"VPNs are expensive, I'll just use a free one" — that decision might be handing your data to advertisers, data brokers, or criminals.
Some free VPNs monetize by selling user data, reselling bandwidth, or bundling malware. This article examines the risks with real incidents and numbers, then shows you how to choose safely. If you're not sure what a VPN actually does, read "What Is a VPN?" first.
The Reality of Free VPNs
The numbers paint a clear picture.
Top10VPN 2024 Study
Security research firm Top10VPN investigated the top 100 free VPN apps on Google Play (2.5 billion cumulative installs):
- 88% leaked data (IPv4, IPv6, DNS, or WebRTC)
- 71% shared user data with third parties
- 10% had encryption failures
The majority of popular free VPNs on Google Play fail at the basic job of a VPN.
CSIRO Academic Study (2016)
Australia's Commonwealth Scientific and Industrial Research Organisation (CSIRO) conducted a peer-reviewed study of 283 Android VPN apps:
- 38% contained malware (adware 43%, trojans 29%, malvertising 17%)
- 18% used tunneling with no encryption
- 84% had IPv6 leaks; 66% had DNS leaks
- 75% used third-party tracking libraries
- 82% requested access to sensitive data (contacts, SMS)
This study is from 2016, but Top10VPN's 2024 findings show the situation has barely improved.
Real Incidents
Not hypothetical risks — documented events.
911 S5 Botnet (2024 — Largest in FBI History)
In May 2024, the FBI dismantled what the Department of Justice called "likely the world's largest botnet ever."
- Scale: 19 million unique IP addresses across 190+ countries
- Method: Six fake free VPN apps distributed on Google Play (MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, ShineVPN)
- Losses: Operators earned ~$99M. Victim losses estimated at "several billion dollars"
- Criminal uses: Financial fraud, identity theft, child exploitation, bomb threats, cyberattacks
- Arrest: YunHe Wang, a 35-year-old Chinese national, arrested in Singapore
Users installed a "free VPN" and their devices became part of a criminal infrastructure — without their knowledge. If you're curious whether your own data has already been exposed, check our guide on how to check if your personal data is on the dark web.
SuperVPN Data Breach (2023)
SuperVPN, downloaded over 100 million times on Google Play, leaked 360,308,817 records.
- Exposed data: Email addresses, real IP addresses, VPN servers used, websites visited, device info, geolocation
- Contradiction: SuperVPN advertised a "no-logs policy" — the leaked data proved that was false
- History: Similar breaches occurred in 2016 and 2020
A "no-logs" claim without independent verification is just marketing.
UFO VPN + 6 Services Breach (2020)
Seven free VPN services — UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN — leaked data from 20 million users simultaneously.
- Cause: All seven shared the same backend infrastructure (Hong Kong-based white-label operation)
- Exposed data: Passwords in plain text, VPN session tokens, user IPs, connection timestamps, ad injection domains
- Contradiction: All seven services claimed a "strict no-logs policy"
Different brands, same company behind the scenes — a common pattern in free VPNs.
Hola VPN Bandwidth Selling (2015)
Hola, a free VPN with 50 million users, sold users' bandwidth through its sister company Luminati at $20/GB.
- Discovery: Exposed when Hola/Luminati infrastructure was used to launch DDoS attacks against 8chan
- Response: Hola's founder admitted the practice, saying it was in the terms of service
- Aftermath: A majority stake in Luminati was sold in 2017 at a valuation of ~$200M. Luminati rebranded to Bright Data in 2021
Users' devices were turned into DDoS attack nodes without their knowledge.
How Free VPNs Make Money
Every free service has a business model. For VPNs, there are four main ones.
1. Selling Data
User browsing history, source IPs, and location data are sold to data brokers and ad networks. Top10VPN found that 71% of free VPNs share data with third parties.
2. Ad Injection
JavaScript is injected into the browser to display ads. The CSIRO study specifically named Hotspot Shield. The UFO VPN breach data also contained ad injection domains.
3. Bandwidth Resale
Users' internet connections are sold as commercial proxy services. Hola VPN/Luminati is the most famous example. The 911 S5 botnet in 2024 used the same approach.
4. Malware Distribution
The VPN app itself contains malware. In 2024, 18+ infected VPN apps were removed from Google Play, and detections surged 2.5x in Q3.
Technical Problems
Beyond business model issues, free VPNs have systemic technical flaws.
Weak or Missing Encryption
Paid VPNs use AES-256-GCM or ChaCha20 as standard. Some free VPNs use no encryption at all, or rely on PPTP — a protocol that has been broken for over a decade.
No Kill Switch
When a VPN connection drops, traffic falls back to your normal connection and your real IP address is exposed. A kill switch prevents this: paid VPNs block all traffic until the connection is restored. Most free VPNs lack this feature entirely. For more on why your IP matters, see how to hide your IP address.
DNS and IPv6 Leaks
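A leak occurs when DNS queries or IPv6 traffic escape the VPN tunnel, so the local network and ISP still see which sites you look up and your real IPv6 address. Top10VPN's study found leaks in 88% of free VPN apps tested.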
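One way to check for the route-level DNS and IPv6 leaks described above on a Linux client. This is an added example, not code from the article or any VPN vendor; the interface names, the routing tables and the resolver list are constructed sample input, and WebRTC leaks are out of scope.

```python
import ipaddress

# Constructed sample (not from the article): `ip route` and `ip -6 route`
# output on a Linux client; the tunnel interface name tun0 is an assumption.
ROUTES_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev wlan0 scope link
"""
ROUTES_V6 = "default via fe80::1 dev wlan0 metric 600\n"
RESOLVERS = ["10.8.0.1", "192.168.1.1", "2001:db8::53"]

def parse_routes(text, version):
    """Return [(network, device)] for each route line that names a device."""
    default = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        f = line.split()
        if "dev" not in f[:-1]:
            continue  # blank line, or a route with no outgoing device
        try:
            dest = default if f[0] == "default" else f[0]
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route-type keyword (e.g. unreachable) not modelled here
        routes.append((net, f[f.index("dev") + 1]))
    return routes

def egress_dev(addr, routes):
    """Longest-prefix match: the interface the kernel would choose for addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None  # None: no route, packet is dropped

def find_leaks(routes, resolvers, tunnel="tun0"):
    """List every destination class that would leave outside the tunnel."""
    probes = [("IPv4 traffic", "198.51.100.7"), ("IPv6 traffic", "2001:db8::7")]
    probes += [(f"DNS resolver {r}", r) for r in resolvers]
    findings = []
    for label, addr in probes:
        dev = egress_dev(addr, routes)
        if dev not in (None, tunnel):
            findings.append(f"{label}: egress via {dev}")
    return findings

if __name__ == "__main__":
    table = parse_routes(ROUTES_V4, 4) + parse_routes(ROUTES_V6, 6)
    for finding in find_leaks(table, RESOLVERS):
        print("LEAK:", finding)
```

In the sample, IPv4 is fully tunnelled, yet IPv6 and two of the three resolvers still go out over wlan0. The check ignores route metrics and firewall rules, so treat a clean result as necessary rather than sufficient.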
No Independent Audits
Top paid VPN providers undergo regular independent audits. Almost no free VPN has ever been independently audited. There is no way to verify their "no-logs" claims.
Among paid VPNs, NordVPN offers Kill Switch, DNS leak protection, and an independently audited no-logs policy for a few dollars a month. It comes with a 30-day money-back guarantee.
Are There Trustworthy Free VPNs?
Not all free VPNs are dangerous. Free tiers offered by reputable paid VPN providers are relatively safe.
ProtonVPN Free
- Data cap: None (the only free VPN with unlimited data)
- Servers: 10 countries
- Simultaneous connections: 1 device
- Encryption: Same AES-256/ChaCha20 as the paid plan
- Audit: Independent audit by Securitum (2023)
- Company: Proton AG, Switzerland. Founded by CERN scientists. No ads
- Limitations: No P2P, no streaming optimization, slower speeds during peak hours
Windscribe Free
- Data cap: 10 GB/month (with email registration)
- Servers: 10 countries
- Simultaneous connections: Unlimited
- Features: R.O.B.E.R.T. (ad/tracker blocker), Split Tunneling, firewall
- Limitations: 10 GB is insufficient for video streaming
Why These Two Are Trustworthy
Both ProtonVPN and Windscribe have a business model based on paid plan upgrades. They do not need to sell data or inject ads to generate revenue. This is the fundamental difference from other free VPNs.
Free vs Paid VPN Compared
A feature comparison between a typical free VPN and NordVPN.
| Feature | Typical Free VPN | NordVPN |
|---|---|---|
| Price | Free | From $2.99/mo (2-year plan) |
| No-logs audit | None (self-claimed only) | 6 independent no-logs audits (PwC, Deloitte) |
| Servers | Tens to hundreds | 7,400+ across 118+ countries |
| Encryption | AES-128 or lower, sometimes none | AES-256-GCM / ChaCha20 |
| Protocol | Outdated (PPTP, etc.) | NordLynx / OpenVPN / IKEv2 |
| RAM-only servers | No | All servers |
| Kill Switch | No | Yes (Internet + App) |
| Split Tunneling | No | Yes (Windows / Android) |
| Malware protection | No | Threat Protection Pro |
| Data cap | 500 MB–10 GB/month | None |
| Simultaneous connections | 1 | 10 |
| Business model | Data selling / ads / bandwidth resale | Subscription fees |
| Jurisdiction | Unclear or high-risk (Hong Kong, etc.) | Panama (outside Five Eyes) |
At $2.99/month, a paid VPN costs less than a cup of coffee — and the price of a free VPN is your data.
Frequently Asked Questions
Are free VPNs safe for online banking?
No. Most free VPNs have encryption flaws, DNS leaks, or no kill switch — all of which can expose your banking credentials. The Top10VPN study found that 88% of free VPNs leak data. For banking, use a paid VPN with AES-256 encryption and an audited no-logs policy.
Can a free VPN steal my passwords?
Yes. Free VPN apps with malware (38% according to the CSIRO study) can log keystrokes or intercept unencrypted traffic. The SuperVPN breach in 2023 exposed passwords alongside browsing data — from an app that claimed to protect privacy.
Why are free VPNs free?
Free VPNs monetize through four methods: selling user data to brokers (71% of free VPNs do this), injecting ads into your browser, reselling your bandwidth as a commercial proxy, or bundling malware. The exception is free tiers from paid providers like ProtonVPN, which use free plans to convert users to paid subscriptions.
Is ProtonVPN Free actually safe?
Yes. ProtonVPN Free uses the same AES-256/ChaCha20 encryption as its paid plan, has passed multiple independent Securitum audits, and is based in Switzerland. Unlike standalone free VPNs, ProtonVPN's business model is paid plan upgrades — not data monetization.
What's the difference between a free VPN and a free tier from a paid VPN?
A standalone free VPN needs to monetize your data because it has no other revenue source. A free tier from a paid provider (ProtonVPN, Windscribe) serves as a funnel to paid plans — the company already has subscription revenue, so it doesn't need to sell your data.
Can free VPNs give you malware?
Yes. The CSIRO study found malware in 38% of Android VPN apps tested. In 2024, 18+ infected VPN apps were removed from Google Play. The 911 S5 botnet recruited 19 million devices through six fake free VPN apps.
Do free VPNs actually hide my IP address?
Most don't. Top10VPN found that 88% of free VPNs tested had IPv4, IPv6, DNS, or WebRTC leaks — meaning your real IP address was exposed despite the VPN connection. For reliable IP protection, see our guide to hiding your IP address.
Wrapping Up
A summary of free VPN risks:
- 88% leak data, 71% share data with third parties (Top10VPN 2024 study)
- The largest botnet in FBI history was built using free VPN apps (911 S5, 2024)
- 360 million records leaked from a "no-logs" free VPN (SuperVPN, 2023)
- Free VPNs monetize through data selling, ad injection, bandwidth resale, and malware distribution
- The only trustworthy free VPNs are ProtonVPN Free and Windscribe Free (funded by paid plan upgrades)
The cost of "free" is your data. If you only need occasional protection with acceptable limits, ProtonVPN Free is the most trustworthy free option. But if you need unlimited speed, servers in 100+ countries, and built-in malware protection, a paid VPN is the practical choice — check the comparison table above for what that looks like in practice.
References:
- Top10VPN — Free VPN App Investigation (2024) — comprehensive free VPN app study
- CSIRO — An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps (2016) — peer-reviewed academic study
- US DOJ — 911 S5 Botnet Dismantled (2024) — FBI press release