A Chrome extension marketed as a privacy tool has been caught doing the very opposite. FreeVPN.One, which has over 100,000 installs and even carries a verified badge on the Chrome Web Store, has been exposed for covertly taking screenshots of users’ browsers and transmitting them to a server controlled by its developer.
Researchers at Koi Security uncovered that the extension silently captures full-page screenshots within seconds of loading a site. These images often include highly sensitive content such as banking dashboards, private messages, and personal photos. The captured data, bundled with metadata like page URLs, tab IDs, and unique identifiers, was found to be uploaded to a server registered by the publisher under the domain aitd[.]one. The behavior relies on Chrome’s privileged chrome.tabs.captureVisibleTab() API, which enables screenshots to be taken in the background with no visible indication to the user.
According to the researchers, the spying mechanism is built on a two-stage structure. A content script is injected into every site visited, while a background service worker waits for a trigger command to initiate the capture. Although the extension promotes an “AI Threat Detection” button that also sends screenshots to aitd.one when pressed, Koi Security found that the surveillance begins long before users interact with the feature. They concluded that the button functions largely as a decoy.
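For defenders reviewing an unpacked extension, the capability pattern described above (a content script on every site, a background service worker, and chrome.tabs.captureVisibleTab() reachable with broad host access) can be checked statically. The following is an added example, not code from Koi Security or from the extension; the function name auditExtension, the verdict labels and both sample manifests are constructed for illustration.

```javascript
// Added example: static audit of an unpacked extension for the capability
// pattern described above. All sample data below is constructed.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (patterns) => (patterns || []).some((p) => BROAD.has(p));

function auditExtension(manifest, sources) {
  // MV3 puts host patterns in host_permissions; MV2 mixed them into permissions.
  const granted = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broadHosts = isBroad(granted);
  const contentScriptEverywhere = (manifest.content_scripts || []).some((cs) => isBroad(cs.matches));
  const worker = manifest.background && manifest.background.service_worker;
  // Files that reference the screenshot API at all.
  const captureFiles = Object.keys(sources).filter((f) => /\bcaptureVisibleTab\b/.test(sources[f]));
  const captureInWorker = Boolean(worker) && captureFiles.includes(worker);
  // With <all_urls> the API works without a user gesture; activeTab alone needs one.
  const silentCapable = broadHosts && captureFiles.length > 0;
  let verdict = "ok";
  if (silentCapable) verdict = "review";
  if (silentCapable && contentScriptEverywhere && captureInWorker) verdict = "high-risk";
  return { broadHosts, contentScriptEverywhere, captureInWorker, captureFiles, verdict };
}

// Constructed sample: content script on every site + worker that captures on a message.
const suspicious = {
  manifest: {
    manifest_version: 3,
    permissions: ["tabs", "storage"],
    host_permissions: ["<all_urls>"],
    background: { service_worker: "bg.js" },
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  },
  sources: {
    "bg.js": "chrome.runtime.onMessage.addListener(() => chrome.tabs.captureVisibleTab());",
    "content.js": "chrome.runtime.sendMessage({ type: 'page-loaded' });",
  },
};

// Constructed sample: screenshot tool limited to activeTab (needs a user click).
const benign = {
  manifest: {
    manifest_version: 3,
    permissions: ["activeTab"],
    background: { service_worker: "sw.js" },
  },
  sources: { "sw.js": "chrome.action.onClicked.addListener(() => chrome.tabs.captureVisibleTab());" },
};

console.log(auditExtension(suspicious.manifest, suspicious.sources).verdict); // high-risk
console.log(auditExtension(benign.manifest, benign.sources).verdict);         // ok
```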
The researchers traced the extension’s transformation over time. In April 2025, earlier versions requested broader permissions without yet engaging in surveillance. By June, a rebranded version introduced the “AI Threat Detection” label and expanded scripts across all websites. By mid-July, the spying features were fully active, capturing screenshots, device fingerprints, and user locations. Only days later, the extension added encryption, AES-256-GCM with RSA key wrapping, to make the stolen data harder to detect during transmission.
When approached, the developer argued that the screenshots were part of a security scan meant to identify threats, and insisted that the data was not stored but only analyzed by AI tools. However, Koi Security noted that the extension captured data indiscriminately, including from widely trusted services like Google Sheets and online banking portals. The developer’s company details also raised concerns: the listed domain, phoenixsoftsol.com, resolves to a bare Wix page with no legitimate business information. After initially responding, the developer stopped engaging with researchers altogether.
Despite these revelations, FreeVPN.One remains available on the Chrome Web Store and continues to display its verified status. CyberInsider also attempted to contact the publisher but received no response.
For users, the advice is clear. Anyone who had FreeVPN.One installed should uninstall it immediately, change passwords for any services accessed through Chrome while the extension was active, and consider relying on established VPN providers with transparent privacy practices and independent security audits.
What was presented as a free tool for online safety appears instead to have been a sophisticated surveillance mechanism, raising urgent questions about Chrome’s extension vetting and verification process.

