How using free VPNs could land you in a botnet

The masterminds behind the colossal botnet encompassing 19 million IP addresses used free VPN services as bait to lure unsuspecting users.

Hidden dangers of free VPN services

Regarding VPNs, a popular refrain these days goes something like: “Why bother paying for a VPN when there are tons of free ones out there?” But are free VPN services truly free? This post explains why thinking they are is misguided, and offers the optimal solution: one of the fastest and most secure VPN apps on the planet.

First there was: “There’s no such thing as a free lunch” — dating back to the 1930s. In this century, that old adage was updated and adapted for the digital age: “If you’re not paying for the product, you are the product”. Today this new axiom applies to many internet services — but especially to VPNs. After all, maintaining a network of servers across the globe, and handling encrypted traffic for thousands, if not millions, of users comes at a significant cost. And if the user isn’t explicitly asked to pay for such services, there’s bound to be a catch somewhere. And that “somewhere” was recently vividly demonstrated by a couple of major incidents…

Freebie VPN and a botnet of 19 million IP addresses

In May 2024, the FBI, together with law enforcement partners, dismantled a botnet known as 911 S5. This malicious network spanned 19 million unique IP addresses across over 190 countries worldwide, making it possibly the largest botnet ever created.

But what does a gargantuan botnet have to do with free VPNs? Quite a lot actually, since the creators of 911 S5 used several free VPN services to build their brainchild; namely: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. Users who installed these apps had their devices transformed into proxy servers channeling someone else’s traffic.

In turn, these proxy servers were used for various illicit activities by the real clients of the botnet — cybercriminals who paid the organizers of 911 S5 for access to it. As a result, users of these free VPN services became unwitting accomplices in a whole host of crimes — cyberattacks, money laundering, mass fraud, and much more — because their devices were sucked into the botnet without their knowledge.

911 S5 botnet proxy rental prices

The 911 S5 botnet began its nefarious operations way back in May 2014. Disturbingly, the free VPN apps it was built upon had been circulating since 2011. In 2022, law enforcers managed to take it down for a while, but it resurfaced a mere few months later under a new alias: CloudRouter.

Finally, in May 2024, the FBI succeeded in not only dismantling the botnet infrastructure but also apprehending the masterminds, on which note the 911 S5 saga will likely end. During its operation, the botnet is estimated to have earned its creators a cool $99 million. As for the losses to victims — at least, just the confirmed ones — they amount to several billion dollars.

The FBI seized the website of PaladinVPN — one of the free VPN apps used to build the 911 S5 botnet

Infected VPN apps on Google Play

While the 911 S5 case is undoubtedly one of the largest botnets, it’s far from an isolated incident. Literally a couple of months before, in March 2024, a similar scheme was uncovered involving several dozen apps published on Google Play.

Though among them there were other apps too (such as alternative keyboards and launchers), free VPNs constituted the bulk of the infected ones. Here’s the full list:

  • Lite VPN
  • Byte Blade VPN
  • BlazeStride
  • FastFly VPN
  • FastFox VPN
  • FastLine VPN
  • Oko VPN
  • Quick Flow VPN
  • Sample VPN
  • Secure Thunder
  • ShineSecure VPN
  • SpeedSurf
  • SwiftShield VPN
  • TurboTrack VPN
  • TurboTunnel VPN
  • YellowFlash VPN
  • VPN Ultra
  • Run VPN

Oko VPN and Run VPN before being removed from Google Play

There were two modes of infection. Earlier versions of the apps utilized the ProxyLib library to transform devices on which the infected apps were installed into proxy servers. More recent versions employed an SDK called LumiApps, offering developers monetization by showing hidden pages on the device, but in reality doing the exact same thing — turning devices into proxy servers.

Just like in the previous case, the organizers of this malicious campaign sold access to proxy servers installed on user devices with the infected apps to other cybercriminals.

After the report was published, the infected VPN apps were, of course, removed from Google Play. However, they continue to circulate in other places; for example, they’re sometimes published in several different incarnations under different developer names in the popular alternative app store APKPure (which was infected with a Trojan a few years ago).

Oko VPN, one of the infected VPN apps booted out of Google Play, exists in multiple versions on the alternative platform

What to do if you really need a VPN

If you’re in dire need of a VPN service to protect your connection but don’t want to pay for one, consider using the free version of Kaspersky VPN Secure Connection. Free mode won’t allow you to select a server, plus there’s a traffic limit of 300 MB per day, but both your traffic and your device are fully secure.

The better option, of course, is to buy a subscription; after all, a reliable VPN is a must-have app for absolutely everyone — and has been for some time. Premium access to Kaspersky VPN Secure Connection, available as a standalone purchase or as part of our Kaspersky Plus and Kaspersky Premium subscriptions, grants you access to one of the fastest VPNs in the world across all your devices, along with top-rated protection against phishing and other threats, as verified by independent researchers.

Best of all, you can enjoy a 30-day free trial of these subscriptions and experience the full functionality of our protection and VPN; that way, you can see for yourself how our VPN is one of the world’s speediest.
