Malicious ‘Free’ VPN Extension with 9 Million Installs Hijacks User Traffic and Steals Browsing Data

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A deceptive browser campaign has exposed millions of users to extensive surveillance through seemingly innocent VPN extensions. Chrome extensions marketed as “Free Unlimited VPN” services accumulated over 9 million installations before security detection, with the malware remaining hidden for nearly six years.

These tools promised simple privacy solutions with single-click activation, yet delivered precisely the opposite: complete visibility into user browsing habits and network traffic.

The extensions operated as remote-controlled proxy systems rather than traditional VPNs. They fetched hidden configuration files from attacker-controlled servers, altered proxy settings in real time, and intercepted every browser navigation event.

By redirecting traffic through unauthorized servers, the attackers gained access to sensitive information, including login credentials, financial data, and personal browsing patterns.

The campaign demonstrates how straightforward permissions, when combined with minimal oversight, transform legitimate-appearing tools into surveillance instruments.

LayerX Security analysts identified and documented the campaign, discovering two primary versions available from 2019 through May 2025.

After removal, a third nearly identical extension appeared just two months later, suggesting the operators remained committed to maintaining their attack infrastructure.

Extension A, created in September 2019, and Extension B, launched in May 2020, shared the support domain free-vpn.pro and exhibited nearly identical malicious behavior.

One of the malicious ‘Free Unlimited VPN’ extensions listed in the Chrome Web Store (Source – LayerX Security)

Extension C emerged in July 2025, displaying stealthier techniques while maintaining the same fundamental goals.

From Detection Evasion to Dynamic Control

The 2025 version demonstrated remarkable advancement in evasion tactics and persistence mechanisms. Unlike earlier iterations, this variant employed two-second delays before proxy activation, likely designed to bypass sandbox-based analysis tools commonly used in security research.

The extension downloaded core proxy routing logic at runtime and executed it dynamically, preventing static code analysis from revealing the full attack chain.

The extension scanned for competing proxy tools and disabled them entirely, ensuring exclusive control over user traffic. It enumerated installed extensions and periodically hashed visited URLs, transmitting this profiling data to remote command-and-control servers.

The malware injected keepalive scripts into browser tabs to maintain persistence, preventing Chrome’s security mechanisms from unloading the malicious background worker.

History tampering through history.replaceState() erased forensic evidence of redirect operations, complicating investigation and remediation efforts.

The extension further modified proxy settings through remote PAC scripts, enabling attackers to redirect victims to phishing pages or advertisement farms without user interaction.

This approach allowed post-installation behavior modifications, bypassing Chrome Web Store review processes after the extension received approval.

These discoveries reveal critical security vulnerabilities in browser extension architecture. Extensions granted broad permissions lack adequate runtime oversight, transforming trusted tools into covert attack platforms.
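The permission set the article describes (proxy control, navigation interception, management of other extensions, script injection, and a loosened CSP that would let runtime-fetched code execute) can be triaged straight from an extension's manifest.json. The script below is an added example, not LayerX's tooling or code from the extensions; the two manifests it scores are constructed samples and the weights are this example's own heuristic.

```python
import json

# Permissions the campaign combined, with the capability each grants.
# Weights are this example's own heuristic, not a published scoring scheme.
RISKY_PERMISSIONS = {
    "proxy": ("rewrite proxy settings / load a remote PAC", 3),
    "management": ("enumerate and disable other extensions", 3),
    "webNavigation": ("observe every navigation event", 2),
    "scripting": ("inject scripts into tabs", 2),
    "webRequest": ("intercept network requests", 2),
    "tabs": ("read URLs of open tabs", 1),
    "history": ("read or rewrite browsing history", 1),
}

def assess_manifest(manifest: dict) -> dict:
    """Score one manifest.json and list the findings that drove the score."""
    perms = set(manifest.get("permissions", []))
    risky = sorted(perms & RISKY_PERMISSIONS.keys())
    findings = [f"{p}: {RISKY_PERMISSIONS[p][0]}" for p in risky]
    score = sum(RISKY_PERMISSIONS[p][1] for p in risky)
    # Proxy control plus navigation or peer-extension control is the
    # remote-controlled proxy pattern described in the article; escalate it.
    if "proxy" in perms and perms & {"webNavigation", "management"}:
        findings.append("combo: proxy + navigation/management control")
        score += 3
    # Host access to every site lets injected keepalive scripts reach any tab.
    hosts = set(manifest.get("host_permissions", [])) | perms  # MV2 puts hosts in permissions
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        findings.append("host access: all URLs")
        score += 2
    # Default CSP blocks eval/remote scripts; a relaxed one is a red flag for
    # runtime-fetched logic (MV2 uses a string, MV3 a dict keyed by context).
    csp = manifest.get("content_security_policy", {})
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp or "http" in csp:
        findings.append("csp: permits eval or remote script sources")
        score += 3
    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"name": manifest.get("name", "?"), "score": score,
            "verdict": verdict, "findings": findings}

# Constructed sample manifests (not real store listings).
SUSPECT = json.loads("""{"name": "Free Unlimited VPN (constructed)", "manifest_version": 2,
  "permissions": ["proxy", "webNavigation", "management", "scripting", "tabs", "storage", "<all_urls>"],
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"}""")
BENIGN = json.loads("""{"name": "Tab Notes (constructed)", "manifest_version": 3,
  "permissions": ["storage", "tabs"]}""")

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        print(json.dumps(assess_manifest(m), indent=2))
```

Run it against unpacked extension directories (Chrome keeps them under the profile's Extensions folder) to get a first-pass ranking; the verdict is a triage hint, not proof of malice.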

Users installing free VPN services face substantial risks, as operators can intercept all traffic, harvest credentials, and conduct targeted follow-up attacks while maintaining complete remote control over compromised browsers.
