Particle.news

Chrome FreeVPN.One Extension Exposed as Spyware After Stealth Updates

The plugin remains listed with a verified badge, underscoring how store trust signals can mask months of covert data harvesting.

Overview

  • Koi Security’s Aug. 19 report details how FreeVPN.One covertly screenshots every page a user visits and uploads the images to developer-controlled servers.
  • Researchers say the extension injects scripts across all sites, waits about 1.1 seconds, then uses Chrome’s captureVisibleTab() to silently grab screenshots and send them to aitd.one endpoints.
  • The shift began after an April 2025 update added broad site access, with July versions enabling background screenshotting and later introducing AES-256 with RSA-wrapped obfuscation and a move to scan.aitd.one.
  • Phandroid reports that a newer v3.1.4 touts stronger AES-256-GCM encryption, yet the background screenshot capture persists, according to researchers.
  • The developer frames the behavior as security scanning, but researchers observed captures on benign services; users are urged to uninstall immediately and change credentials for accounts accessed during use.
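
The update pattern in the overview (a later version adding all-site access and script injection) can be caught by diffing an extension's manifest.json between versions. The following is an added example, not code from Koi Security or the extension; the two manifests and the capability labels are constructed for illustration.

```javascript
// Added example: diff two manifest.json versions of an extension and report
// newly gained capabilities relevant to silent, all-site screenshotting.
// The capability labels (e.g. 'capture:background') are this example's own.
const ALL_SITES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Collect the capabilities a manifest grants (MV2 and MV3 permission fields).
function capabilities(manifest) {
  const perms = new Set([...(manifest.permissions || []),
                         ...(manifest.host_permissions || [])]);
  const caps = new Set();
  if ([...perms].some(p => ALL_SITES.has(p))) caps.add('host:all-sites');
  // Per Chrome's documentation, tabs.captureVisibleTab() needs <all_urls> or
  // activeTab; activeTab is only granted when the user invokes the extension.
  if (perms.has('<all_urls>')) caps.add('capture:background');
  else if (perms.has('activeTab')) caps.add('capture:on-user-gesture');
  for (const name of ['scripting', 'tabs']) {
    if (perms.has(name)) caps.add('api:' + name);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(m => ALL_SITES.has(m))) caps.add('content-script:all-sites');
  }
  return caps;
}

// Capabilities present in the new version but absent from the old one, sorted.
function escalation(oldManifest, newManifest) {
  const oldCaps = capabilities(oldManifest);
  return [...capabilities(newManifest)].filter(c => !oldCaps.has(c)).sort();
}

// Constructed sample: a VPN extension before and after a permission-widening update.
const sampleOld = {
  manifest_version: 3, version: '1.0.0',
  permissions: ['proxy', 'storage'],
  host_permissions: ['https://api.vpn.example/*'],
};
const sampleNew = {
  manifest_version: 3, version: '1.1.0',
  permissions: ['proxy', 'storage', 'tabs', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['content.js'] }],
};

console.log(escalation(sampleOld, sampleNew));
```

A non-empty result on an update to an already-installed extension is a prompt for manual review; it is a heuristic on declared permissions, not proof of data collection.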