FreeVPN Chrome Extension Captures User Data

FreeVPN.One, a Chrome extension with 100k+ installs and a verified badge, secretly captured screenshots of users’ browsing (including Google Sheets, banking pages, and photos) and exfiltrated them to aitd.one and related servers without consent. The extension escalated permissions over multiple updates, added encryption to hide exfiltration, and continued surveillance despite developer claims; #FreeVPN.One #aitd.one

Keypoints

  • The FreeVPN.One Chrome extension silently captured screenshots of every webpage visit and uploaded them to aitd.one and scan.aitd.one without user consent.
  • The extension requested broad permissions (, tabs, scripting) enabling content script injection and use of chrome.tabs.captureVisibleTab(), facilitating persistent surveillance.
  • Updates between v3.0.3 and v3.1.4 show a timeline: added (Apr 2025), expanded scripts and “AI Threat Detection” (Jun 2025), live screenshot exfiltration (v3.1.3, July 17, 2025), and added AES-256-GCM + RSA wrapping (v3.1.4, July 25, 2025).
  • Screenshots were captured automatically via a delayed 1.1s trigger from content scripts and uploaded bundled with URL, tab ID, and a unique user identifier to attacker-controlled endpoints.
  • The “Scan with AI Threat Detection” UI falsely framed uploads as user-initiated scans, while background captures had already occurred continuously.
  • The developer’s explanations (background scanning, future consent changes, no storage) conflict with observed behavior and lacked verifiable company credentials or responses.
  • The extension’s use of encryption for exfiltration and verified/featured status on the Chrome Web Store highlights gaps in marketplace security and detection.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The extension injected and executed scripts on pages and used chrome.scripting.executeScript() when “Scan with AI Threat Detection” was clicked to capture full-page screenshots. Quote: ‘…triggering chrome.scripting.executeScript() to run code that captures full-page screenshots.’
  • [T1602] Data from Local System – The extension captured visible tab contents (screenshots) including locally displayed sensitive data (e.g., Google Sheets, photos) using chrome.tabs.captureVisibleTab(). Quote: ‘…uses the tabs permission to use the captureVisibleTab() API and scripting permission to inject JavaScript dynamically.’
  • [T1537] Exfiltration Over Web Service – Captured screenshots and metadata were uploaded to attacker-controlled servers aitd.one/ and scan.aitd.one (e.g., aitd.one/brange.php, aitd.one/analyze.php). Quote: ‘…sends an internal message captureViewport… executes the actual screenshot capture using Chrome’s privileged API chrome.tabs.captureVisibleTab()’ and ‘uploads it to aitd.one/analyze.php for server-side analysis.’
  • [T1078] Valid Accounts (implied) – The extension leveraged granted browser extension permissions (tabs, ) as legitimate privileges to persistently access user content and capture data. Quote: ‘With the permission, the extension gains the ability to access every site you visit.’
  • [T1140] Deobfuscate/Decode Files or Information – The extension used base64 encoding and later AES-256-GCM with RSA key wrapping to obscure and protect exfiltrated data in transit, complicating detection. Quote: ‘the extension queries IP geolocation APIs… transmits this data as base64-encoded analytics’ and ‘introduced AES-256-GCM encryption with RSA key wrapping to hide data in transit.’

Indicators of Compromise

  • [Extension ID] Chrome extension identifier – jcbiifklmgnkppebelchllpdbnibihel (FreeVPN.One extension ID).
  • [Domains] Exfiltration endpoints and infrastructure – aitd.one (brange.php, analyze.php), scan.aitd.one, extrahefty.com, freevpn.one (publisher/branding context).
  • [File/Feature Names] UI and functionality indicators – “Scan with AI Threat Detection” (feature that triggers visible full-page capture) and “AI Threat Detection” branding.
  • [Permissions] Suspicious permission set – , tabs, scripting (enables global content injection and captureVisibleTab usage).
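The permission set in the Keypoints and the domains in the Indicators of Compromise above lend themselves to a small defender-side triage script. The following is an added example written for this summary, not tooling from Koi Security or the report: it audits an unpacked extension's manifest for the combination of a site-wide host permission plus tabs and scripting, greps extension JavaScript for the two privileged APIs the report names (captureVisibleTab and executeScript), and matches proxy log lines against the exfiltration domains. The manifest, JavaScript fragment and log lines are constructed samples; the `<all_urls>` host pattern used in the sample manifest is Chrome's real catch-all host permission but is an assumption for this example rather than a value quoted from the report.

```python
"""Triage helpers for the capture/exfiltration pattern described in the
FreeVPN.One report. Added example, not the vendor's code; all inputs are
constructed samples."""
from __future__ import annotations

import json
import re
from urllib.parse import urlsplit

# Exfiltration infrastructure named in the report's IoC list.
IOC_DOMAINS = {"aitd.one", "scan.aitd.one", "extrahefty.com"}

# A host permission covering every site plus tabs (captureVisibleTab) and
# scripting (executeScript) is what allows silent page capture. "<all_urls>"
# is Chrome's catch-all host pattern (assumed here for the sample manifest).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CAPTURE_PERMISSIONS = {"tabs", "scripting"}

# Privileged extension APIs the report ties to screenshot capture/injection.
RISKY_API_RE = re.compile(
    r"chrome\.tabs\.captureVisibleTab|chrome\.scripting\.executeScript"
)


def audit_manifest(manifest: dict) -> dict:
    """Report which risky permissions a manifest (MV2 or MV3) requests."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 under "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    broad_host = bool(hosts & BROAD_HOST_PATTERNS)
    capture = CAPTURE_PERMISSIONS & perms
    return {
        "broad_host_access": broad_host,
        "capture_permissions": sorted(capture),
        # All three together match the surveillance capability described.
        "silent_capture_capable": broad_host and capture == CAPTURE_PERMISSIONS,
    }


def scan_source(js_source: str) -> list[str]:
    """List privileged capture/injection API references found in extension JS."""
    return sorted(set(RISKY_API_RE.findall(js_source)))


def match_iocs(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (host, url) pairs for proxy log lines that reach an IoC domain
    or any subdomain of one. Line format 'timestamp client url' is constructed."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        host = (urlsplit(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((host, url))
    return hits


# Constructed sample inputs (not artefacts from the real extension).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "sample-vpn-extension",
  "permissions": ["tabs", "scripting", "storage"],
  "host_permissions": ["<all_urls>"]
}""")

SAMPLE_JS = """
// constructed fragment: delayed trigger followed by privileged API references
setTimeout(() => chrome.runtime.sendMessage({type: 'captureViewport'}), 1100);
chrome.tabs.captureVisibleTab(null, {format: 'png'}, handleImage);
chrome.scripting.executeScript({target: {tabId: id}, files: ['scan.js']});
"""

SAMPLE_LOG = [
    "2025-07-18T10:00:01Z 10.0.0.5 https://aitd.one/brange.php",
    "2025-07-18T10:00:02Z 10.0.0.5 https://aitd.one/analyze.php",
    "2025-07-18T10:00:03Z 10.0.0.7 https://scan.aitd.one/",
    "2025-07-18T10:00:04Z 10.0.0.7 https://example.com/index.html",
]

if __name__ == "__main__":
    print("manifest:", audit_manifest(SAMPLE_MANIFEST))
    print("risky APIs:", scan_source(SAMPLE_JS))
    for host, url in match_iocs(SAMPLE_LOG):
        print("IoC hit:", host, url)
```

The manifest check is deliberately conservative: a broad host permission alone is common in legitimate extensions, so the script only raises `silent_capture_capable` when tabs and scripting are requested as well, and the source scan is meant to direct a reviewer to the code paths worth reading rather than to pass judgement on its own.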

Read more: https://www.koi.security/blog/spyvpn-the-vpn-that-secretly-captures-your-screen