Yesterday — 1 July 2026 · Tech

That free VPN Chrome and Firefox extension may be reading your clipboard every half a second, researchers warn

  • Researchers found "VPN Go" extensions for Chrome and Firefox secretly harvesting copied text
  • The clipboard theft was not there at launch and arrived through a later update
  • Anything copied while the extension was active should now be treated as exposed

Security researchers at Socket found that two browser extensions distributed under the "VPN Go: Free VPN" branding, one listed on the Chrome Web Store and one on Firefox Add-ons, secretly harvest copied text.

Both present themselves as free VPN tools with working proxy features. Underneath, Socket says, both also run a clipboard stealer that continuously watches copied text and sends it to infrastructure controlled by the attacker.

According to Socket, the clipboard theft was not present when the extensions first appeared. It was added later, through an ordinary-looking update, after the extensions had already built up a base of trusting users. That staged approach is exactly what makes this kind of threat so hard to spot, and why even a fairly cautious user can end up exposed.

For anyone weighing up a no-cost privacy tool, it is worth knowing that not every free option behaves like this, and the best VPN services are tested precisely so you do not have to take this kind of gamble. But this case shows how thin the line can be between a useful free extension and a data-harvesting one.

What Socket's research uncovered

Socket says the earliest analyzed builds behaved like ordinary proxy extensions, with no confirmed clipboard theft.

On Chrome, that changed with version 1.1, when the extension added a script that reads the clipboard and ships those chunks off to a hardcoded address. The Firefox version followed the same path slightly later, moving the same theft loop into its background script.

Once active, the monitoring is relentless. The Chrome content script checks the clipboard roughly every half a second, according to Socket's analysis, while the Firefox build polls every 1.5 seconds.

Each newly copied value is tagged with a session identifier so it can be reassembled on the other end, then sent out over plain HTTP. All of this was happening while the two apps' privacy policies stated that the tools did not collect, store, or share user data and did not keep activity logs.
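A change that arrives in a later update, as described above, can be surfaced by comparing each new version's manifest.json with the previous one. This is an added example, not code from Socket or from the extensions; both manifests are constructed, and it assumes the new behaviour appears as a manifest change (a new permission or script entry), which an edit confined to an existing script file would not.

```javascript
// Permissions and patterns worth a manual look when an update first requests them.
const SENSITIVE = new Set(["clipboardRead", "<all_urls>", "webRequest", "cookies", "tabs"]);

// Normalise the parts of a manifest (MV2 or MV3) that decide what code runs
// and what it may touch.
function surface(manifest) {
  const bg = manifest.background || {};
  return {
    permissions: new Set([
      ...(manifest.permissions || []),
      ...(manifest.host_permissions || []), // MV3 host patterns
    ]),
    backgroundScripts: new Set([
      ...(bg.scripts || []), // MV2 / Firefox background pages
      ...(bg.service_worker ? [bg.service_worker] : []), // MV3
    ]),
    // One entry per (script file, match pattern) pair.
    contentScripts: new Set(
      (manifest.content_scripts || []).flatMap((cs) =>
        (cs.js || []).flatMap((file) => (cs.matches || []).map((m) => `${file} @ ${m}`))
      )
    ),
  };
}

const added = (before, after) => [...after].filter((x) => !before.has(x)).sort();

function diffManifests(oldManifest, newManifest) {
  const a = surface(oldManifest);
  const b = surface(newManifest);
  const report = {
    from: oldManifest.version,
    to: newManifest.version,
    addedPermissions: added(a.permissions, b.permissions),
    addedBackgroundScripts: added(a.backgroundScripts, b.backgroundScripts),
    addedContentScripts: added(a.contentScripts, b.contentScripts),
  };
  report.sensitive = report.addedPermissions.filter((p) => SENSITIVE.has(p));
  // A content script newly injected into every page has the widest reach.
  report.broadContentScripts = report.addedContentScripts.filter((e) =>
    /@ (<all_urls>|\*:\/\/\*\/\*)$/.test(e)
  );
  report.needsReview =
    report.sensitive.length > 0 ||
    report.broadContentScripts.length > 0 ||
    report.addedBackgroundScripts.length > 0;
  return report;
}

// CONSTRUCTED samples (not the real VPN Go manifests): a proxy-only 1.0 and
// a 1.1 that adds a clipboard permission and an all-pages content script.
const v1_0 = {
  manifest_version: 3, version: "1.0",
  permissions: ["proxy", "storage"],
  background: { service_worker: "background.js" },
};
const v1_1 = {
  manifest_version: 3, version: "1.1",
  permissions: ["proxy", "storage", "clipboardRead"],
  background: { service_worker: "background.js" },
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

console.log(JSON.stringify(diffManifests(v1_0, v1_1), null, 2));
```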

TechRadar has reached out to VPN Go for comment, but both email addresses bounced, and both extensions have since been pulled from their stores.

Why clipboard stealers are dangerous for users

The reason clipboard theft is so effective is that it abuses something completely routine. People copy and paste sensitive information all day, and it's not careless to do so. Password managers rely on exactly that: copying long, unique passwords into your accounts.

An extension that can silently read the clipboard has access to all of this information; it just has to wait for you to copy the right thing. If you have used either of the two extensions in question, you should treat any information you've copied during that time as exposed.

Researchers have repeatedly found free VPN extensions doing things their users never agreed to. Recent reporting has covered a free Chrome VPN extension caught taking screenshots of every page its users visited, and a malicious free VPN extension that resurfaced after being removed, returning in a more evasive form.

The pattern is consistent enough that it is worth treating any unknown free VPN extension with caution by default. That caution matters: TechRadar's own polling found that nearly 1 in 4 readers use free VPNs despite knowing the risks.

How to stay safe

If you want the protection a VPN offers without rolling the dice, stick to providers with a track record and independent testing behind them.

A reputable paid service, or one of the carefully vetted best free VPN options, is a far safer bet than an unknown extension promising unlimited access for nothing. As the saying goes, when the product is free, there is a decent chance that you are the product.

This new tool can let you ask Claude if that 'too good to be true' online offer is actually a scam

  • Norton's scam detection tools are now available in Claude and ChatGPT
  • Users can ask their preferred AI chatbot about the legitimacy of an email, text, website
  • Most threats consumers face now come from scams, phishing and fake ads

Claude is the latest AI assistant to get access to Norton's Genie scam detection tool, following its availability for ChatGPT customers earlier this year.

Available across all Claude subscription tiers, Genie gives users access to scam detection capabilities and other cyber safety tips and advice.

Norton says its tool can analyze suspicious emails, texts, messages, images and links using its "multi-layered" detection intelligence.

Norton scam detection now available in Claude, ChatGPT

"AI assistants are becoming part of how people make decisions and evaluate information online," Head of Products and Portfolios Travis Witteveen noted, hinting that the increased prevalence of AI assistants.

"By bringing Norton Genie into even more AI platforms like Claude and ChatGPT, we’re making trusted Cyber Safety intelligence available directly in those moments to help people make more confident decisions in real time."

The company explained that Genie looks for language patterns, social engineering tactics, urgency cues, impersonation attempts, and requests for sensitive information. It also checks URLs and analyzes domains to confirm whether a user should click on the link.

When the tool launched for ChatGPT in March 2026, Norton described it as the "world's first AI-powered scam detector." Users can start conversations by tagging @Norton and asking questions like whether an email looks legit or if an online offer looks like a scam.

The company's own reporting reveals that nine in 10 threats targeting people in 2025 came from scams, phishing and fake advertisements.

So far, Norton looks to be the only security company offering direct AI chatbot integration to provide accurate insights into threat detection.

US Secret Service personnel are putting the lives of America’s VIPs at risk by refusing to use government-issued phones — but they might not be up to the job in the first place

  • US Secret Service personnel are using personal devices while conducting official business
  • Personal devices are not secured against the threats faced by Secret Service members
  • But government-issued devices aren't equipped for the needs of Secret Service members either

The Department of Homeland Security inspector general has released a new report which claims the US Secret Service is refusing to use government-furnished equipment (GFE), such as smartphones, because they are not suitable for mission operations.

The report states GFE fails to “ensure real-time, continuous protection from cyberattacks by foreign adversaries or individuals,” and the equipment was found to contain multiple third-party apps with security vulnerabilities that could expose communications.

In order to be able to perform effectively, Secret Service members are using personal devices to communicate with law enforcement and each other during missions, but many personal devices are not secured against the threats faced during the protection of America’s VIPs.

US government struggles to secure issued phones

But using personal devices in professional operations is also highly insecure. These devices often contain the whereabouts of Secret Service personnel and the targets they are protecting during missions at home and abroad.

Furthermore, the devices only have the consumer level of cyber protections. As they are not managed or operated by the US government, there is very little protection against commercially available spyware or malware.

In some cases, personnel used their personal devices as a hotspot for their GFE, or used their personal devices to access websites otherwise blocked on their GFE.

The report explains: “If a personal device is jailbroken, infected with malicious code, or not up to date on security software, an adversary could intercept device communication. Outdated and vulnerable apps could enable malicious actors to conduct surveillance, track locations, or record employees’ communications. Connecting to unsecured networks may also allow cybercriminals to access data or install malware.”

The main culprit behind Secret Service personnel choosing not to use GFEs was found to be the Secret Service’s Office of the Chief Information Officer (OCIO). According to the report, “GFE mobile devices lacked mission-critical capabilities because Secret Service OCIO’s process for assessing and approving requests did not always correctly identify operational needs.”

Additionally, the expected protocol for most Secret Service members was to use personal devices, so many avoided navigating the bureaucracy of requesting access to communications apps on their GFE. That in turn created a blind spot for the OCIO, which was not aware these apps were already being used at such a scale.

The report further found that no Secret Service GFE was equipped with Mobile Threat Defense software until August 2025, leaving them exposed to “malicious software, cyberattacks, and other vulnerabilities.” Critical data was also retained on GFE devices after operatives returned from missions abroad, despite policy stating that devices should be wiped within 24 hours of returning to the US.

Ultimately, the report makes five key recommendations to the Secret Service in order to improve the security of its operators:

  • Introduce a formal policy that ensures all GFE are issued with the required capabilities and software for each mission
  • Ensure all employees complete the required cybersecurity training
  • Ensure the Secret Service OCIO clearly communicates its guidance that personal devices are forbidden from use during official business
  • Ensure controls are implemented to wipe devices in line with OCIO policy for returning personnel
  • Subject all GFE mobile app code to an updated vulnerability testing policy

Before yesterday · Tech

Microsoft takes down over 100 malicious Edge extensions hiding malware in images and fonts

  • 119 malicious Edge extensions flew under the radar
  • They installed harmful code days after extension installation
  • It's proof that static code review is no longer sufficient

Microsoft says it has taken down 119 malicious extensions from the Edge Add-ons store after "proactive threat hunting" revealed a campaign that's been dubbed StegoAd.

As part of the program, the company also had to suspend more than 90 developer accounts associated with the dodgy activity.

The campaign is believed to have been active since at least 2021, and the malicious browser extensions are believed to have been downloaded a total of 2.6 million times.

Microsoft removes 119 'StegoAd' malicious extensions

The campaign was so broad that the extensions didn't just occupy one category: ad blockers, VPNs, video downloaders, translators and utility tools like PDF exporters were all ploys for the malicious extensions.

This particular campaign got its name from the type of tactic used – steganography is the name given to hiding malicious code inside seemingly harmless files. PNG images, SVG graphics and font files had hidden JavaScript embedded inside to bypass traditional antivirus tools and web filtering.
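The article says JavaScript was hidden inside PNG, SVG and font files but not where in each file. This added example (not Microsoft's tooling) checks PNG assets for two well-known carrier locations, bytes stored after the IEND chunk and chunk types outside the PNG specification; the sample buffers are constructed, and `scanPng` is a hypothetical helper name.

```javascript
// Structural check of a PNG asset shipped inside an extension package.
// Walks the chunk list; CRCs are not verified.
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const STANDARD_CHUNKS = new Set([
  "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "gAMA", "cHRM", "sRGB", "iCCP",
  "sBIT", "bKGD", "hIST", "pHYs", "sPLT", "tIME", "tEXt", "zTXt", "iTXt", "eXIf",
]);

// Share of bytes that are printable ASCII or whitespace; script text scores near 1.
function printableRatio(buf) {
  if (buf.length === 0) return 0;
  let n = 0;
  for (const b of buf) {
    if ((b >= 0x20 && b < 0x7f) || b === 0x09 || b === 0x0a || b === 0x0d) n++;
  }
  return n / buf.length;
}

function scanPng(buf) {
  const result = {
    isPng: false, chunks: [], unknownChunks: [], truncated: false,
    trailingBytes: 0, trailingLooksLikeText: false, suspicious: false,
  };
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIGNATURE)) return result;
  result.isPng = true;

  let offset = 8;
  let sawIend = false;
  while (offset + 12 <= buf.length) { // 4 length + 4 type + 4 CRC
    const length = buf.readUInt32BE(offset);
    const type = buf.toString("latin1", offset + 4, offset + 8);
    const next = offset + 12 + length;
    if (next > buf.length) break; // declared length runs past end of file
    result.chunks.push(type);
    if (!STANDARD_CHUNKS.has(type)) result.unknownChunks.push({ type, length });
    offset = next;
    if (type === "IEND") { sawIend = true; break; }
  }
  result.truncated = !sawIend;

  if (sawIend) {
    // A decoder stops at IEND, so anything after it never affects the image.
    const trailing = buf.subarray(offset);
    result.trailingBytes = trailing.length;
    result.trailingLooksLikeText = printableRatio(trailing) > 0.9;
  }
  result.suspicious = result.trailingBytes > 0 || result.unknownChunks.length > 0;
  return result;
}

// CONSTRUCTED samples. CRC fields are zeroed placeholders.
function chunk(type, data = Buffer.alloc(0)) {
  const head = Buffer.alloc(8);
  head.writeUInt32BE(data.length, 0);
  head.write(type, 4, "latin1");
  return Buffer.concat([head, data, Buffer.alloc(4)]);
}
const cleanPng = Buffer.concat([
  PNG_SIGNATURE, chunk("IHDR", Buffer.alloc(13)), chunk("IDAT", Buffer.alloc(16)), chunk("IEND"),
]);
const paddedPng = Buffer.concat([
  cleanPng, Buffer.from("/* constructed marker text, not a real payload */"),
]);

console.log(scanPng(cleanPng).suspicious, scanPng(paddedPng));
```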

Once installed, Microsoft says they remained dormant for three to five days to avoid detection before going on to steal browser credentials, redirect users to malicious websites, manipulate affiliate links for financial gain, download additional malicious code and even communicate with C2 servers for updated instructions.

"The StegoAd campaign demonstrates that browser extensions remain a potent and evolving attack surface," Microsoft wrote, admitting that even its own safeguards had missed these dodgy extensions.

The report also concludes that static code review alone is no longer sufficient, because extensions and other installations can download malicious code long after they were first installed.

For developers themselves, Microsoft recommends being as clear as possible by not obscuring code, requesting only the necessary permissions to build trust, and reporting any suspected impersonation.

Nearly 400 illegal World Cup 2026 streaming sites taken offline by US DOJ

  • US DOJ has seized nearly 400 domains
  • The sites were being used to illegally stream World Cup games
  • Users of the sites were exposed to malware, data theft, and other threats

Almost 400 domains have been seized as part of Operation Offsides - a coordinated global effort to take down sites illegally streaming the FIFA World Cup 2026.

The sites were seized by the US Justice Department's Criminal Division for violating copyright and intellectual property law.

The takedowns were coordinated by members of the International Computer Hacking and Intellectual Property (ICHIP) network.

US and friends enforce the offside rule

Many of the seized domains now display a banner explaining that the website was seized as part of Operation Offsides. “This action was taken to protect consumers and enforce intellectual property rights worldwide,” the banner states.

Back in May 2026, the FBI warned that thousands of domains were being registered ahead of the World Cup, with most set up with the intention to scam fans looking for cheap tickets, access to streaming services, or discounted merchandise. It appears that Operation Offsides was focused on disrupting streaming sites in particular, rather than taking down the wider scam networks associated with these domains.

“We have seized hundreds of domains, used to illegally stream World Cup matches for profit, to disrupt the international networks that profit from the global popularity of the World Cup,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division.

“This operation illustrates the Department’s respect for intellectual property rights and the responsibility of the United States as a host nation to protect the FIFA World Cup from criminals. The Criminal Division will continue to disrupt and, where appropriate, seek to prosecute these sites and the subjects responsible for this criminal activity.”

In many cases, the networks of fake domains offering cheap or free access to streaming services are run by cybercriminals deliberately operating at a loss in order to attract users to their services. In return for accessing the streaming site, the domain will use the user’s local network as an exit node for the cybercriminal network, obscuring their traffic and making it appear legitimate.

Unfortunately for the user, who may think they have just found free access to every World Cup game, their network and IP address could be used to distribute malware, cybercriminal communications, and illegal content such as stolen data and exploitative materials - including child sex abuse material.

FBI warns of Russian Intelligence phishing campaign abusing Signal support services to target VIPs and high-value government and military targets — this is how to secure your account

  • Russian Intelligence are targeting Signal accounts of officials based in Ukraine
  • They pose as Signal support services and ask users to submit their Backup Recovery Keys
  • Using these keys, the hackers can hijack the user's account and any other accounts created using the same mobile phone number

The FBI has warned Russian Intelligence Services are posing as commercial messaging application support services in order to steal Backup Recovery Keys belonging to targets of high value in the military and government of the US, Europe, and Ukraine.

In a joint warning alongside the CISA and the Security Service of Ukraine (SSU), the FBI outlined the new phishing campaign which seeks to access messaging accounts in order to perform intelligence gathering of secret information.

Specifically, the FBI provided sample phishing lures targeting users of the Signal messaging app. If the hackers successfully lure a victim into sharing their Backup Recovery Key, they can access the account's message history, private and group messages, and fully take over the victim's account.

Russian Intelligence pose as Signal support services

In the FBI warning, the phishing techniques are further detailed. The Russian Federal Security Service (FSB) are targeting government officials, military personnel, political figures, journalists, and key officials from the US and Europe located in Ukraine.

The attackers send emails that appear to be automated messages from Signal, asking users to turn on their message backup using their Backup Recovery Key. Victims are provided with false instructions that instead send the Backup Recovery Key to the attacker, who can then use the key to take over the victim’s account.

In order to establish urgency and trust that the message is legitimate, the attackers posed the phishing message as a protection against recent hacking attempts from “Iran and post-Soviet countries.” In another sample message, the attacker's message says that the victim’s account data “is at risk of permanent loss due to a sync issue.”

If a victim shares their unique Backup Recovery Key, it allows the attacker to hijack their current Signal account alongside any subsequent accounts made with the same phone number.

Users who fear their Backup Recovery Key has been compromised are instructed to use Signal settings to create a new Backup Recovery Key. This new key will invalidate all previous Backup Recovery Keys and prevent account takeover if the previous key was leaked.

In order to avoid falling victim to phishing messages, there are several ways to stay safe:

  • Support services will generally only communicate with users via an official company email address. Always carefully check that communications come from the legitimate email address.
  • Customer support will never request that you supply your Backup Recovery Key via the application
  • You will never be asked to verify or restore your account via an automated customer support message

In order to further protect your Signal account, or other accounts, against phishing, users should consider the following:

  • Use a passkey wherever possible. This will use your device’s built in biometric verification methods to authenticate your login.
  • Use phishing resistant multi-factor authentication where possible
  • Always double check messages and emails are legitimate, and are using an official company email
  • Never supply your Backup Recovery Keys unless you are actively attempting to regain access to your account via a legitimate service

Over 14 million login credentials leaked from six ISPs in major data breach — here’s what we know

  • Tens of millions of credentials may have been leaked following an attack on one of Japan's largest ISPs
  • The attack leveraged a vulnerability in a third-party software used by KDDI
  • Five other ISPs were also affected in the attack

A data breach that has potentially exposed the email and password combinations for over 14 million customers across six internet service providers (ISPs) has been disclosed by Japanese telecoms provider KDDI Corporation.

According to the company, hackers exploited a vulnerability in a third-party software to access the database of credentials. KDDI said that it immediately blocked the hackers' access after discovering the intrusion on June 17, 2026.

“Although technical defensive measures have already been implemented for the system, there remains a possibility that customers' email addresses and passwords were obtained by unauthorized third parties as a result of the incident,” the company said in a statement.

Millions of credentials exposed

Unfortunately, the breach was not confined to just KDDI. The email services of five other ISPs were also affected by the breach:

  • STNet, Inc.
  • JCOM Co., Ltd.
  • Chubu Telecommunications Co., Inc.
  • NIFTY Corporation
  • BIGLOBE Inc.

KDDI is yet to finish a formal investigation into the attack, but said that the hacker may have gained access to the email addresses and passwords for 14.22 million current and former customers. The company also said that some of the passwords were stored in an encrypted format, and so will be inaccessible to the hackers, but the company did not say how many were stored in this manner.

Since discovering the breach, KDDI has also been working alongside the affected ISPs to secure systems and put in place mitigation measures to counter the abuse of exposed account credentials.

In order to stay protected, customers have been advised to change their account passwords and implement two-factor authentication.

Breaches such as these are particularly dangerous because they expose email and password combinations. As most people will have either one or two email addresses across their accounts, it increases the likelihood that hackers can attempt to use the exposed email and password combinations to try and access other accounts created with the same email.

This is especially true if the same password (or a variant thereof) is used across multiple accounts. Hackers can use brute force techniques to try hundreds of password combinations in a very short amount of time in order to crack weak or reused passwords.

When creating or updating a password for any account, no matter how infrequently it is used, always create a strong unique password. Password managers can create and suggest strong passwords, securely store them, and automatically fill login forms to take the hassle out of remembering passwords.

Alternatively, some services offer the ability to log in using a passkey, which utilizes the built-in biometric authentication mechanisms of your device such as a facial scan or fingerprint. These login methods not only remove the need to type in passwords, but also reduce the possibility of hackers accessing your account through phishing attacks.

Via BleepingComputer
