11:50
Over 8 million users clicked "install," thinking they were downloading a VPN. It looked safe, and it was even verified by Google. But, as they installed, the extension ran code to steal their privacy. It would take a screenshot of every page, then upload it. It rerouted web traffic, stole browser data, and even stole entire AI conversations, including people's private thoughts. This is how a "free VPN" scammed millions… And it's still happening. A VPN, at the end of the day, is supposed to do something pretty simple.
It routes your internet traffic through another server so websites don't just see your home IP address, and it can also protect data in transit on public Wi‑Fi. That's the broad promise: privacy, security, and maybe access to content in another country. And to be fair, real VPNs can do that. Good ones exist, like Proton for example. But, for some, these real, safe, and secure VPNs often have a problem… they cost money. Some people just want it for free. But you know what they say. If it's free… YOU are the product. Soon, many people found themselves looking at the Chrome Web Store. Where they found… VPNs! And for free.
Like FreeVPN.One To you, this might already look quite sketchy, but for the less experienced, it just seemed like a free VPN. Unlimited access, simple install. Great! But it wasn't a regular application; it was an extension for Chrome. And that gives it a surprising amount of power. It can be granted permission to "read and change data on every website you visit," far beyond what most people realize they're consenting to. But what makes this even worse… is actually Google.
Google's Chrome Web Store has a Featured system that is supposed to mean the extension meets a higher standard and follows best practices. And… this one was featured, and it even had over 100,000 users! According to Google, to be featured, an extension had to be nominated, then reviewed by Google. If you don't read into it too much, that badge feels close enough to "verified by Google" themselves. Someone made sure it was safe. Or at least, someone should have. So, people click install. Here, the scam began its work.
A typical VPN only needs a few permissions to function, but FreeVPN.One requested much more. all_urls, tabs, and scripting … Strange… Permissions like this allowed it to collect data across the browser, on every site you visited. Very weird, but most users just click "accept" without reading, and that's honestly true about myself too. On the surface, the extension behaved like a normal VPN. But in the background, it scanned, tracked, and captured screenshots of every website its users visited, and sent that data elsewhere. And the way it did this is even more unsettling.
The extension injects a content script that runs on every web page opened by a user. But, unlike code optimized for quick load times, the first part of this script triggers a delay to ensure that the web page is fully loaded or that passwords are entered. After exactly 1.1 seconds, the script sent a command: "captureViewport." The viewport is the visible portion of a web page on a user's screen. This command was received by the extension's background service worker, which then captured a screenshot along with the page URL, tab ID, and a unique user identifier.
All of this happened silently, with no visual indicators or user interaction, allowing the extension to collect data without detection. The screenshots could include bank balances, medical portals, student records, client documents, email drafts, password reset pages, and anything opened in a browser tab. This creates serious risks: identity theft, doxing, targeted manipulation, blackmail, online impersonation, but for businesses, the threat may be even greater. As more companies rely on remote work, such surveillance could expose
sensitive corporate data, customer information, and internal documents. An investigation by Koi, a security company, made this public, and the reaction online was immediate. Users flooded review pages and forums with warnings. Then the media picked up on it. Then, the strangest thing happened… The developer responded? When confronted, the developer of "FreeVPN" claimed the screenshot capture was part of a background scanning feature meant for suspicious domains. But… it was taking screenshots from websites like Google Sheets and Google Photos? The excuse wasn't holding up. The developer also admitted the feature was enabled by default. Even worse. But, they promised "consent" would be required in a future update.
People pressed harder. Asking for a GitHub, LinkedIn, a company profile… They stopped responding… Yet, it turns out, this wasn't even the worst one, nor the one most downloaded. It turns out, you can do much worse with a Chrome extension. These VPNs managed to grab highly confidential information like salaries and client payments, some even had their bank accounts emptied. If you're a freelancer or run a business, putting financial information in lots of scattered, unknown tools, isn't the best idea. And for something that important, it's better to be safe than sorry. That's where Xero can help. Xero is a cloud-based accounting platform
that helps small businesses manage finances: with invoicing, bills, payments, payroll, sales tax, and more all in one secure location. Xero encrypts your business information, has multi-factor authentication, and 24/7 monitoring and surveillance. They even have a security noticeboard to keep you informed about recent scams and how to avoid them. Xero helps with one of the hardest parts of freelancing, which is surprisingly charging people. Following up if clients forget can be awkward, and what if they use a different payment method others didn't? What about different currencies? Xero gives your invoices a "pay now" button, which makes paying you easy, and accepts online payments, credit cards, even Apple & Google Pay.
