Malicious Free VPN Extension Resurfaces on Chrome Store

In a chilling reminder that “free” doesn’t always mean safe, security researchers have uncovered a malicious browser extension masquerading as a legitimate VPN: Free Unlimited VPN. Despite being removed previously, a near-identical version has resurfaced on the Chrome Web Store, actively hijacking user traffic, altering proxy settings, and exfiltrating browsing data. This disturbing revelation highlights a broader risk: not all VPNs protect your privacy — some may violate it.

What’s Going On: The Return of a Dangerous VPN Extension

According to a recent report from LayerX Security, a new variant of the “Free Unlimited VPN” extension has reappeared on the Chrome Web Store, racking up over 31,000 installs in its revived form.

This isn’t the first time such an extension made waves — prior versions, which looked almost identical, had reportedly amassed more than 9 million downloads before they were removed.

But this iteration is more technically advanced, making it harder to spot and harder to remove.

How It Works: Surveillance Disguised as Privacy

At face value, the extension promotes itself as a simple, no-frills, unlimited VPN — no ads, no login, just privacy. But that’s a façade. LayerX’s analysis revealed that the extension:

Alters proxy settings using remotely controlled PAC (Proxy Auto-Config) scripts.

Intercepts and redirects web traffic through attacker-controlled servers, giving the threat actor full visibility into users’ browsing.

Uploads browsing data, including hashed URLs, to remote servers to profile users.

Removes traces of its malicious behavior by manipulating browser history and using timing-based evasion to avoid detection.

Dynamically updates its code, downloading additional payloads and commands from command-and-control servers.


Perhaps most worrying: it maintains persistence. The extension reportedly uses “keepalive” scripts injected into tabs to prevent Chrome from unloading its background processes.

Why This Matters: Privacy Risk, Not Protection

VPNs are widely used to protect privacy, encrypt traffic, and bypass geoblocks. But when a VPN extension secretly logs your data, it does the opposite — it betrays your trust.

LayerX’s findings suggest this campaign is not some amateur operation. The fake VPN extensions have been active in various forms for nearly six years, exploiting users’ desire for free privacy tools.

Additionally, the extension’s repeated reappearance after Google’s takedowns underscores a major challenge: reactive removal is not enough. Malicious actors continuously evolve their tactics, and they’re finding ways to stay one step ahead of store defenses.

Not the Only One: A Broader Extension Threat

FreeVPN.One, another Chrome VPN extension, has also come under fire. Security researchers (Koi Security) found that it silently captures screenshots of every webpage a user visits — including sensitive ones like banking sites — and sends the images to a remote server.

Its transformation was gradual: earlier versions were more benign, but later updates added broad permissions (like <all_urls>) and deep scripting access, enabling full-page injections.

Experts have called out major weaknesses in Chrome’s audit process, noting how even “verified” or “Featured” extensions can hide malicious behavior.

What Experts Recommend: How to Stay Safe

Given this growing threat, security experts advise:

Uninstall suspicious VPN extensions immediately — especially free ones making big promises with no business model.

Use trusted, audited VPN providers, particularly well-known names with good reputations (e.g., Proton VPN).

Review extension permissions before installing — if a VPN extension asks for access to all sites or scripting permissions, treat it as a red flag.

Implement internal monitoring policies (for orgs): continuously monitor installed extensions, watch for behavioral anomalies, and enforce a strict vetting process.
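One way to act on the permission-review and monitoring advice above, as an added example that is not from LayerX, Koi Security or the original article: a Python check that flags extension manifests requesting the capabilities described here. The risk mapping, function names and sample manifest are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Chrome permissions mapped to behaviours the article describes (this example's mapping).
RISKY = {
    "proxy": "can change proxy settings, including PAC scripts",
    "history": "can read and delete browsing history",
    "scripting": "can inject scripts into pages",
    "tabs": "can read the URL of every open tab",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _strings(values):
    """Keep only string entries; manifests may hold null or object values."""
    return {v for v in values or [] if isinstance(v, str)}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 or MV3)."""
    perms = _strings(manifest.get("permissions")) | _strings(manifest.get("optional_permissions"))
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = perms | _strings(manifest.get("host_permissions"))
    for script in manifest.get("content_scripts") or []:
        hosts |= _strings(script.get("matches"))
    findings = [f"{p}: {why}" for p, why in RISKY.items() if p in perms]
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    if "proxy" in perms and broad:
        findings.append("HIGH: proxy control plus access to all sites")
    return findings

def audit_profile(extensions_dir):
    """Audit each <id>/<version>/manifest.json under a Chrome profile's Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        findings = audit_manifest(manifest) if isinstance(manifest, dict) else []
        if findings:
            report[path.parts[-3]] = findings  # key is the extension ID folder
    return report

# Constructed sample manifest, not taken from any real extension.
SAMPLE_VPN = {"manifest_version": 3, "name": "Sample VPN (constructed)",
              "permissions": ["proxy", "storage", "history", "scripting", "tabs"],
              "host_permissions": ["<all_urls>"]}
if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE_VPN)))
```

Point `audit_profile` at a Chrome profile's Extensions directory to get findings keyed by extension ID; a finding means the extension deserves manual review, not that it is malicious.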


Conclusion

The reappearance of the “Free Unlimited VPN” extension on the Chrome Web Store is a stark warning: not all VPNs are created equal. Rather than safeguarding your online activity, some “free” tools may be harvesting it. As cybercriminals get craftier, relying solely on marketplace oversight is no longer enough — users must remain vigilant. When it comes to privacy, sometimes paying for a reputable VPN is the safest choice.

Amany Hassan

Amany Hassan is a news editor and content reviewer at VPNX, specializing in technology, cybersecurity, and digital privacy topics. Her focus is on reviewing, fact-checking, and refining articles to ensure accuracy, clarity, and added value — delivering reliable and well-edited news to readers.
