. For every extension you keep, set Site access to On click or On specific sites, and keep Allow in Incognito off. Review your extension list monthly and remove anything you do not need, especially free VPNs and security add-ons.
6. Replace browser VPN extensions with a device VPN app. Use a reputable provider with independent audits and clear logging policies, installed at the system level, not inside the browser. If you are comparing options, our VPN comparison outlines safer choices with transparent governance.
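An added example, not taken from Koi Security's research or from this article's sources: a small Python audit to support the monthly review in step 5. It flags extensions whose manifest combines the tabs or scripting permissions mentioned earlier with access to every site. The list of all-site match patterns and the two sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Permissions the article names as enabling code injection across sites.
RISKY_PERMISSIONS = {"tabs", "scripting"}
# Assumed list of match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Report risky permissions and all-site host grants in one manifest."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
    hosts = perms | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    risky = sorted(perms & RISKY_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOSTS)
    # Flag only when injection-capable permissions meet all-site access.
    return {"name": manifest.get("name", "?"), "risky_permissions": risky,
            "broad_hosts": broad, "review": bool(risky) and bool(broad)}


def audit_profile(extensions_dir: str) -> list:
    """Audit each <id>/<version>/manifest.json under an Extensions folder."""
    results = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        report = audit_manifest(manifest)
        report["id"] = path.parts[-3]  # folder name is the extension id
        results.append(report)
    return results


# Constructed sample manifests (not copied from any real extension).
SAMPLE_BROAD = {"name": "Sample VPN", "manifest_version": 3,
                "permissions": ["tabs", "scripting", "storage"],
                "host_permissions": ["<all_urls>"]}
SAMPLE_NARROW = {"name": "Sample Notes", "manifest_version": 3,
                 "permissions": ["storage", "activeTab"],
                 "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    for sample in (SAMPLE_BROAD, SAMPLE_NARROW):
        print(audit_manifest(sample))
```

To check a real profile, pass audit_profile the Extensions folder under the Profile Path shown on chrome://version. A flagged extension is a candidate for the On click or On specific sites setting, or for removal.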
The fixes above close the door and reduce how valuable any captured images remain. Make a clean profile for sensitive work, keep extensions on a short leash, and shift second factors to passkeys or a separate device. Store badges signal marketing, not a standing audit. Your baseline should be simple rules you control. No extensions on critical browsing. On click permissions for the rest. A real VPN outside the browser. Do those three things today and you avoid the next quiet pivot that turns convenience into exposure.