Xero can automatically send clients reminders too. Xero will also help you easily prepare and file taxes, removing stress from one of the busiest times of the year. Xero have all kinds of plans. Whether you run a small business, are a freelancer, or just have a side-gig, Xero has the perfect plan for you. As of the time of making this video, Xero is offering 90% off for 6 months using the link below. Join 4.6 million subscribers, and start using Xero to get on top of your finances, and your privacy. Thank you to Xero for sponsoring our videos.
It was called "Urban VPN Proxy," and it had the same premise: A free VPN. 4.7 stars, 58,000 ratings, and over 6 million users. It even had the "featured" tag from Google. Wow! What could go wrong? Well, instead of screenshots, this one was after something different. When you installed it, it gave you a strange popup. "Our chrome extension provides real time protection. To provide these protections, we process certain browsing data such as ChatAI communication."
Complete nonsense, just to be clear. You don't need this to provide protection. Though, even stranger, on the Chrome Web store, it says "This developer declares that your data is Not being sold to third parties, outside of the approved use cases." Granted, it doesn't mention anything about AI conversations. But it gets worse. Inside the extension, was this code: Basically, when you visited an AI platform, like ChatGPT, the extension injected a script into the page. It then overrides the fundamental browser API, and wraps the original function so it passes through the extension first.
The data is then compressed and transmitted to Urban VPN's servers. This is an absurd breach of privacy. Every prompt you sent, every response, conversation timestamps, metadata, what AI platform and model. It was all being funneled away, out of sight. Lots of people now use AI chats like private notebooks: health questions, money problems, relationship dilemmas, job searches, legal confusion, work help, code, client data. While cynical, this is a gold mine for data brokers and marketers. What if something could open them and extract your chats for every AI without you ever knowing? To make matters worse, you couldn't turn it off. Even if the VPN is "off," there
was no way to disable this unless you uninstalled the extension. So, what happened? Well, the same foe appeared: A researcher at Koi had this same concern. And when they dug deeper, they found something much worse… Urban VPN is affiliated with Biscience, a data broker company previously investigated for suspicious practices, including collecting browsing histories from millions of users and selling the information through products like AdClarity and Clickstream OS. [Koi Security]: "BiScience has moved from collecting browsing history to harvesting complete AI conversations-a significantly more sensitive category of data." But many people likely downloaded this before it was a scam. Before July 2025,
there was no AI harvesting. Then, it was released in Version 5.5.0, with it turned on by default. The worst part is that these aren't just weird outliers. There's an entire industry hidden in browser extensions. And it's not just "Free VPNs." If you appreciate us shining light onto this sketchy industry of nefarious extensions, please subscribe! One morning, millions of households in the UK woke up to alarming reports about a VPN service called
Mobdro Pro IPTV+, a platform that had surged in popularity under new online safety restrictions. After the Online Safety Act passed, restricting content for teens and children, new rules made it harder to access apps like YouTube and X. VPN downloads in the UK surged almost overnight. One, was called Mobdro Pro IPTV, and it offered combined TV shows, films, and sports with a free VPN, all in one app. Yet, once permissions were given, malware called Klopatra began its work. Suddenly, people noticed their bank accounts were empty.
There is an entire industry of fake extensions and products, which trick you into giving up your privacy. 1ClickVPN, Urban Browser Guard, Urban Ad Blocker, and many more, with over 8 million users across Edge and Chrome. It's not just fake VPNs either. For example, this DeepSeek Chrome extension seems great and does what it says, but in secret, "also connects to malicious servers to send user data, receive commands, and execute arbitrary code." It's also in Crypto extensions, Productivity tools which leak your meeting details, PDF converters, translator tools, and even some ad blockers. Of course, not every extension is after your data. But there are hundreds of these,
and they are installed by millions. So, who's at fault? The problem here, at least in my opinion, is a lack of oversight. Which means the real share of this falls on Google and Microsoft. They didn't scam people… but, they enabled these extensions to run rampant, and even promoted them. They gave them a "featured" badge, and didn't do enough due diligence. Though, we can't say all users are blameless either. Much of this code is run in secret, but if you're giving a "free VPN" access to your AI chats… you're asking for it. So, what happened to all these scams? As of me writing this, FreeVPN.One is still up on the Chrome Web Store, unfortunately.
It seems like it was removed temporarily, but is now back. It seems as though Urban Proxy VPN and their other apps have been removed. But, just from Chrome, not from Edge, unfortunately. All of this is simply a vicious cycle, though. These extensions get removed, then reappear days later under a new name, doing the same thing. If you take away one thing from this video, it's this: Be wary of free VPNs and be careful what permissions you give. A free tier of a real VPN? That's okay. But make sure you do your research. At the end of the day, the best person who can protect you is yourself.
Speaking of sus activities, Discord has been recently creating a stir with their whole ID verification saga. Check out this video to learn more.
