Norton seems to identify this (scan.aitd.one) as a dangerous web page, but it’s VERY annoying that I can’t get rid of this message pop-up! My only ‘option’ is to “Report False Detection”, and I’ve tried that too, but it’s been over a week, and the message still pops up!
This may very well be a valid warning, but why can’t Norton either quietly block it, or honor the request to move it to a False Detection and thus not warn me EVERY TIME?
ps. I did run a complete scan of my PC, and after 2 days (network and USB drives take a lot of time to scan) it reported a couple minor things, but again, the message keeps popping up!
Hello @steve76063
Did you submit False Positive report here with an Alert ID?
Do you agree or disagree with Norton 360 Safe Web?
Do you want to add an Exclusion if you disagree with Norton?
========================================
Did you clear browser cookies n’ cache?
Do you run browser sync?
Did you recently install program / browser extension?
AI Overview
Based on cybersecurity research, scan.aitd.one is a malicious subdomain used by the spyware hidden within the legitimate-looking FreeVPN.One Chrome extension. The extension, which was once a legitimate tool, began secretly capturing screenshots and sensitive data from its more than 100,000 users after an update in 2025.
What it does
Malicious data exfiltration: The spyware in the FreeVPN.One extension was found to be continuously capturing screenshots of users’ browsing activity and transmitting them to a remote server.
Obfuscation of activity: The developers of the spyware switched to using the scan.aitd.one subdomain to help obscure their malicious tracks.
Cloaked as a feature: The extension included a fake “Scan with AI Threat Detection” feature that would upload full-page screenshots to a different aitd.one address. However, this was a smokescreen for the continuous and hidden background surveillance.
How to protect yourself
Remove the FreeVPN.One extension: If you have this extension installed in your Chrome browser, remove it immediately.
Use caution with browser extensions: Only install extensions from reputable developers and read reviews carefully. Check the requested permissions, as malicious extensions often request unnecessary access to all website data.
Monitor for suspicious network traffic: Pay attention to any unusual network activity or outgoing data transmissions.
403 Forbidden
This error code may mean the site was disabled by its hosting provider because of malware problems. The site also may be under maintenance at the moment and you should try scanning it later. Another possible reason is some parts of the website have restricted access and our scanner could not scan them.
scan.aitd.one resolves to IP address 104.21.60.72
This IP address has been reported a total of 4 times from 3 distinct sources. 104.21.60.72 was first reported on May 4th 2022, and the most recent report was 4 months ago.
Old Reports: The most recent abuse report for this IP address is from 4 months ago. It is possible that this IP is no longer involved in abusive activities.
Thanks for all the info…I did see that an ‘update’ to FreeVPN brought that URL into Chrome…I don’t use FreeVPN much if at all any more, so I’ve removed it from Chrome - we’ll see if that ‘fixes’ my issue.
I’ll read through the responses some more to try and figure out how it was found, and how I might turn up that information if/when it happens again!
