Free VPNs: how they actually make money, and why that's the problem
If a VPN is free with no paywall, no signup wall, no premium tier — somebody is paying for it. That somebody isn't the company providing the service for fun. The unit economics of running a VPN are not zero: bandwidth costs money, server uptime costs money, customer support costs money, security audits cost money. A free product has to recover those costs somewhere.
Here's where, with documented cases.
Selling browsing data
The most common business model. The VPN logs what users browse and sells the data to ad networks, market research firms, or anyone willing to pay. (For the inverse, what an actual no-logs policy commits to, the no-logs policy entry covers the precise wording to look for.)
Onavo. Facebook acquired Onavo in 2013 and marketed it as a free VPN under the slogan "Keep your data safe." Onavo silently sent detailed traffic analytics back to Facebook, which used the data to identify rising competitors (most famously WhatsApp before the acquisition, and TikTok during its early growth). Apple booted Onavo from the App Store in 2018 for violating data-collection rules. Facebook eventually shut it down. The pattern wasn't unique to Onavo; it was just well-documented.
Hola VPN. Hola sold its users' bandwidth as a residential proxy network through a sister company called Luminati (now Bright Data). Luminati customers — including, at various points, scrapers, ad-fraud operators, and at least one botnet operator — paid Bright Data to route their traffic through Hola users' IP addresses. In 2015, security researchers used the Hola network to launch a DDoS against 8chan from compromised Hola IPs. Hola's response was that this was working as intended.
Betternet. A 2016 CSIRO study analysed 283 Android VPN apps and found Betternet shipped with 14 different tracking libraries, the most of any free VPN tested. The same study found that 38% of free Android VPNs contained malware or malvertising.
The pattern: when the price is zero, the customer is the product, and "the customer" means the data exhaust the VPN can collect about you.
Injecting ads
A free VPN is a network middlebox. It sees every HTTP request you make, and historically (before HTTPS became universal; the "what is encryption" entry explains why HTTPS made this much harder) it could rewrite responses on the fly to inject ads.
HotSpot Shield was caught in 2017 injecting ads and redirect tracking into HTTP traffic. The Center for Democracy and Technology filed an FTC complaint. AnchorFree settled.
This is harder now that most of the web is HTTPS, but free VPN apps for mobile have a workaround: they install their own root certificate during setup, then they can inspect and modify HTTPS traffic too. Several free Android VPNs do this. Granting a root certificate to an app you don't fully trust is roughly equivalent to letting them stand between you and every site you visit, with the keys to read everything.
Selling your IP as a residential proxy
Closer to the Hola model, but more recent. The free VPN signs you up to be a node on its commercial residential-proxy product. Your bandwidth gets rented to other people, and your IP appears in scraping traffic, ad-fraud campaigns, and occasionally worse. You don't see this — your laptop just runs slightly hotter and consumes some bandwidth in the background.
Bright Data, Oxylabs, IPRoyal, and others run this business model openly. They get their residential IPs from "consumer apps that pay users for spare bandwidth" — frequently rebranded VPN apps. The end user signs an EULA that mentions this, technically.
If you're using a free VPN and you suddenly can't access certain sites because they've blocked the IP for abusive behaviour, this is why.
Botnet recruitment
The worst case. A few free VPN apps have been caught silently joining client devices to botnets that conduct credential stuffing, click fraud, or DDoS. The Hola incident above is the canonical example, but smaller cases keep appearing.
In 2024, a security researcher analysed several Android VPN apps with 10M+ downloads and found code paths that, under the right conditions, would relay third-party traffic from the device. The user has no idea their phone is briefly serving as a proxy node.
Throttling and bandwidth caps that push paid upgrades
The least harmful version of free-VPN economics. The VPN is real, the service works, but they restrict bandwidth, server choice, and feature access aggressively to push you to upgrade. Often the "free" version is throttled to the point of unusability.
This is honest by free-VPN standards. You're not the product; you're just being upsold.
How to tell
A few quick checks before installing a free VPN:
- Does the app have ads? If yes, you know how it makes money. Ads in a privacy app are a contradiction.
- Does it require permissions a VPN doesn't need? Camera, contacts, SMS — none of these are required to run a VPN. They're required to harvest data.
- Does it install a root certificate? If so, it is almost certainly inspecting your HTTPS traffic.
- Is the company identifiable? Look up the publisher. Many free VPN apps are operated by undisclosed companies in jurisdictions that don't require company registration. That's not by accident.
- Does it use one of the big-name commercial bandwidth-rental SDKs? Static analysis or jadx-decoded APKs reveal these. Bright Data's SDK is identifiable; so are several others.
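The permissions check from the list above can be run against an app's decoded manifest. This is an added example, not code from the original article: it assumes `AndroidManifest.xml` has already been decoded to text XML (jadx writes one alongside the decompiled sources), and the `VPN_BASELINE` and `HARVEST` sets and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions a VPN client plausibly needs (assumed baseline, adjust as needed).
VPN_BASELINE = {P + n for n in (
    "INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE", "FOREGROUND_SERVICE",
    "POST_NOTIFICATIONS", "RECEIVE_BOOT_COMPLETED", "WAKE_LOCK")}
# Data-harvesting permissions the checklist names: camera, contacts, SMS.
HARVEST = {P + n for n in (
    "CAMERA", "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS")}

def audit_manifest(xml_text):
    """Classify requested permissions and confirm a real VpnService exists."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    requested.discard(None)
    # A genuine VPN declares a service guarded by BIND_VPN_SERVICE that
    # handles the android.net.VpnService action.
    has_vpn_service = any(
        svc.get(ANDROID + "permission") == P + "BIND_VPN_SERVICE"
        and any(a.get(ANDROID + "name") == "android.net.VpnService"
                for a in svc.iter("action"))
        for svc in root.iter("service"))
    return {
        "has_vpn_service": has_vpn_service,
        "harvest": sorted(requested & HARVEST),
        "unexplained": sorted(requested - VPN_BASELINE - HARVEST),
    }

# Constructed sample manifest (not from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE).items():
        print(f"{key}: {value}")
```

Anything listed under `harvest` matches the checklist's red flags directly; entries under `unexplained` are not automatically hostile but need a stated reason from the publisher.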
What to do instead
Pay for the VPN. The cost is around $3-10/month for the legitimate ones. That's less than a single coffee. A VPN that's paid by you doesn't need to monetise your data, your bandwidth, or your IP.
Fexyn has a 7-day free trial — no card required up front, no auto-conversion before the trial ends. After the trial, US pricing is $9.99/month at Tier 1, dropping to $2.99/month at Tier 4 in lower-purchasing-power markets via regional pricing tiers. The math is the same as it is for everything else: paid product, no surveillance funding model.