A popular free VPN has been accused of spying on its users after security researchers observed it taking screenshots of their browsing activity without consent.

Research from Koi Security found the Chrome browser extension FreeVPN.One silently took screenshots just “seconds after any page loads” in a user’s browser, then sent them to an external platform for server-side analysis.

The extension has over 100,000 downloads on the Chrome Web Store and carries a ‘Featured’ badge affirming that it “follows recommended practices for Chrome extensions”. Koi alleged the extension deliberately timed its screenshots with a delayed trigger so that webpages had fully rendered before capture.

“Think about your own daily browsing like opening a Google Sheet with sensitive company information, logging into your bank account, browsing a dating app, or viewing private family photos,” wrote security researcher Lotan Sery.

“Every one of those moments, captured as screenshots and shipped away without your consent.”

Koi alleged screenshots were taken in the background with “no user action” or “UI hint”, while the extension further collected device information and queried for user location details on installation and at startup.

“Most people turn to a VPN for one reason: privacy,” said Sery.

“FreeVPN.One looked like a safe choice, but once it’s in your browser it’s not working to keep you safe, it’s continuously watching you.”

Koi listed the Google-featured VPN as having a ‘critical’ risk level and engaging in “spyware activity” that secretly collects “user or device information without authorisation.”

As FreeVPN.One appears in the Chrome store. Source: Chrome store

Google did not respond to Information Age prior to publication when asked about the alleged spyware extension.

The extension is still available for download at the time of writing.

Don’t worry, it’s for an AI scanner

Notably, FreeVPN.One had a valid reason to capture full-page screenshots: its clickable ‘Scan with AI Threat Detection’ feature is explicitly advertised as using an “immediate screenshot of the current webpage” to scan the page with an AI tool that checks “for phishing or crypto scam indicators”.

Koi conceded that, to the VPN’s credit, its privacy policy does indeed disclose the AI feature may upload page screenshots and URLs to its secured servers.

However, Koi ultimately found the extension had separately taken “many more screenshots in the background”.

“The UI presents it as a one-time, local scan, but the surveillance is already well underway,” wrote Sery.

Koi accused the VPN extension of requesting excessive browser permissions: the ‘<all_urls>’ host permission, which gives an extension access to “every site” a user visits; the ‘tabs’ permission, which was needed to use one of Chrome’s screenshot APIs; and the ‘scripting’ permission, which was needed to inject the related JavaScript into pages.

Koi found the ‘scripting’ permission was only exercised once users clicked the AI threat detection feature, but that the three permissions combined “opened the door to persistent surveillance”.
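The permission combination Koi describes is something a reviewer can check for mechanically before installing an extension. The following Node.js script is an added example, not code from the article or from FreeVPN.One: it audits a Chrome extension manifest for broad host access (such as ‘<all_urls>’) combined with ‘tabs’ and ‘scripting’, and contrasts it with a manifest that could support a one-click “scan this page” feature using only ‘activeTab’, which grants page access solely after the user invokes the extension. Both manifests are constructed samples, and the names and risk levels are the example’s own conventions.

```javascript
// Added example (not code from the article or from FreeVPN.One): audit a
// Chrome extension manifest for the permission combination Koi describes:
// broad host access plus 'tabs' plus 'scripting'. The manifests below are
// constructed samples, not the extension's real files.

// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Manifest V3 lists host patterns under host_permissions; V2 mixed them into permissions.
function hasBroadHostAccess(manifest) {
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  return hosts.some((p) => BROAD_HOST_PATTERNS.has(p));
}

function auditManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const findings = [];
  const broad = hasBroadHostAccess(manifest);

  if (broad) findings.push('broad host access: the extension can read every site the user visits');
  if (perms.has('tabs')) findings.push("'tabs': can list every open tab's URL and title");
  if (perms.has('scripting')) findings.push("'scripting': can inject JavaScript into pages");
  if (perms.has('webNavigation')) findings.push("'webNavigation': is notified when every page load completes");
  if (perms.has('activeTab')) findings.push("'activeTab': page access only after the user clicks the extension");

  // The worrying case is the combination: broad host access lets a background
  // worker call chrome.tabs.captureVisibleTab on any site, 'tabs' tells it
  // which URL it captured, and 'scripting' lets it run code in the page.
  // None of that needs a user gesture, so capture can run on every page load.
  const persistentCapture = broad && perms.has('tabs') && perms.has('scripting');

  // Risk levels are this example's own convention (hypothetical, not Koi's scale).
  let level = 'low';
  if (persistentCapture) level = 'critical';
  else if (broad) level = 'high';
  else if (perms.has('tabs') || perms.has('scripting')) level = 'medium';

  return { level, persistentCapture, findings };
}

// Constructed sample 1: the permission set named in the article.
const broadManifest = {
  manifest_version: 3,
  name: 'example-free-vpn',
  permissions: ['tabs', 'scripting', 'storage', 'proxy'],
  host_permissions: ['<all_urls>'],
  background: { service_worker: 'background.js' },
};

// Constructed sample 2: what a one-click "scan this page" feature needs.
// activeTab grants temporary access to the current tab only when the user
// invokes the extension, and captureVisibleTab accepts it in place of a host
// permission, so a screenshot can only follow a deliberate click.
const clickOnlyManifest = {
  manifest_version: 3,
  name: 'example-scan-on-click',
  permissions: ['activeTab', 'storage', 'proxy'],
  host_permissions: [],
  action: { default_title: 'Scan with AI Threat Detection' },
};

// Demo: audit both samples. Expected levels: critical, then low.
for (const m of [broadManifest, clickOnlyManifest]) {
  const result = auditManifest(m);
  console.log(`${m.name}: ${result.level}`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
```

To run it against a real extension, load the unpacked manifest.json with JSON.parse and pass the object to auditManifest. The check is deliberately coarse: it flags capability, not behaviour, which is exactly the gap Postill points to below, since a manifest that can screenshot every page looks the same whether the extension does so once on click or continuously in the background.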

Koi also alleged a July update made it harder to detect the screenshot exfiltration after FreeVPN.One introduced stronger encryption to “hide” data in transit.

If it’s free, you’re the product

According to data from Google Trends, searches for “free VPN” in the UK spiked 900 per cent from 26 June to 26 July – the day after the UK’s Online Safety Act introduced age checks for platforms allowing certain mature content, including Reddit, Discord and Pornhub.

Those uncomfortable at the idea of uploading a selfie, providing ID, or running a credit card check to prove their age are increasingly using VPNs to re-route their internet connection to other, less regulated countries.

Robert Postill, founder of Melbourne data privacy outfit Privay, said VPNs are positioned to become a “significant product” in Australia given the forthcoming youth social media ban.

“Free VPNs are like most free things on the internet – if you don't pay for the product, you are the product,” said Postill.

The FreeVPN.One website. Source: Internet

Postill told Information Age the FreeVPN.One discovery highlighted the challenges of relying on permissions in data privacy.

“I'd regard myself as technically sophisticated, and if I were using that product, I'd struggle to make the call that the browser rights this VPN asked for were not okay,” said Postill.

“Also, more enforcement by streaming platforms will drive people to look at VPNs.

“This case is likely the first among many.”

FreeVPN.One disputes findings

FreeVPN.One told Information Age the company does “not engage in spyware” and, given the seriousness of Koi’s allegations, it would be “consulting with legal counsel”.

“The claims made by Koi Security are inaccurate,” the company told Information Age.

Koi said it reached out to a company developer with the aim of determining whether there had been a misunderstanding – he reportedly gave “several explanations”, but Koi wasn’t satisfied.

According to the developer, the automatic screenshots were part of a background scanning feature which was only intended to trigger on suspicious domains – though Koi observed the feature taking screenshots of trusted services like Google Sheets and Google Photos.

The developer also alluded to a future update which would require explicit consent for the VPN’s background scanning, and emphasised its screenshots are not being stored or used outside of a brief threat analysis.

“When asked to provide evidence of legitimacy, such as a company profile, GitHub account, or LinkedIn page, the developer stopped responding to our emails,” wrote Sery.

FreeVPN.One told Information Age its privacy policy has “always disclosed” how its AI threat detection feature works, including the “use of screenshots for phishing protection.”

“We also follow Chrome’s requirements to encrypt sensitive data in transit – suggesting otherwise is misleading.”