Severity
High
Analysis Summary
A malicious Chrome VPN extension, FreeVPN.One, with over 100,000 installations and even a verified badge on the Chrome Web Store, has been exposed as sophisticated spyware. Originally marketed as a legitimate privacy tool, the extension secretly captured continuous screenshots of users’ browsing sessions, exfiltrating highly sensitive data such as banking credentials, personal communications, and corporate documents. Despite being featured on the store, it functioned as a comprehensive surveillance platform, betraying the very privacy protections it claimed to offer.
The extension’s transformation from a genuine VPN service into spyware began in April 2025, when updates introduced overly broad permissions granting unrestricted access to user browsing activity. Analysts highlighted how these calculated updates enabled large-scale data collection, with evidence showing private images, financial details, and corporate records siphoned to attacker-controlled servers. The scale and stealth of this campaign are alarming given the verified status and trust the extension had gained among security-conscious users.
From a technical standpoint, FreeVPN.One deployed content script injection across all HTTP and HTTPS sites using a global matching pattern, ensuring every visited page was monitored. The spyware leveraged a timed delay mechanism that triggered screenshots 1.1 seconds after page load to capture fully rendered data. These screenshots, along with metadata such as page URLs and unique user identifiers, were exfiltrated via Chrome’s captureVisibleTab API to remote servers (aitd[.]one), forming the backbone of its intelligence-gathering operation.
To avoid detection, recent versions adopted AES-256-GCM encryption with RSA key wrapping, effectively masking exfiltrated data flows from network-based monitoring tools. Combined with its elevated permissions (<all_urls>, tabs, scripting), this architecture provided attackers with unrestricted surveillance capabilities under the guise of VPN services. The case underscores the growing threat of supply chain abuse within browser extension ecosystems, where even verified and featured extensions can be weaponized into persistent spyware, endangering both individual privacy and corporate security worldwide.
Impact
- Sensitive Data Theft
- Gain Access
- Financial Loss
Remediation
- Block the malicious domains aitd.one and freevpn.one.
- Immediately uninstall the FreeVPN.One extension (and any other untrusted VPN/browser extensions).
- Run a full antivirus/endpoint scan to detect and remove any leftover malicious files or activities.
- Revoke stored credentials (banking, email, corporate accounts) that may have been exposed and change all passwords.
- Enforce Multi-Factor Authentication (MFA) on critical accounts to reduce risk of credential misuse.
- Monitor network traffic and logs for suspicious connections to attacker-controlled domains like aitd[.]one.
- Use browser extension whitelisting to allow only extensions from trusted vendors with a proven security record.
- Apply browser security policies (via GPO/MDM) to restrict extensions that require <all_urls> and high-risk permissions.
- Conduct user awareness training so employees understand risks of installing unverified or suspicious extensions.
- Establish a continuous monitoring process to track malicious extension reports and update defenses quickly.
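The permission set described in the analysis (a global match pattern on content scripts plus tabs and scripting, which together enable captureVisibleTab screenshots on every page) and the policy recommendation to restrict extensions requiring <all_urls> can both be checked from an extension's manifest. The following is an added example, not code from the advisory or from any vendor, that audits manifest.json files for those high-risk grants; the sample manifest is constructed, and the Extensions/<id>/<version>/ directory layout assumed by audit_extension_dirs is the typical Chrome profile layout.

```python
import json
from pathlib import Path

# Permissions and host patterns the advisory identifies as high risk: a global
# match pattern plus tabs/scripting lets an extension inject into every page
# and screenshot it via captureVisibleTab.
HIGH_RISK_PERMISSIONS = {"tabs", "scripting", "webRequest", "debugger"}
GLOBAL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for a Chrome extension manifest (MV2 or MV3)."""
    findings = []
    # MV3 lists host access under host_permissions; MV2 mixes it into permissions.
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = perms & HIGH_RISK_PERMISSIONS
    if risky:
        findings.append(f"high-risk API permissions: {sorted(risky)}")
    if hosts & GLOBAL_PATTERNS:
        findings.append(f"global host access: {sorted(hosts & GLOBAL_PATTERNS)}")
    # Content scripts matched against every site are what let a spyware
    # extension monitor each visited page.
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & GLOBAL_PATTERNS:
            findings.append(f"content script injected into all sites: {cs.get('js', [])}")
    return findings


def audit_extension_dirs(root: Path) -> dict[str, list[str]]:
    """Audit every manifest under a profile's Extensions/<id>/<version>/ tree."""
    report = {}
    for manifest_path in root.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with manifest_path.open(encoding="utf-8") as fh:
            report[ext_id] = audit_manifest(json.load(fh))
    return report


# Constructed sample manifest mirroring the permission set described in the
# advisory; it is not the real FreeVPN.One manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample VPN (constructed)",
    "permissions": ["tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

Running audit_extension_dirs against a user's Chrome Extensions directory gives a per-extension list of findings that can feed an allowlist review or a GPO/MDM policy decision.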