Overview

• Researchers say FreeVPN.One snapped a screenshot about 1.1 seconds after every page load and sent the image with the URL, tab ID, and a unique user identifier to developer servers.
• Koi Security’s timeline points to an April permission expansion to all sites, with silent screenshotting and data exfiltration starting July 17.
• The extension reportedly added AES‑256‑GCM with RSA key wrapping and shifted exfiltration subdomains to make the transfers harder to detect.
• The developer initially denied the findings, claiming screenshots targeted only suspicious domains, then stopped responding to requests for verification.
• Despite user complaints and the research report, the extension remains on the Chrome Web Store with trust‑signaling badges, and experts advise uninstalling it, scanning devices, and changing passwords.