How Free VPNs Make Money From You
If you're not paying for the product, you are the product. Here's exactly how.
📊 By The Numbers
Source: CSIRO study of 283 Android VPN apps
Running a VPN costs real money. Servers, bandwidth, development, and support aren't free. When a VPN claims to offer unlimited service at no cost, that money has to come from somewhere.
The uncomfortable truth: most free VPNs monetize your data. They collect your browsing history, inject ads, sell bandwidth, or worse. The very privacy tool you downloaded is actively undermining your privacy.
This isn't speculation — it's documented through academic research, security audits, and regulatory actions. Here's exactly how free VPNs turn users into revenue.
Method 1: Selling Your Data
The most common monetization: collecting and selling your browsing data to advertisers and data brokers.
What They Collect
- Browsing history — Every website you visit
- Search queries — What you search for
- Connection timestamps — When and how long
- Device information — OS, browser, device ID
- IP addresses — Both real and assigned
- Location data — Often GPS when permissions granted
- Bandwidth usage — How much data you transfer
Case Study: Hola VPN
Hola VPN gained millions of users with its free browser extension. What users didn't realize: Hola sold their bandwidth through a sister company called Luminati (now Bright Data).
When you used Hola, your internet connection became an exit node for Luminati's commercial proxy network. Paying customers could route traffic through your connection — meaning illegal activity could be traced back to your IP address.
2015 incident: Hola users' bandwidth was used in a DDoS attack against 8chan. Users unknowingly participated in the attack simply by having Hola installed.
Case Study: Onavo (Facebook)
Facebook's "Onavo Protect" VPN promised to protect user privacy while doing the exact opposite. The app collected detailed data about which apps users opened, how often, and for how long.
Facebook used this data to identify competitive threats. When Onavo revealed WhatsApp's explosive growth, Facebook acquired WhatsApp for $19 billion. Onavo was essentially corporate espionage disguised as a privacy tool.
Apple removed Onavo from the App Store in 2018 for violating data collection guidelines. The app had been downloaded over 33 million times.
Method 2: Ad Injection
Some free VPNs modify your web traffic to insert advertisements that weren't there originally.
How Ad Injection Works
1. You request a webpage through the VPN
2. The VPN intercepts the page before delivering it to you
3. Additional JavaScript or HTML is inserted into the page
4. You see ads that the website owner never placed
5. The VPN provider collects the ad revenue
This isn't theoretical — security researchers have documented this behavior in dozens of free VPN apps. The injected code can include:
- Banner advertisements
- Pop-ups and pop-unders
- Affiliate link hijacking (replacing existing affiliate codes with theirs)
- Tracking pixels for cross-site surveillance
Security Risk
Injecting ads into an HTTPS page requires breaking that page's encryption. This creates vulnerabilities that actual attackers can exploit. A free VPN that injects ads is actively making your connection less secure.
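One way to check for the injection described above is to compare a copy of a page fetched without the VPN against the copy delivered through it. This is an added example, not code from any study cited here; the two HTML samples, all host names, and the `ref` affiliate parameter are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class Collector(HTMLParser):  # records resource hosts and link parameters
    def __init__(self):
        super().__init__()
        self.hosts = set()       # hosts loaded by <script>, <iframe>, <img>
        self.inline_scripts = 0  # <script> blocks without a src
        self.links = {}          # (host, path) -> query parameters

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img"):
            host = urlsplit(a.get("src") or "").hostname
            if host:
                self.hosts.add(host)
            elif tag == "script" and not a.get("src"):
                self.inline_scripts += 1
        elif tag == "a" and a.get("href"):
            u = urlsplit(a["href"])
            if u.hostname:
                self.links[(u.hostname, u.path)] = parse_qs(u.query)

def collect(html):
    c = Collector()
    c.feed(html)
    return c

def diff_pages(baseline_html, vpn_html):
    """Report what the VPN-delivered copy has that the baseline lacks."""
    base, vpn = collect(baseline_html), collect(vpn_html)
    rewritten = sorted(h + p for (h, p), q in vpn.links.items()
                       if (h, p) in base.links and base.links[(h, p)] != q)
    return {"new_hosts": sorted(vpn.hosts - base.hosts),
            "extra_inline_scripts": max(0, vpn.inline_scripts - base.inline_scripts),
            "rewritten_links": rewritten}

# Constructed sample pages (not captured traffic).
BASELINE = """<html><body>
<script src="https://cdn.shop.example/app.js"></script>
<a href="https://store.example/item/7?ref=blogger-20">Buy</a>
</body></html>"""
VIA_VPN = """<html><body>
<script src="https://cdn.shop.example/app.js"></script>
<script src="https://ads.injector.example/b.js"></script>
<script>/* constructed inline loader */</script>
<img src="https://px.tracker.example/1.gif" width="1" height="1">
<a href="https://store.example/item/7?ref=vpnco-20">Buy</a>
</body></html>"""
print(diff_pages(BASELINE, VIA_VPN))
```

Pages with rotating ad slots differ between loads even without a VPN, so take the baseline several times and flag only hosts that never appear in it.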
Method 3: Bundled Malware
The most alarming finding: many free VPNs contain actual malware. A comprehensive study by CSIRO found that 38% of free Android VPNs contained malware signatures.
Types of Malware Found
- Adware — Aggressive advertising that persists even with VPN off
- Trojans — Hidden programs that collect data or enable remote access
- Riskware — Apps that perform unwanted functions
- Cryptominers — Software that mines cryptocurrency using your device
- Spyware — Programs specifically designed for surveillance
The 10 Worst Offenders (Android)
Research identified these free VPNs as containing the most malware indicators. Avoid them entirely:
1. OkVPN
2. EasyVPN
3. SuperVPN
4. Betternet
5. CrossVPN
6. Archie VPN
7. HatVPN
8. sFly Network Booster
9. One Click VPN
10. Fast Secure Payment
Note: App names and availability change frequently. A new app appearing under the same name may or may not be the same software. Assume all unknown free VPNs are suspect.
Method 4: Selling Your Bandwidth
Like Hola, some free VPNs turn your device into an exit node in a commercial proxy network. Paying customers route their traffic through your internet connection.
Why This Is Dangerous
- Legal liability: Illegal activity routed through your connection traces back to your IP address
- Bandwidth theft: Your internet speed decreases as others use your connection
- ISP violations: Running a proxy may violate your ISP's terms of service
- Data caps: Others' traffic counts against your data allowance
Commercial proxy networks like Bright Data (formerly Luminati) charge enterprise clients for access to millions of residential IP addresses. Those addresses come from users who installed "free" apps without reading the terms of service.
The Exception: Legitimate Freemium VPNs
Not all free VPNs are scams. Some reputable providers offer limited free tiers to attract users to paid plans. The key difference: transparent business models and privacy-respecting practices.
✓ ProtonVPN Free
- Funded by paid subscribers
- Same privacy policy as paid
- No ads, no logging, no data sales
- Limited to 3 countries, slower speeds
✓ Windscribe Free
- 10GB/month free tier
- Same privacy as paid tier
- Clear upgrade path
- Transparent about limitations
How to Identify Safe Free VPNs
- Backed by paid subscriptions (clear business model)
- Same privacy policy for free and paid tiers
- Open-source apps that can be audited
- Established company with public presence
- Clear limitations (speed/servers/data) instead of "unlimited"
Red Flags to Watch For
🚩 "Unlimited everything for free"
Running VPN infrastructure costs money. "Unlimited" and "free" together means you're paying another way.
🚩 Excessive permissions
A VPN needs network access. It doesn't need access to your contacts, camera, phone calls, or location when the app isn't running.
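The permission check above can be automated against an app's manifest. This is an added example, not part of the original article; it assumes the `AndroidManifest.xml` has already been decoded to text XML, and the `EXPECTED` allow-list and the sample manifest for the hypothetical `com.example.freevpn` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Permissions a VPN client plausibly needs (an assumption of this example).
EXPECTED = {P + n for n in ("INTERNET", "ACCESS_NETWORK_STATE",
            "ACCESS_WIFI_STATE", "FOREGROUND_SERVICE", "POST_NOTIFICATIONS")}
# The categories the text calls out as unnecessary for a VPN.
RED_FLAGS = {
    P + "READ_CONTACTS": "contacts",
    P + "CAMERA": "camera",
    P + "READ_CALL_LOG": "phone calls",
    P + "READ_PHONE_STATE": "phone calls",
    P + "ACCESS_BACKGROUND_LOCATION": "location while not running",
}

def audit_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    requested.discard(None)
    # A genuine VPN app exposes a service guarded by BIND_VPN_SERVICE.
    has_vpn_service = any(s.get(NS + "permission") == P + "BIND_VPN_SERVICE"
                          for s in root.iter("service"))
    return {
        "red_flags": sorted({RED_FLAGS[p] for p in requested if p in RED_FLAGS}),
        "unexplained": sorted(requested - EXPECTED - set(RED_FLAGS)),
        "has_vpn_service": has_vpn_service,
    }

# Constructed manifest for a hypothetical app, not taken from a real APK.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".Tunnel"
        android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""
print(audit_manifest(SAMPLE))
```

Entries under `unexplained` are not proof of abuse; they are permissions the app should be able to justify in its documentation.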
🚩 No clear business model
If you can't figure out how they make money, you're probably the product. Legitimate services explain their model.
🚩 Unknown developer
No company website, no team listed, registered in jurisdictions with no privacy laws. If you can't verify who made it, don't install it.
🚩 Suspicious reviews
Thousands of 5-star reviews with generic text, all posted around the same time. Review manipulation is common in the free VPN space.
Better Alternatives
Option 1: Paid VPN (Best Value)
Quality VPNs cost less than coffee. Surfshark runs $2.19/month with unlimited devices — that's one subscription for your entire household.
Option 2: ProtonVPN Free (Legitimate Free)
If you genuinely can't pay, ProtonVPN's free tier is the safest option. Limited servers and speeds, but the same privacy as paying customers. No ads, no data sales.
Option 3: No VPN (Honest About Trade-offs)
If your choice is between a sketchy free VPN and no VPN, choose no VPN. At least your ISP is known and regulated. A malicious VPN is actively worse than no VPN.
Affordable VPNs That Don't Exploit You
Surfshark
$2.19/mo — Unlimited devices
Cover your entire household with one account. No data caps, no logging, independently audited.
NordVPN
$3.39/mo — Best overall
Fastest speeds, best streaming access. Multiple independent audits confirm no-logs policy.
The Bottom Line
Free VPNs aren't free — you pay with your data, your security, and sometimes your legal liability. The VPN you installed to protect your privacy is often the biggest threat to it.
The math is simple: running a VPN costs money. If a provider isn't charging you, they're monetizing you. Data sales, ad injection, and bandwidth theft are the price of "free."
A quality paid VPN costs less than a streaming subscription. Given what's at stake — your browsing history, your security, your privacy — it's a worthwhile investment.