Free VPN browser extensions can be tempting when you want to bypass geo-restrictions or protect your privacy without paying for a subscription. But a new report suggests that two seemingly harmless VPN extensions on Chrome and Firefox have been doing the exact opposite.

Researchers at Socket’s Threat Research Team have uncovered two browser extensions posing as free VPN services that were secretly updated to steal users’ clipboard contents. Combined, the Chrome and Firefox add-ons had nearly 3,700 users at the time of the researchers’ analysis, putting thousands of people at risk.

The affected extensions are:

  • VPN Go: Free VPN for Google Chrome (146 users)
  • Free VPN by VPN GO for Mozilla Firefox (3,522 users)
Free-VPN-by-VPN-Go-for-Firefox

According to Socket, both extensions genuinely functioned as VPN/proxy tools, making them appear legitimate. However, later updates quietly introduced malicious code that continuously monitored users’ clipboards and transmitted copied data to servers controlled by the threat actors. That may not sound alarming at first, but consider how often you copy sensitive information throughout the day.

Passwords, one-time verification codes, cryptocurrency wallet addresses, recovery phrases, API keys, login links, cloud credentials, and even banking information are frequently copied and pasted rather than typed manually. If a malicious extension can read everything you copy, it may gain access to some of your most valuable digital secrets.

What makes the campaign particularly concerning is how it evolved. Socket found that the original Chrome extension, first published in December 2025, behaved like a normal VPN. The clipboard-stealing functionality wasn’t introduced until an update released in late May 2026. The Firefox extension followed a similar pattern, with earlier versions appearing clean before later updates added the malicious behavior.

In other words, users may have installed what looked like a legitimate VPN months earlier, only for it to become malicious after an automatic update.

To make matters worse, both extensions publicly claimed they did not collect user data. Their store listings and privacy policy promised privacy-focused browsing, while the underlying code was actively collecting clipboard contents and sending them to attacker-controlled servers.

Socket has since reported both extensions to Google and Mozilla for review and removal. But when I checked, only Google has removed the extension from the Chrome Web Store, but Mozilla hasn’t. In fact, the extension has gained more users on Firefox since Socket’s reporting, now standing at 3,522, up from the previously reported 3,499 users.

VPN-Go-for-Chrome-extensions-removed
Google has already removed VPN Go: Free VPN from the Chrome Web Store

If either extension is installed on your browser, I strongly recommend removing it immediately. More importantly, you should assume that any sensitive information copied while the extension was active may have been exposed. That includes passwords, passkeys, recovery codes, cryptocurrency seed phrases, API tokens, cloud credentials, and any other confidential data you may have copied.

As a precaution, it’s also worth changing passwords for important accounts, rotating API keys where applicable, and enabling multi-factor authentication if you haven’t already.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.

Hillary Keverenge
2684 Posts

Tech has been my playground for over a decade. While the Android journey began early, it truly took flight with the revolutionary Lollipop update. Since then, it's been a parade of Android devices (with a sprinkle of iOS), culminating in a mostly happy marriage with Google's smart home ecosystem. Expect insightful articles and explorations of the ever-evolving world of Android and Google products coupled with occasional rants on the Nest smart home ecosystem.