Chrome VPN Scandal Exposes Dangers of Closed-Source Extensions


A free Chrome VPN extension with over 100,000 installs has been exposed by Koi Security for secretly spying on users, underscoring why open-source, community-audited tools are vital for privacy.

A free Chrome VPN extension with over 100,000 installs has been exposed as spyware that secretly captures users’ browsing activity and uploads it. Researchers at Koi Security revealed that the add-on, marketed as a VPN, was in fact a surveillance tool.

The malicious behaviour emerged gradually, one update at a time. In April 2025, the extension requested <all_urls> host access, the right to run on every site the user visits. By June, it had added the scripting permission, which lets an extension inject its own code into pages. In July, it escalated to capturing screenshots, collecting device and location data, and encrypting its uploads so that anyone watching the traffic could not see what was being exfiltrated. The mechanism was simple: inject a script into each page, wait 1.1 seconds for the page to finish rendering, then call Chrome’s privileged tab-capture API to screenshot whatever was on screen, from banking details to private messages.

To mask its intent, the developer promoted an ‘AI Threat Detector’ feature that purportedly analysed pages for phishing by uploading screenshots. The extension’s privacy policy disclosed the screenshot uploads but framed them as a security measure. At the time of writing the extension remains live on the Chrome Web Store and still carries Google’s ‘Featured’ badge. When pressed by the researchers, the developer initially claimed screenshots were taken only on “suspicious” sites, then stopped responding.

The case raises broader concerns about Chrome Web Store review, which failed to catch repeated permission escalations across updates to an already-listed extension. It also highlights the risk of proprietary, closed-source browser extensions: opaque code and permission creep leave users with no practical way to verify what the software does with the access it asks for.
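The permission creep described above is visible in the extension’s manifest.json long before anyone reads the code, and it is exactly the kind of drift store review missed. The following is an added example, not code from the page, from Koi Security, or from the extension itself: a Node.js audit that flattens each manifest version into a set of grants, diffs consecutive versions, and flags escalations (broad host patterns and high-risk permissions). The four manifests, their version numbers, and the list of high-risk permissions are constructed for illustration and only mirror the April/June/July sequence the article reports.

```javascript
// Added example: audit successive manifest.json versions of a Chrome
// extension for permission creep. Not the extension's code and not Koi
// Security's tooling; the manifests below are constructed, not real.

// Permissions that give an extension broad read, inject or capture ability.
// chrome.tabs.captureVisibleTab (the API for screenshotting the visible tab)
// needs "activeTab" or host access to the captured page, so <all_urls> plus
// "scripting" is the combination to watch for. List is the author's judgement.
const HIGH_RISK_PERMISSIONS = new Set([
  "scripting", "tabs", "webRequest", "webRequestBlocking", "cookies",
  "history", "debugger", "nativeMessaging", "tabCapture", "desktopCapture",
  "declarativeNetRequest", "webNavigation", "geolocation",
]);

// <all_urls>, or a scheme-wide wildcard host such as "*://*/*" or
// "https://*/*", grants access to every site. "https://*.example.com/*" does not.
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?|file|ftp):\/\/\*\//.test(pattern);
}

// Flatten every grant in a manifest into labelled strings so versions can be
// compared as sets. Handles both MV2 (hosts listed inside "permissions") and
// MV3 ("host_permissions") layouts.
function permissionSurface(manifest) {
  const surface = new Set();
  for (const p of manifest.permissions || []) {
    const isHost = p === "<all_urls>" || p.includes("://");
    surface.add(isHost ? `host:${p}` : `permission:${p}`);
  }
  for (const p of manifest.optional_permissions || []) surface.add(`optional:${p}`);
  for (const h of manifest.host_permissions || []) surface.add(`host:${h}`);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) surface.add(`content_script:${m}`);
  }
  return surface;
}

// Decide whether a newly added grant deserves a reviewer's attention.
function isEscalation(entry) {
  const i = entry.indexOf(":");
  const kind = entry.slice(0, i);
  const value = entry.slice(i + 1);
  if (kind === "permission") return HIGH_RISK_PERMISSIONS.has(value);
  if (kind === "host" || kind === "content_script") return isBroadHostPattern(value);
  return false; // optional permissions only matter once requested at runtime
}

// Diff two manifest versions and list the additions that escalate access.
function diffManifests(older, newer) {
  const before = permissionSurface(older);
  const after = permissionSurface(newer);
  const added = [...after].filter((e) => !before.has(e));
  const removed = [...before].filter((e) => !after.has(e));
  return { from: older.version, to: newer.version, added, removed, escalations: added.filter(isEscalation) };
}

// Walk a version history (oldest first) and keep only the escalating steps.
function auditHistory(manifests) {
  const steps = [];
  for (let i = 1; i < manifests.length; i++) {
    const d = diffManifests(manifests[i - 1], manifests[i]);
    if (d.escalations.length > 0) steps.push(d);
  }
  return steps;
}

// Constructed manifests (hypothetical names and version numbers) mirroring the
// sequence in the article: all-site host access, then scripting, then a
// content script on every page alongside tab access for screenshots.
const HISTORY = [
  { name: "Example VPN", version: "3.0.0", manifest_version: 3,
    permissions: ["proxy", "storage"], host_permissions: [] },
  { name: "Example VPN", version: "3.1.0", manifest_version: 3,
    permissions: ["proxy", "storage"], host_permissions: ["<all_urls>"] },
  { name: "Example VPN", version: "3.2.0", manifest_version: 3,
    permissions: ["proxy", "storage", "scripting"], host_permissions: ["<all_urls>"] },
  { name: "Example VPN", version: "3.3.0", manifest_version: 3,
    permissions: ["proxy", "storage", "scripting", "tabs"], host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], run_at: "document_idle" }] },
];

// Stand-alone run: print one line per escalating update.
if (typeof require !== "undefined" && require.main === module) {
  for (const step of auditHistory(HISTORY)) {
    console.log(`${step.from} -> ${step.to}: ${step.escalations.join(", ")}`);
  }
}
```

Run against real data by unpacking each CRX version you have archived and feeding the parsed manifest.json files to auditHistory in release order; a VPN that starts with proxy and storage and ends with <all_urls>, scripting and a content script on every page has changed what it is, whatever its listing says.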

Had the extension been open source, independent auditors could have flagged the malicious code long before 100,000 users were compromised. The scandal underscores the importance of transparent, community-audited, open-source tools in sensitive domains such as VPNs, browsers, and privacy software. The old warning still applies: when a security tool is free and closed, the user may be the product.

