Fixxx

The service pretended to be a helper for a long time and waited for the right moment to attack. Browser extensions increasingly request more permissions, but in the case of a free VPN, users didn’t get privacy protection - they got a hidden channel used to steal clipboard-copied data. Socket researchers discovered two VPN Go-branded extensions that were distributed via the Chrome Web Store and the Firefox add-ons catalog and posed as free VPN services. At the time of analysis, the Chrome extension had 146 users and the Firefox version had 3,499 users. Both products showed typical proxy features and allowed users to select VPN locations, making the broad network permissions look plausible. The malicious component ran in parallel and monitored the clipboard buffer.
The scheme evolved through updates. The first Chrome version examined behaved like a normal proxy extension. On May 31, 2026, version 1.1 added clipboard-reading code. In Firefox, malicious logic was first found in version 1.3.3. Later versions kept stealing data, but changed their infrastructure. The mechanism was simple and dangerous. The extension regularly read the copied text, skipped duplicates, split new data into chunks of roughly 1k characters and sent those chunks to hard-coded HTTP endpoints. In Chrome, checks ran every 0.5 seconds via a script on all sites; in Firefox, similar logic ran from a background script about every 1.5 seconds.
This approach doesn’t require directly hacking the system. Users themselves copy sensitive information (passwords, multi-factor authentication codes, API keys, tokens, seed phrases or cryptocurrency wallet addresses) and the extension gets access to that data through the clipboard-read permission. For a real VPN, clipboard access isn’t needed, nor is the constant sending of text fragments over HTTP. Socket reported the findings to Google and Mozilla for investigation and removal. Users are advised to uninstall VPN Go from Firefox if it was installed. Any secrets copied while the extension was active should be treated as compromised and replaced. Organizations should review installed extensions, especially permissions like clipboardRead, proxy, tabs, webRequest and access to all sites, and also look for outbound HTTP requests to the identified addresses with parameters such as uid, part, total and data.
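The review recommended above, sketched as an added example (not code from Socket or from this post): it flags extension manifests that pair clipboardRead with proxy or all-site access, and counts plain-HTTP requests whose query carries uid, part, total and data. The proxy log line format, the assumption that the parameters travel in the query string, and all sample values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

RISKY = {"clipboardRead", "proxy", "tabs", "webRequest"}   # permissions named in the post
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
EXFIL_PARAMS = {"uid", "part", "total", "data"}            # parameter names from the post

def audit_manifest(manifest):
    """Report risky permissions and all-site access declared in a parsed manifest.json."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared |= {p for p in manifest.get(key, []) if isinstance(p, str)}
    for script in manifest.get("content_scripts", []):
        declared |= set(script.get("matches", []))
    risky = sorted(declared & RISKY)
    all_sites = bool(declared & ALL_SITES)
    # Clipboard access combined with proxy control or all-site reach is the pattern described.
    flagged = "clipboardRead" in risky and ("proxy" in risky or all_sites)
    return {"name": manifest.get("name"), "risky": risky, "all_sites": all_sites, "flagged": flagged}

def is_chunked_upload(url):
    """True for a plain-HTTP URL whose query carries uid, part, total and data."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.scheme.lower() != "http" or not EXFIL_PARAMS.issubset(query):
        return False
    return query["part"][0].isdigit() and query["total"][0].isdigit()

def scan_proxy_log(lines):
    """Return {client: hit count}; assumed line format: 'time client METHOD url'."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and is_chunked_upload(fields[3]):
            hits[fields[1]] = hits.get(fields[1], 0) + 1
    return hits

# Constructed sample data (not taken from the report); hosts use the reserved .example TLD.
SAMPLE_MANIFEST = {"name": "Sample VPN", "permissions": ["proxy", "storage", "clipboardRead"],
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}
SAMPLE_LOG = [
    "2026-06-01T10:00:00Z 10.0.0.5 GET http://collector.example/c?uid=ab12&part=1&total=2&data=aGVsbG8",
    "2026-06-01T10:00:01Z 10.0.0.5 GET http://collector.example/c?uid=ab12&part=2&total=2&data=d29ybGQ",
    "2026-06-01T10:00:02Z 10.0.0.7 GET https://shop.example/cart?uid=9&page=2",
    "2026-06-01T10:00:03Z 10.0.0.7 GET http://news.example/list?part=3&total=9",
]

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST), scan_proxy_log(SAMPLE_LOG))
```

A hit on the parameter pattern alone is a lead, not a verdict; correlate the flagged client with its installed-extension inventory before acting.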