Home > VPN > VPN News

Malicious Chrome Extensions Steal User Data Through Fake Free VPN Tools

Published on November 21, 2025
Written by:
Rachita Jain
Rachita Jain
VPN Staff Editor
Malicious Chrome Extensions Steal User Data Through Fake Free VPN Tools
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google

Security researchers at LayerX Security have uncovered a long-running malicious campaign involving fake VPN and ad-blocking browser extensions that secretly intercept user traffic and steal browsing data. Despite multiple takedowns, the operators behind these extensions continue to revive the campaign with new versions designed to avoid detection.

According to LayerX, the latest wave of malicious extensions currently has more than 31,000 active installations, while earlier versions accumulated over 9 million installs on the Chrome Web Store.

The findings highlight the growing risk posed by browser extensions and how easily threat actors can exploit user trust, especially when promoting “free” privacy tools.

Six Years of Activity Behind a Polished Front

Researchers found that three fake Free VPN Chrome Extensions claiming to be “Free Unlimited VPN” services remained on the Chrome Web Store for nearly six years before they were identified as malicious.

These extensions used professional branding, convincing descriptions, and well-designed icons to appear legitimate. However, underneath, they contained hidden surveillance code capable of collecting user activity.

Extension Metadata by Layerx
Credit: LayerX

Two of the VPN extensions were removed in May 2025, but only two months later, a third extension, with almost identical visuals, descriptions, and internal behavior, returned to the store. As of now, this version remains available.

More Than Fake VPNs: Remote-Controlled Traffic Redirectors

LayerX researchers say these weren’t typical VPN tools. Instead, they acted as remote-controlled proxy redirectors, giving attackers control over the victim’s browsing activity.

The extensions downloaded hidden configuration files from attacker-controlled servers and modified browser proxy settings in real time. They also monitored navigation events, allowing them to intercept and redirect traffic as users browsed.

The 2025 version was even more advanced. Among its stealth features:

With these capabilities, attackers could intercept every page a user visited, collect full browsing histories, gather lists of installed extensions, and route traffic through malicious servers.

Privacy Breach and Ongoing Threats

The malicious extensions regularly collected hashed URLs from users’ browsing sessions and uploaded them to command-and-control servers for profiling. They also scanned installed extensions and intercepted navigation requests to enable targeted phishing, forced redirects, and potential malware downloads.

The campaign used advanced evasion tactics, including:

Researchers have identified six more extensions connected to the same threat actors, disguised as ad blockers and music downloaders. This indicates the operation is significantly larger than it first appeared.

What Users and Organizations Should Do

The repeated cycle of takedowns and reappearances shows that reactive measures alone are not enough to stop malicious extensions.

Experts recommend:

LayerX’s discovery of these fake free VPN Chrome Extensions serves as another reminder that browser extensions, often trusted without a second thought, can become powerful surveillance tools in the wrong hands.

Add a Comment
Related
Proton VPN server expansion reaches five new countries
Proton VPN Expands Server Network to Five New Countries Following User Demand
Russia VPN Crackdown Plans Expand Internet Control Measures
Russia VPN Crackdown Plans Expand Internet Control Measures
IPVanish Introduces Threat Protection Pro for Always-On Device Security
IPVanish Introduces Threat Protection Pro for Always-On Device Security
ExpressVPN Introduces ExpressAI, a Privacy-Focused AI Platform
ExpressVPN Introduces ExpressAI, a Privacy-Focused AI Platform
ExpressVPN Expands Beyond VPN with New All-in-One Security Suite
ExpressVPN Expands Beyond VPN with New All-in-One Security Suite
Mullvad Browser Alpha Update Adopts Rapid Release Model
Mullvad Browser Alpha Update Adopts Rapid Release Model
Most Popular
Drift Hack Exposes $28.5 Million DPRK Social Engineering Campaign Initiated Six Months Ago
Germany Reveals the Name of Alleged REvil Ransomware, GandCrab Leader Daniil Maksimovich Shchukin (UNKN)
Traffic Violation Scams Targeting US Residents Adopt QR Code Phishing Tactics
Cyber Job Moves: Leadership Updates for Cybersecurity, AI, and Enterprise Security
Weekly Cybersecurity News: Increased Focus on Supply Chain And Credentials To Expand Access
Former Employee Pleads Guilty to Insider Hacking and Extortion of US Industrial Company
Drift Hack Exposes $28.5 Million DPRK Social Engineering Campaign Initiated Six Months Ago
Germany Reveals the Name of Alleged REvil Ransomware, GandCrab Leader Daniil Maksimovich Shchukin (UNKN)
Traffic Violation Scams Targeting US Residents Adopt QR Code Phishing Tactics
Cyber Job Moves: Leadership Updates for Cybersecurity, AI, and Enterprise Security
Weekly Cybersecurity News: Increased Focus on Supply Chain And Credentials To Expand Access
Former Employee Pleads Guilty to Insider Hacking and Extortion of US Industrial Company

Most Popular
Drift Hack Exposes $28.5 Million DPRK Social Engineering Campaign Initiated Six Months Ago
Germany Reveals the Name of Alleged REvil Ransomware, GandCrab Leader Daniil Maksimovich Shchukin (UNKN)
Traffic Violation Scams Targeting US Residents Adopt QR Code Phishing Tactics
Cyber Job Moves: Leadership Updates for Cybersecurity, AI, and Enterprise Security
Weekly Cybersecurity News: Increased Focus on Supply Chain And Credentials To Expand Access
Former Employee Pleads Guilty to Insider Hacking and Extortion of US Industrial Company
Drift Hack Exposes $28.5 Million DPRK Social Engineering Campaign Initiated Six Months Ago
Germany Reveals the Name of Alleged REvil Ransomware, GandCrab Leader Daniil Maksimovich Shchukin (UNKN)
Traffic Violation Scams Targeting US Residents Adopt QR Code Phishing Tactics
Cyber Job Moves: Leadership Updates for Cybersecurity, AI, and Enterprise Security
Weekly Cybersecurity News: Increased Focus on Supply Chain And Credentials To Expand Access
Former Employee Pleads Guilty to Insider Hacking and Extortion of US Industrial Company

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: