Security researchers at LayerX Security have uncovered a long-running campaign of malicious browser extensions pretending to be “Free Unlimited VPNs.” Over the years, these extensions collected over 9 million installs, giving attackers full control over user browsing traffic. Even after removal, a third extension quickly appeared in 2025, showing the persistence of this threat.
Free VPNs promise privacy, speed, and global access with a single click. For many users, they are an easy way to bypass restrictions or hide their IP addresses. But in this case, “free” came at a high cost: attackers gained complete visibility into browsing habits, installed extensions, and network traffic. I have already written a detailed guide explaining whether free VPNs are safe.
These extensions were not typical VPNs. They acted as remote-controlled proxy redirectors, meaning attackers could intercept, modify, or redirect every page you visited. They updated themselves dynamically using hidden configuration files and stayed hidden in the browser using advanced techniques:
- Remote PAC scripts: Controlled proxy settings to route traffic through attacker servers.
- Navigation interception: Captured every page visit using browser APIs.
- Dynamic rule updates: Modified routing and filtering on the fly.
- Persistence mechanisms: Keepalive scripts ensured the malicious extension stayed active.
- Disabling other extensions: Removed competing VPNs or security tools to maintain control.
- Exfiltration: Sent hashed URLs, extension lists, and other metadata to remote servers.
The newer 2025 version added stealth improvements like delayed proxy activation to avoid detection and even more dynamic control over the victim’s browser.
Read: Why You Should Avoid Random Free VPN Apps
If installed, these malicious VPNs could perform the following things:
- Monitor every site you visit.
- Steal login credentials, session cookies, and personal data.
- Redirect you to phishing pages or unwanted ads.
- Maintain control even after removal attempts.
This shows that free VPNs with broad permissions are extremely risky. What looks like a simple privacy tool can quickly turn into a long-term surveillance system.
The campaign has bounced back like a roly-poly toy. Past extensions had millions of installs. It means 9 million collective installs before removal in May 2025, and 31,000 active installs currently. Other variants included malicious ad-blockers and music downloaders, showing that attackers adapt quickly.
Also see:
If you want to keep yourself safe, you need to uninstall suspicious extensions immediately. Check against known IOCs like: fgpecemjbefkjlcgnhjohdonijdkfooj and others listed in security reports. You should also clear browser data and rotate passwords for accounts used during the extension’s activity.
You should also start using a trusted paid VPN instead of free alternatives. Paid VPNs provide true encryption, no hidden tracking, and reliable customer support. Some recommended options include NordVPN, ExpressVPN, and Surfshark, which are audited, fast, and secure.
