A "free VPN" browser extension sounds like an easy win. You add it in one click, and your traffic looks protected. But in May 2026, security researchers warned that some of these extensions were not protecting users at all. They were reading the clipboard and stealing what people copied. This guide explains what was found, why it matters, how to spot the risk, and what to do now. The facts here come from reports by CyberInsider, TechRadar, and other security outlets.
What researchers flagged
In May 2026, researchers urged users to remove two extensions right away, according to CyberInsider and TechRadar:
- "VPN Go: Free VPN" on Chrome.
- "Free VPN by VPN GO" on Firefox.
Both looked like normal free VPN tools. Inside, researchers spotted code that read the clipboard and sent the contents away in the background. If you have either one, remove it now.
How the clipboard theft worked
The method was simple but effective. According to the researchers, the code:
- Read the clipboard about twice per second (every 500 milliseconds).
- Skipped duplicates, so it only grabbed new text.
- Cut the copied text into chunks of about 1,000 characters.
- Sent those chunks to a background service worker for exfiltration.
Your clipboard holds more than you think. People copy and paste sensitive text all day. A reader that runs in the background can catch a lot of it.
Why the clipboard is a rich target
Think about what you copy on a normal day:
- Passwords pasted from a manager.
- MFA codes copied from a text or app.
- API keys and OAuth tokens.
- Cloud logins and admin credentials.
- Crypto wallet addresses and recovery phrases.
Any of these can be captured in the moment you copy them. A crypto recovery phrase alone can drain a wallet. That is why clipboard stealers are so valued by attackers.
An extension can do far more than read the clipboard
The clipboard is only one door. A browser extension can ask for wide access. Once you approve it, a malicious extension can:
- Log the passwords you type.
- Steal session cookies to hijack accounts you are logged into.
- Take screenshots of your screen.
- Track the sites you visit.
- Inject fake login forms into real pages.
- Redirect you to phishing sites.
The extension lives inside the browser. It sees what you see. That is a lot of power to hand to an unknown developer. If you are unsure whether a VPN is trustworthy at all, our guide on whether VPNs are safe walks through the honest answer.
This is not a small problem
The scale is real. According to researchers, malicious browser extensions affected more than 2.3 million people in 2025. And it is not only tiny unknown tools.
Urban VPN Proxy, which reported around 6 million installs, was caught collecting full transcripts of AI chat conversations, according to reporting on the case. A popular extension with millions of users still turned out to harvest data. Popularity is not proof of safety.
The most dangerous part: it turned bad after gaining trust
Here is the detail that makes this so hard to catch. According to the researchers, the clipboard theft was not present at launch. The code was added later, through an ordinary-looking update, after the extension had already earned user trust.
Most people never check what an update changes. So an extension can be clean for months, pass store review, collect good ratings, and then turn malicious in one silent update. A clean install today is no promise about tomorrow.
How to spot a risky "free VPN" extension
No single sign is proof, but these raise the risk:
- It is a VPN that is only a browser extension, with no real app.
- The developer is unknown or hard to identify.
- It asks for broad permissions it does not need.
- The privacy policy is vague, missing, or copied.
- It is free with no clear business model. Running a VPN costs money. If you are not paying, your data may be the product.
What to do right now
If you use one of the named extensions, or any doubtful free VPN extension, act in this order:
- Remove the extension. Delete it from Chrome or Firefox now.
- Change exposed passwords. Update any password you copied while it was installed. Start with email, banking, and crypto.
- Rotate keys and tokens. Replace any API keys, OAuth tokens, or recovery phrases you may have copied.
- Check your accounts. Sign out of all sessions where you can, and review recent logins.
- Switch to a reputable VPN. Choose a known provider with a clear no-logs policy and a real app, not an unknown extension-only tool.
For a wider look at protecting your data, see our roundup of privacy tools and our guide to public Wi-Fi risks.
The bottom line
Free VPN browser extensions can look harmless and still steal your most sensitive data. In May 2026, researchers found real examples reading the clipboard every half second, according to CyberInsider and TechRadar. The worst part is that the theft was added after the tool gained trust. So treat any free, extension-only VPN with care. Remove what you cannot verify, change what may be exposed, and choose a VPN you can actually trust.
Secure your connection with NordVPN
Threat Protection blocks trackers & malware · kill switch · 30-day money-back


