A Google-featured VPN extension is reportedly carrying out suspicious activities that may compromise the security and privacy of its users.
In a new blog post, the cybersecurity firm Koi Security says that the Chrome extension FreeVPN.One has been silently accessing and capturing screenshots of the pages that users visit.
-->Says the firm,
“Seconds after any page loads, a background trigger grabs a screenshot and sends it to aitd[.]one/brange.php, bundled with the page URL, tab ID, and a unique user identifier. No user action, no UI hint, the screenshots are taken in the background without you ever knowing.”
Koi Security says the extension behaved like a basic VPN tool for years, but something changed following several updates that the developer rolled out this year. The updates included an “AI Threat Detection” that the firm says enabled broader access to websites.
“On May 31, 2025, the domain aitd.one was registered. A month later, v3.1.3 shipped, and the spying went live.
- Silent screenshots on every site
- Collection began, tracking your location and harvesting your device details
- Data exfiltration commenced, sending everything to the new aitd.one servers.”
Koi Security says the VPN service’s behavior poses risks to users, and its screenshots can sweep “passwords, banking details, personal messages, and any sensitive data rendered on your screen.”
“These images are then uploaded to a third-party server separate from the VPN provider, an exfiltration path entirely opposed with what a privacy tool should do.”
Read the full Koi Security report here.
