AnonymFlow
securite-reseauINFO

Free VPN Browser Extensions Caught Stealing Clipboard Data: What to Remove Now

In May 2026, researchers flagged free VPN browser extensions that read the clipboard to steal passwords and crypto keys. Here is what to remove, how to spot the risk, and what to do next.

By Eric Gerard · Editor · AnonymFlow5 min readPhoto: Unsplash

A "free VPN" browser extension sounds like an easy win. You add it in one click, and your traffic looks protected. But in May 2026, security researchers warned that some of these extensions were not protecting users at all. They were reading the clipboard and stealing what people copied. This guide explains what was found, why it matters, how to spot the risk, and what to do now. The facts here come from reports by CyberInsider, TechRadar, and other security outlets.

What researchers flagged

In May 2026, researchers urged users to remove two extensions right away, according to CyberInsider and TechRadar:

  • "VPN Go: Free VPN" on Chrome.
  • "Free VPN by VPN GO" on Firefox.

Both looked like normal free VPN tools. Inside, researchers spotted code that read the clipboard and sent the contents away in the background. If you have either one, remove it now.

How the clipboard theft worked

The method was simple but effective. According to the researchers, the code:

  • Read the clipboard about twice per second (every 500 milliseconds).
  • Skipped duplicates, so it only grabbed new text.
  • Cut the copied text into chunks of about 1,000 characters.
  • Sent those chunks to a background service worker for exfiltration.

Your clipboard holds more than you think. People copy and paste sensitive text all day. A reader that runs in the background can catch a lot of it.

A browser developer tools panel showing HTML markup and CSS styles being inspected
A browser developer tools panel showing HTML markup and CSS styles being inspected

Why the clipboard is a rich target

Think about what you copy on a normal day:

  • Passwords pasted from a manager.
  • MFA codes copied from a text or app.
  • API keys and OAuth tokens.
  • Cloud logins and admin credentials.
  • Crypto wallet addresses and recovery phrases.

Any of these can be captured in the moment you copy them. A crypto recovery phrase alone can drain a wallet. That is why clipboard stealers are so valued by attackers.

An extension can do far more than read the clipboard

The clipboard is only one door. A browser extension can ask for wide access. Once you approve it, a malicious extension can:

  • Log the passwords you type.
  • Steal session cookies to hijack accounts you are logged into.
  • Take screenshots of your screen.
  • Track the sites you visit.
  • Inject fake login forms into real pages.
  • Redirect you to phishing sites.

The extension lives inside the browser. It sees what you see. That is a lot of power to hand to an unknown developer. If you are unsure whether a VPN is trustworthy at all, our guide on whether VPNs are safe walks through the honest answer.

This is not a small problem

The scale is real. According to researchers, malicious browser extensions affected more than 2.3 million people in 2025. And it is not only tiny unknown tools.

Urban VPN Proxy, which reported around 6 million installs, was caught collecting full transcripts of AI chat conversations, according to reporting on the case. A popular extension with millions of users still turned out to harvest data. Popularity is not proof of safety.

The most dangerous part: it turned bad after gaining trust

Here is the detail that makes this so hard to catch. According to the researchers, the clipboard theft was not present at launch. The code was added later, through an ordinary-looking update, after the extension had already earned user trust.

Most people never check what an update changes. So an extension can be clean for months, pass store review, collect good ratings, and then turn malicious in one silent update. A clean install today is no promise about tomorrow.

How to spot a risky "free VPN" extension

No single sign is proof, but these raise the risk:

  • It is a VPN that is only a browser extension, with no real app.
  • The developer is unknown or hard to identify.
  • It asks for broad permissions it does not need.
  • The privacy policy is vague, missing, or copied.
  • It is free with no clear business model. Running a VPN costs money. If you are not paying, your data may be the product.

What to do right now

If you use one of the named extensions, or any doubtful free VPN extension, act in this order:

  1. Remove the extension. Delete it from Chrome or Firefox now.
  2. Change exposed passwords. Update any password you copied while it was installed. Start with email, banking, and crypto.
  3. Rotate keys and tokens. Replace any API keys, OAuth tokens, or recovery phrases you may have copied.
  4. Check your accounts. Sign out of all sessions where you can, and review recent logins.
  5. Switch to a reputable VPN. Choose a known provider with a clear no-logs policy and a real app, not an unknown extension-only tool.

For a wider look at protecting your data, see our roundup of privacy tools and our guide to public Wi-Fi risks.

The bottom line

Free VPN browser extensions can look harmless and still steal your most sensitive data. In May 2026, researchers found real examples reading the clipboard every half second, according to CyberInsider and TechRadar. The worst part is that the theft was added after the tool gained trust. So treat any free, extension-only VPN with care. Remove what you cannot verify, change what may be exposed, and choose a VPN you can actually trust.

Editorial pick
4.6 / 5

Secure your connection with NordVPN

Threat Protection blocks trackers & malware · kill switch · 30-day money-back

Deloitte audit 202430-day guarantee14M+ users
See the offer
Everything you need to know.

Frequently asked questions

Which free VPN extensions were caught stealing data?

In May 2026, security researchers told users to remove two extensions right away, according to reports from CyberInsider and TechRadar. The first is 'VPN Go: Free VPN' on Chrome. The second is 'Free VPN by VPN GO' on Firefox. Researchers found code inside them that read the clipboard and sent the contents away in the background. If you have either extension, the advice is to remove it now and treat any data you copied while it was installed as exposed. Do not assume a free VPN extension is safe just because it has a clean name or good reviews.

How did the clipboard stealer work?

According to the researchers, the malicious code read the clipboard about twice per second, every 500 milliseconds. It skipped duplicates, so it only captured new text. It then cut the copied text into chunks of roughly 1,000 characters and sent them to a background service worker. From there the data could be sent out to a remote server. This matters because people copy sensitive text all the time: passwords, MFA codes, API keys, OAuth tokens, cloud logins, crypto wallet addresses, and recovery phrases. A clipboard reader that runs all day can catch a lot of this.

Why is a browser extension so dangerous?

An extension can ask for wide access to your browser. Once you grant it, a malicious extension can do far more than read the clipboard. It can log the passwords you type, steal your session cookies to hijack logged-in accounts, take screenshots, track the sites you visit, inject fake login forms, and redirect you to phishing pages. The extension sits inside the browser, so it sees what you see. That is why a bad extension can be worse than a bad app on your phone.

How big is the malicious extension problem?

It is large. According to researchers, malicious browser extensions affected more than 2.3 million people in 2025. The scale is not limited to small unknown tools. Urban VPN Proxy, which reported around 6 million installs, was caught collecting full transcripts of AI chat conversations, according to reporting on the case. So even a popular extension with millions of users can turn out to harvest data. Popularity is not proof of safety.

Why didn't antivirus or the store catch it sooner?

The trick is timing. According to the researchers, the clipboard theft was not present when the extension first launched. The code was added later through an update that looked ordinary, after the extension had already earned user trust. Most people never review what an update changes. An extension can be clean for months, pass review, gather good ratings, and then turn malicious in a single silent update. That is what makes this pattern so hard to detect.

What should I use instead of a free VPN extension?

Be careful with any 'free' VPN, and be extra careful with a VPN that is only a browser extension. Running a VPN costs money, so a free service has to earn income somewhere, and your data is often the product. A safer path is a reputable VPN with a clear privacy policy, an audited no-logs claim, and a real app rather than only an extension. If you want a VPN mainly for the browser, pick one from a known provider that also offers a full app, not an unknown extension-only tool.