Please don’t use free VPNs. Beyond the usual risks of malware infection and keyloggers, these VPNs can also turn your computer into a residential proxy for criminal activities. In other words, you may inadvertently help cybercriminals avoid detection.
What makes these VPNs so effective as attack vectors is how seamlessly they blend into the digital noise. Many operate through traffic distribution systems (TDSs) like Vextrio, which funnel users toward seemingly legitimate downloads. These platforms don’t just advertise VPNs – they create an entire illusion of trust, complete with sponsored search results, polished websites, and glowing reviews on platforms like Trustpilot.
Some VPNs are free, others charge modest monthly fees, but the business model is the same: install the software and you unwittingly join a network of compromised machines. These apps often double as information stealers – scraping keystrokes, intercepting browser activity, and quietly logging banking credentials.
Worse still, the infected device becomes part of a much larger infrastructure. Malicious VPNs routinely convert users’ home internet connections into residential proxies, effectively turning everyday consumers into unknowing enablers of criminal activity.
This allows attackers to route their own traffic through compromised systems, making it harder for authorities to trace or block malicious behavior. It’s like a parasite worming its way in unnoticed – users pay for access to content they’re not legally allowed to watch, while criminals profit by harvesting their data and hijacking their connections. Users think they’ve found a clever workaround, but in reality they’re simply being exploited.
These threat actors rely on rapidly generated domain aliases (RGDA) and DNS tunneling, churning through domains constantly to avoid blocklists. Naturally, they may operate a VPN service to mask this “churning” behavior as legitimate activity.
This constant domain hopping is part of a broader evasion strategy. DNS tunneling, in particular, allows attackers to disguise command-and-control traffic as benign DNS requests. It’s a method often used to sneak malware past firewalls or send data out of restricted environments without detection.
When embedded within VPN software, this technique becomes even more insidious: not only is the app encrypting the user’s traffic, but it’s also silently exfiltrating information and receiving instructions from remote servers, all under the cover of what appears to be a legitimate privacy tool. This is how VPNs, when co-opted, transform from protective wrappers into full-fledged vehicles for criminal communication.
While Proton and Mullvad won’t do this to us, I’m curious whether there has been a history of established VPN providers being fronts for similar kinds of criminal activity? Trust is very important; we can’t really know the true intentions of a service unless they have been tested.
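One defender-side check for the DNS tunneling pattern described above (many unique, high-entropy subdomain labels under one registered domain, often carried in TXT records), written as an added example that is not part of the original post. The log lines and the vpn-updates.example domain are constructed, and the thresholds are illustrative assumptions, not tuned values.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (time, client, qtype, qname); not real traffic.
# The "vpn-updates.example" queries mimic a tunnel: one unique high-entropy label
# per query, sent as TXT, a record type that can carry arbitrary data both ways.
SAMPLE_LOG = """\
10:00:01 192.168.1.10 A   www.example.com
10:00:02 192.168.1.10 A   mail.example.com
10:00:03 192.168.1.10 TXT 3fa9c1e07b52d864.t1.vpn-updates.example
10:00:03 192.168.1.10 TXT b0e2d7c4f1a9685e.t1.vpn-updates.example
10:00:04 192.168.1.10 TXT 9d41f7a3c8e0b265.t1.vpn-updates.example
10:00:04 192.168.1.10 TXT 52c8a7e1d0f4b396.t1.vpn-updates.example
10:00:05 192.168.1.10 TXT e7b39c5d0a2f1846.t1.vpn-updates.example
"""
RARE_QTYPES = {"TXT", "NULL"}  # record types commonly abused to carry payload

def shannon_entropy(s):
    """Bits per character; encoded payload chunks score near the alphabet's maximum."""
    n = len(s)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_line(line):
    _ts, _client, qtype, qname = line.split()
    labels = qname.lower().rstrip(".").split(".")
    # Simplification: last two labels = registered domain. Real code needs a
    # public suffix list so that "host.example.co.uk" is split correctly.
    return qtype.upper(), ".".join(labels[-2:]), ".".join(labels[:-2])

def profile_domains(log_text):
    stats = defaultdict(lambda: {"n": 0, "prefixes": set(), "rare": 0, "ent": 0.0, "len": 0})
    for line in log_text.strip().splitlines():
        qtype, registered, prefix = parse_line(line)
        d = stats[registered]
        d["n"] += 1
        d["prefixes"].add(prefix)
        d["rare"] += qtype in RARE_QTYPES
        d["ent"] += shannon_entropy(prefix.replace(".", ""))
        d["len"] += len(prefix)
    return stats

def flag_tunneling(log_text, min_unique=4, min_avg_len=12, min_avg_entropy=3.0):
    """Domains whose subdomains look like data rather than hostnames. Treat hits as
    triage leads: CDNs and AV signature lookups also emit long random-looking labels."""
    flagged = {}
    for domain, d in profile_domains(log_text).items():
        n, avg_len, avg_ent = d["n"], d["len"] / d["n"], d["ent"] / d["n"]
        if len(d["prefixes"]) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[domain] = {"queries": n, "unique_prefixes": len(d["prefixes"]),
                               "avg_prefix_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                               "rare_qtype_ratio": round(d["rare"] / n, 2)}
    return flagged
```

Run against a real resolver export, the per-domain evidence dict (query count, unique prefixes, entropy, share of rare record types) is what an analyst would compare against an allowlist before escalating.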