Are Free VPNs Safe in 2026?
Last updated: June 2026
Quick Answer
Most free VPNs are not safe. A Top10VPN investigation of 100 free Android VPN apps found that nearly 90% leaked some form of user data, over a third used encryption weaker than current standards, and nearly 70% requested permissions with no legitimate VPN use case. In May 2024, U.S. law enforcement dismantled the world’s largest botnet — 19 million hijacked devices across 190 countries — with at least 18 free VPN apps identified as the primary infection vector. CISA’s December 2024 mobile security guidance states explicitly: “Do not use a personal VPN. Personal VPNs simply shift residual risks from your ISP to the VPN provider, often increasing the attack surface.” That guidance applies with particular force to unvetted free apps.
A small category exception exists: free tiers offered by audited, paid-tier-primary providers (Proton VPN Free, Windscribe Free) operate under the same no-logs infrastructure as their paid plans and represent a genuinely different risk profile. The audit below documents both categories with precision.
Verdict: Avoid (most) — a small number of audited free tiers are legitimate; the majority of free VPN apps pose risks ranging from data harvesting to outright malware delivery.
“Free VPN” is not a single product — it is a category spanning legitimate limited tiers from reputable providers on one end and credential-harvesting malware on the other. The gap between those two extremes is not obvious from an app store page. Our audit documents exactly what separates them, why the risks are real, and which specific free VPNs have cleared the bar we would accept for our own devices.
What We Audited
This safety audit covers the free VPN category as a whole, with hands-on testing of representative applications. The methodology:
Signup and onboarding process — We downloaded and created accounts in ten free VPN apps across Google Play and the Apple App Store, documenting every data point collected at signup, every permission requested before first use, and every disclosure made or not made about monetization model.
Privacy policy review — We read privacy policies in full for each tested app, flagging clauses permitting third-party data sharing, traffic logging, or bandwidth resale.
Permission audit — We captured the full Android permission manifest for each app and identified permissions with no functional VPN use case.
Encryption and protocol verification — We verified which encryption standards and tunneling protocols each app uses and whether the stated protocol matches what is actually negotiated at connection.
Data leak testing — We used DNS and WebRTC leak tests to confirm whether tested apps actually masked the device IP address as claimed.
User complaint sampling — We reviewed Google Play Store reviews, Reddit (r/VPN, r/privacy), and Trustpilot from January–June 2026 for each tested app, categorizing recurring complaints.
Support response test — We submitted a support query to each tested app’s official channel and documented response time and quality.
Regulatory and enforcement record — We reviewed FTC filings, DOJ press releases, and academic research relevant to free VPN behavior.
Safety Score Matrix — Free VPN Category
Scores represent the category average across the broad free VPN market. Audited legitimate free tiers (Proton VPN Free, Windscribe Free) score substantially higher on all dimensions — see the Safer Alternatives section.
| Dimension | Category Score | Notes |
|---|---|---|
| Encryption quality | 4 / 10 | Over a third of audited free apps use sub-standard encryption. Some apps advertise encryption that is not implemented. |
| Data logging practices | 3 / 10 | Nearly 90% of audited free Android apps leaked user data in some form. Many log browsing sessions despite no-logs claims. |
| Permission scope | 3 / 10 | Nearly 70% of audited apps request permissions with no VPN function — location (20%), installed app scanning (46%). |
| Business model transparency | 3 / 10 | Majority of free apps do not disclose monetization in plain language. Data brokerage, bandwidth resale, and ad injection documented. |
| Malware / botnet risk | 2 / 10 | 18 free VPN apps confirmed as botnet delivery vectors in the 2024 DOJ/FBI dismantlement. Kaspersky reported 2.5× surge in malicious fake VPN apps in Q3 2024. |
| No-logs policy credibility | 3 / 10 | No-logs claims in free apps are rarely audited by third parties. Most are unverifiable marketing assertions. |
| DNS/IP leak protection | 4 / 10 | A significant proportion of free apps tested by Top10VPN and Zimperium zLabs showed DNS or IP leaks, exposing the user’s real IP address and every domain they visit even while the app reported “connected”. |
| Support and recourse | 3 / 10 | Most free-only apps provide no meaningful support. Bot responses, unmonitored inboxes, or no contact channel at all. |
Overall Category: Avoid (3.1 / 10)
Legitimate audited free tiers: ~7.5 / 10. See Safer Alternatives.
Risks We Found
1. The Business Model Problem — You Are the Product
Every VPN server costs real money to operate. Running infrastructure across multiple countries requires hardware, bandwidth, and staff. A commercial VPN provider charging nothing has to recover those costs somewhere. The documented methods:
Traffic data monetization: The app logs your browsing activity — which sites you visit, when, from where — and sells this data to brokers, advertisers, or analytics companies. This is not speculation. Top10VPN’s 2024 investigation of 100 free Android VPN apps found that half contained functions in their source code that sent data directly to third parties, including ByteDance and Yandex.
Bandwidth resale: The most documented example is Hola VPN, which since 2015 has enrolled free users in its residential proxy network (originally Luminati, now Bright Data), selling their idle IP addresses to commercial clients. Users’ devices serve as exit nodes for third-party traffic — which has included fraudulent and criminal activity — without their knowledge or meaningful consent. Hola’s Android app continues this practice in 2026. Google removed the Hola Android app from the Play Store over security concerns; it remains downloadable as an APK.
Ad injection: Some free VPN apps intercept web traffic and insert advertisements into pages the user did not request, generating revenue per impression. This practice requires a man-in-the-middle position in the user’s traffic, which is exactly the capability the VPN connection provides. On plain HTTP pages it works silently; injecting into HTTPS pages additionally requires the app to install its own root certificate on the device, which is a red flag in its own right.
The economics are straightforward. Running a VPN server in a major market costs between $50 and $200 per month in bandwidth and infrastructure. A free app with 10 million users cannot sustain operations without monetizing those users in some way. The apps that do not disclose how they monetize are the most dangerous, because the answer still exists — you just cannot see it.
2. The 2024 DOJ Botnet Dismantlement — 18 Free VPN Apps as Malware Vectors
In May 2024, the U.S. Department of Justice and FBI dismantled what investigators called the largest botnet ever discovered at that time. The 911 S5 botnet comprised 19 million unique IP addresses across more than 190 countries. At least 18 free VPN applications — including MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN — were identified as the primary infection vectors. Every user who installed these apps had their device silently converted into a proxy server. Their bandwidth was sold to cybercriminals who used it for fraud, money laundering, pandemic relief fraud, and to launch attacks that became untraceable to the real perpetrators. DOJ estimates confirmed losses exceeding $5.9 billion.
Every one of these apps was available on the Google Play Store. They had ratings, reviews, and download counts. Nothing in the app store presentation indicated they were malware delivery mechanisms.
This is the extreme case. Most harmful free VPNs do not deliver malware — they harvest data more quietly. But the botnet case establishes that the worst outcome is a documented, prosecuted reality, not a theoretical warning.
3. Encryption That Does Not Exist or Does Not Work
A VPN that claims to encrypt traffic but does not implement encryption is not just useless — it is actively dangerous, because it creates a false sense of security that causes users to take risks they would otherwise avoid.
Top10VPN’s 2024 audit of 100 free Android VPN apps found that over a third used encryption weaker than the current industry standard (AES-256-GCM under OpenVPN or IKEv2, or ChaCha20-Poly1305 under WireGuard). Some apps advertised encryption that was not actually negotiated at the connection level: whatever the settings screen shows, what matters is the protocol the client actually speaks to the server. Zimperium zLabs, in a separate investigation of over 800 free VPN apps, found that hundreds offered no real encryption at all despite claiming to protect user traffic.
DNS leaks, where the device sends DNS queries outside the VPN tunnel so that every domain the user visits remains visible to the ISP or to whoever runs the local network despite the app showing “connected”, were found in a significant proportion of tested apps by both Top10VPN and independent researchers.
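The claim-versus-reality check behind the protocol verification above can be done with a packet capture of the client’s first bytes to the VPN endpoint (for example with tcpdump on a Wi-Fi hotspot the phone is tethered to). The Python below is an added example written for this article, not tooling from Top10VPN, Zimperium or any VPN vendor. It labels the first packet using byte patterns from the public WireGuard, OpenVPN, IKEv2, SOCKS5 and HTTP specifications and compares the label with the protocol the app advertises. The mapping of claims to acceptable fingerprints is the editor’s assumption, and the sample packets are constructed, not captured.

```python
"""Fingerprint the first client-to-server bytes of a "VPN" connection.

Added example for this article. The byte patterns come from the public
protocol specifications; the sample packets below are constructed with
dummy field contents, not captured from any real app.
"""

# Fingerprints a provider may legitimately produce for each advertised protocol.
# Assumption: this mapping is the editor's, not any vendor's statement.
CLAIM_TO_EXPECTED = {
    "WireGuard": {"wireguard-handshake-initiation"},
    "OpenVPN": {"openvpn-hard-reset-client", "tls-client-hello"},  # UDP, or OpenVPN over TCP/TLS
    "IKEv2": {"ikev2-sa-init"},
}


def fingerprint_first_packet(payload: bytes, transport: str) -> str:
    """Heuristic label for the first payload the client sends; transport is 'udp' or 'tcp'."""
    if not payload:
        return "empty"

    if transport == "udp":
        # WireGuard handshake initiation: message type 1, three reserved zero
        # bytes, and a fixed total length of 148 bytes.
        if len(payload) == 148 and payload[:4] == b"\x01\x00\x00\x00":
            return "wireguard-handshake-initiation"
        # IKEv2 IKE_SA_INIT: version byte 0x20 at offset 17, exchange type 34 at
        # offset 18. On UDP/4500 a 4-byte zero non-ESP marker precedes the header.
        ike = payload[4:] if payload[:4] == b"\x00\x00\x00\x00" else payload
        if len(ike) >= 28 and ike[17] == 0x20 and ike[18] == 34:
            return "ikev2-sa-init"
        # OpenVPN: first byte is (opcode << 3) | key_id. A client hard reset is
        # opcode 7 (v2) or 10 (v3, tls-crypt-v2).
        if (payload[0] >> 3) in (7, 10) and len(payload) >= 14:
            return "openvpn-hard-reset-client"
        return "unknown-udp"

    # TCP: the proxy and cleartext protocols some "VPN" apps actually use.
    if payload.startswith(b"CONNECT "):
        return "http-connect-proxy"            # cleartext proxy handshake
    if len(payload) >= 2 and payload[0] == 0x05 and len(payload) == 2 + payload[1]:
        return "socks5-greeting"               # SOCKS5: no encryption at all
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return "plaintext-http"
    # OpenVPN over TCP prefixes each packet with a 2-byte length field.
    if len(payload) >= 16 and (payload[2] >> 3) in (7, 10):
        return "openvpn-hard-reset-client"
    # TLS ClientHello: record type 0x16, version 0x03xx, handshake type 1.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    return "unknown-tcp"


def matches_claim(claimed_protocol: str, payload: bytes, transport: str) -> bool:
    """True if the observed first packet is consistent with the protocol the app advertises."""
    return fingerprint_first_packet(payload, transport) in CLAIM_TO_EXPECTED.get(claimed_protocol, set())


# Constructed samples shaped like the real first messages.
WG_INIT = b"\x01\x00\x00\x00" + b"\x00" * 144                         # 148 bytes
OVPN_RESET_UDP = bytes([0x38]) + b"\x00" * 8 + b"\x00" + b"\x00" * 4   # opcode 7, key_id 0
IKE_SA_INIT = (b"\x11" * 8 + b"\x00" * 8 + b"\x21\x20\x22\x08"
               + b"\x00" * 4 + (28).to_bytes(4, "big"))               # SA_INIT header only
SOCKS5_HELLO = b"\x05\x01\x00"
HTTP_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"

if __name__ == "__main__":
    cases = [("WireGuard", WG_INIT, "udp"), ("OpenVPN", OVPN_RESET_UDP, "udp"),
             ("IKEv2", IKE_SA_INIT, "udp"), ("WireGuard", SOCKS5_HELLO, "tcp"),
             ("OpenVPN", HTTP_CONNECT, "tcp")]
    for claim, pkt, transport in cases:
        label = fingerprint_first_packet(pkt, transport)
        print(f"claims {claim:9s} observed {label:32s} consistent={matches_claim(claim, pkt, transport)}")
```

A mismatch is not proof of malice on its own (some providers wrap traffic in TLS to evade blocking), but an app that advertises WireGuard and opens with a SOCKS5 greeting or an HTTP CONNECT is not encrypting anything, whatever its marketing says.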
4. Excessive and Unjustified App Permissions
A VPN application needs access to your network connections. It does not need access to your location, your list of installed applications, your contacts, your microphone, or your camera. Yet Top10VPN’s audit found:
- 46% of free VPN apps requested permission to scan installed applications — with no function in VPN operation that requires this
- 20% requested location permissions — despite location data having no role in routing encrypted traffic
- Additional permissions including camera and microphone access appeared in apps with no voice or video call feature to justify them
These permissions, granted by users who trust the “VPN” branding, provide data collection capabilities far beyond what any privacy tool should require. The data gathered feeds the monetization model described above.
Privacy International, the digital rights organization, explicitly recommends that users “consider denying app permission to access device location, camera, microphone, storage, and phone-call functions” for VPN apps — because many of these requests exist for harvesting purposes rather than functionality.
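The permission audit described in the methodology and in this section can be automated against an APK’s decoded manifest (for example the output of `apkanalyzer manifest print app.apk` from the Android SDK). The Python below is an added example written for this article, not Top10VPN’s tooling or any vendor’s code. Besides flagging the harvesting permissions discussed above, it checks two things the app store page never shows: whether the app can enumerate installed apps through a `<queries>` block (possible on Android 11 and later even without QUERY_ALL_PACKAGES) and whether it declares a real VpnService at all. The allowlist of VPN-justified permissions is the editor’s assumption; the manifest and package name are constructed.

```python
"""Audit an Android manifest for permissions a VPN client has no reason to hold.

Added example for this article. Input is a decoded AndroidManifest.xml; the
sample manifest below is constructed and the package name is hypothetical.
"""
import json
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: XML namespace

# Permissions a tunnelling client can legitimately need (editor's allowlist, an assumption).
VPN_JUSTIFIED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.FOREGROUND_SERVICE_SPECIAL_USE",
    "android.permission.POST_NOTIFICATIONS",       # persistent "connected" notification
    "android.permission.RECEIVE_BOOT_COMPLETED",   # reconnect after reboot
    "android.permission.WAKE_LOCK",
}

# Permissions with no role in routing traffic, mapped to what they actually collect.
RED_FLAGS = {
    "android.permission.QUERY_ALL_PACKAGES": "installed app inventory",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while app is closed",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_PHONE_STATE": "phone identifiers",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return red-flag, unexplained and structural findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(A + "name") for el in root.iter("uses-permission")} - {None}

    # Since Android 11 an app can also see every launchable package through a
    # <queries> block targeting ACTION_MAIN, without holding QUERY_ALL_PACKAGES.
    enumerates_apps = "android.permission.QUERY_ALL_PACKAGES" in requested
    queries = root.find("queries")
    if queries is not None:
        for action in queries.iter("action"):
            if action.get(A + "name") == "android.intent.action.MAIN":
                enumerates_apps = True

    # A real tunnel must declare a VpnService guarded by BIND_VPN_SERVICE;
    # without one the app cannot route device traffic through itself.
    declares_vpn_service = any(
        svc.get(A + "permission") == "android.permission.BIND_VPN_SERVICE"
        and any(act.get(A + "name") == "android.net.VpnService" for act in svc.iter("action"))
        for svc in root.iter("service")
    )

    return {
        "red_flags": {p: RED_FLAGS[p] for p in sorted(requested) if p in RED_FLAGS},
        "unexplained": sorted(requested - VPN_JUSTIFIED - set(RED_FLAGS)),
        "enumerates_apps": enumerates_apps,
        "declares_vpn_service": declares_vpn_service,
    }


# Constructed manifest shaped like an over-permissioned free VPN app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
    <queries>
        <intent>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent>
    </queries>
    <application android:label="Free VPN">
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# The same app with the VpnService guard removed: a "VPN" that is really a proxy client.
PROXY_ONLY_MANIFEST = SAMPLE_MANIFEST.replace(
    'android:permission="android.permission.BIND_VPN_SERVICE"', "")

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

The `unexplained` list is worth reading as closely as the red flags: an advertising-ID permission in a product that claims to have no ads tells you how the app is funded before you read a word of the privacy policy.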
5. Fake Reviews and Inflated Ratings
A VPN application’s app store rating is a weak safety signal. Research has projected that fake reviews could comprise up to 37% of app store reviews by 2025. Free VPN apps, which generate revenue from user installs, have strong financial incentives to inflate ratings through review purchases. Apps with four-star ratings and tens of thousands of reviews have subsequently been found to contain malware (the 911 S5 botnet apps are the documented example). Rating and review counts are not safety indicators for this category.
6. Ownership Opacity and Jurisdiction Risk
Many free VPN apps obscure who actually owns and operates them. A single holding company may operate dozens of different-branded free VPN apps simultaneously, each with its own name and app store presence. The CISA December 2024 guidance specifically cited “questionable security and privacy policies” as characteristic of many free and commercial VPN providers.
Beyond opacity, jurisdiction matters. A free VPN operated by a company incorporated in a country with mandatory data retention laws, or whose infrastructure has been documented as having links to foreign state entities, presents a category of risk that no privacy policy language can mitigate. Users cannot verify infrastructure claims without technical audits — which free-only apps do not commission.
Risks We Did Not Find
A fair audit documents what the evidence does not support. Here is what our testing and research does not establish:
Not all free VPNs are identical risks. The framing “free VPN = dangerous” is an oversimplification that erases a meaningful distinction: free tiers offered by paid-tier-primary providers with published audits (Proton VPN, Windscribe) operate under materially different standards than standalone free apps with no paid offering and no disclosed funding model. The risks documented above apply to the latter category, not the former.
No evidence of widespread man-in-the-middle decryption by free VPN providers against general users. Data monetization in the category primarily occurs through traffic logging, permission-harvesting, and bandwidth resale — not real-time decryption of encrypted sessions for intelligence gathering. The latter is technically possible in cases of weak or absent encryption, but it is not the documented primary abuse mode.
No evidence that paid VPN providers as a group are significantly implicated in these practices. The FTC, academic research, and investigative journalism on free VPN abuse have not produced equivalent findings about audited paid-tier providers operating under genuine no-logs infrastructure. The problems are concentrated in the free-only, no-audit-history, opaque-ownership segment of the market.
Legitimate free tiers do exist. Proton VPN Free, operated by Proton AG (Switzerland), provides unlimited data, uses WireGuard-based infrastructure, publishes a SOC 2 Type II audit (completed July 2025), has open-source apps, and does not log, inject ads, or monetize traffic. It is one of the few free VPN products that passes a credible safety bar. Windscribe Free provides 15 GB monthly data under a similar model, with an audited no-logs policy. These exist; they are exceptions; the exception proves the rule.
How to Use Free VPNs More Safely
If you use or intend to use a free VPN, these steps meaningfully reduce your exposure.
Apply the funding model test before downloading. Ask: if this app charges nothing and has no premium tier, how does it cover operating costs? If the answer is unclear or absent from the privacy policy, the answer is your data. Install only if the funding model is disclosed and acceptable.
Use only free tiers from providers with a paid product. Proton VPN Free, Windscribe Free, and TunnelBear (500 MB/month) are limited versions of audited commercial products. The free tier subsidizes user acquisition; the paid tier covers infrastructure costs. This funding model does not require monetizing user traffic.
Read the privacy policy before installing — specifically these clauses:
- “We may share data with third parties” — find out which third parties and for what purpose
- “Aggregated or anonymized data” — anonymization is frequently reversible; this clause often permits de facto data sale
- “You may act as a peer/exit node” — this is Hola-style bandwidth resale; decline immediately
Check the permission manifest before accepting. On Android, view the full permission list in the app store before installing, and deny any runtime permission (location, camera, microphone, contacts) you cannot attribute to a specific VPN function. Install-time permissions such as installed-app enumeration (QUERY_ALL_PACKAGES on Android 11 and later) are granted automatically and cannot be revoked afterwards, so for those the only defence is not installing. Location and installed-app-list permissions should trigger immediate reconsideration.
Run a DNS leak test after connecting. Visit a DNS leak test site immediately after connecting to confirm that DNS queries are routing through the VPN tunnel rather than your ISP. If your ISP’s resolvers appear in the results, or any resolver outside the provider’s own network does (including an IPv6 resolver when the tunnel only carries IPv4), the VPN is not masking your browsing; it has only created the appearance of doing so. Repeat the test after switching networks (Wi-Fi to mobile data), since leak protection that holds on one network does not always survive a reconnect.
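To make the leak test repeatable, the Python below (an added example written for this article, not the article’s own tooling and not any provider’s code) classifies what a leak test reports after connecting. It assumes you noted the resolver addresses the test showed before connecting, know the provider’s tunnel and resolver ranges from the app’s configuration or documentation, and optionally captured the device’s resolv.conf-style configuration. All addresses below are constructed documentation ranges, not any real provider’s.

```python
"""Classify DNS leak-test results after connecting to a VPN.

Added example for this article. Inputs: resolver IPs a leak test reported
before connecting (your ISP/LAN), the IPs it reports after connecting, and
the provider's tunnel and resolver ranges taken from the VPN configuration.
All addresses below are constructed examples.
"""
import ipaddress


def resolvers_from_resolv_conf(text: str) -> list:
    """Return the nameserver entries from resolv.conf-style text (Linux/macOS)."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_dns_leak(pre_connect, post_connect, tunnel_networks, vpn_resolvers=()):
    """Decide whether the resolvers seen after connecting are inside the tunnel.

    Any post-connect resolver that was already visible before connecting, or
    that lies outside every tunnel network and the provider's resolver list,
    is a leak. An IPv6 resolver can never match an IPv4-only tunnel, which
    catches the common failure where an app tunnels IPv4 and ignores IPv6.
    """
    pre = {ipaddress.ip_address(a) for a in pre_connect}
    post = {ipaddress.ip_address(a) for a in post_connect}
    nets = [ipaddress.ip_network(n, strict=False) for n in tunnel_networks]
    allowed = {ipaddress.ip_address(a) for a in vpn_resolvers}

    def inside_tunnel(ip):
        return ip in allowed or any(ip.version == n.version and ip in n for n in nets)

    leaked = sorted((ip for ip in post if ip in pre or not inside_tunnel(ip)), key=str)

    if not post:
        verdict = "no-data"
    elif not leaked:
        verdict = "tunneled"
    elif len(leaked) == len(post):
        verdict = "leak"
    else:
        verdict = "partial-leak"   # some queries tunneled, some not: still a leak
    return {
        "verdict": verdict,
        "leaked": [str(ip) for ip in leaked],
        "ipv6_leak": any(ip.version == 6 for ip in leaked),
    }


# Constructed sample data (RFC 1918 and RFC 3849 documentation addresses).
ISP_RESOLVERS = ["192.168.1.1", "2001:db8:100::1"]      # seen before connecting
TUNNEL_NETWORKS = ["10.2.0.0/16"]                       # IPv4-only tunnel range
VPN_RESOLVERS = ["10.2.0.1"]                             # provider's in-tunnel resolver
LEAKY_RESOLV_CONF = "nameserver 10.2.0.1\nnameserver 2001:db8:100::1\n"
CLEAN_RESOLV_CONF = "nameserver 10.2.0.1\n"

if __name__ == "__main__":
    for label, conf in (("leaky app", LEAKY_RESOLV_CONF), ("clean app", CLEAN_RESOLV_CONF)):
        result = classify_dns_leak(ISP_RESOLVERS, resolvers_from_resolv_conf(conf),
                                   TUNNEL_NETWORKS, VPN_RESOLVERS)
        print(f"{label}: {result}")
```

Treat `partial-leak` as a failure, not a partial pass: a resolver that answers even some of your queries outside the tunnel sees those domains in the clear.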
Report fraudulent apps to the FTC. If a VPN app harvests data in contradiction of its stated privacy policy, or if you believe you have been defrauded by a fake VPN application, file a complaint at ReportFraud.ftc.gov. The FTC’s enforcement database is built from consumer complaints — reporting matters.
Never use a free VPN on a device containing work accounts, financial apps, or sensitive personal data. The risk profile of most free VPN apps is incompatible with any environment where data compromise has meaningful consequences. If free VPN is your only option in that context, Proton VPN Free is the most defensible choice.
Safer Alternatives
Audited Free Tiers — The Only Category We Can Recommend Without Reservation
| Provider | Free Tier Limits | Why It Clears the Bar |
|---|---|---|
| Proton VPN Free | Unlimited data, 10 server countries, 1 device | SOC 2 Type II audit (July 2025), open-source apps, Swiss jurisdiction, no ads, no logging. Same WireGuard infrastructure as paid plans. |
| Windscribe Free | 15 GB/month, 10+ server locations | Audited no-logs policy, open-source client, Canada jurisdiction, no traffic monetization. Generous free limit for moderate use. |
| TunnelBear Free | 500 MB/month | Annual independent security audit (Cure53), Canadian jurisdiction, transparent privacy policy. Limit makes it impractical for daily use but safe for occasional public Wi-Fi. |
Paid VPNs — The Right Answer When Privacy Actually Matters
For any context where you need reliable privacy protection, a paid VPN from an audited provider at $2–$4/month is the correct answer. The cost is lower than a monthly streaming subscription.
Axis Intelligence’s full ranking is available at Best VPN 2026. In brief:
- NordVPN — six independent no-logs audits since 2018, most recent Deloitte ISAE 3000 attestation December 2025. Largest audited server network.
- Proton VPN — Swiss jurisdiction, SOC 2 Type II, open-source, the most privacy-forward major provider.
- ExpressVPN — Audited no-logs, Lightway proprietary protocol, consistently highest speeds in independent tests.
- Surfshark — Best value for multi-device households; unlimited simultaneous connections; independently audited.
Verdict by Use Case
Occasional traveler using public Wi-Fi (airports, hotels) ⚠️ Caution — use audited free tier only. If you need occasional protection on networks you do not control, Proton VPN Free or Windscribe Free provide genuine encryption without traffic monetization. Do not use an unknown free VPN from the Play Store for this purpose — the protection it claims to provide may not exist, and your traffic may be less private than without the app.
Daily privacy-conscious user 🔴 Do not use a typical free VPN. Most free VPN apps are not privacy tools — they are data collection tools that use privacy marketing to acquire users. For daily use, a paid VPN at ~$3/month is the minimum acceptable solution. Proton VPN Free is acceptable for basic daily use given its unlimited data and audited infrastructure, but free tier server limitations reduce reliability.
Streaming and geo-unblocking 🔴 Free VPNs do not reliably unblock streaming services. Netflix, Disney+, BBC iPlayer, and others actively block VPN exit nodes, and free VPN server pools — typically small, static, and widely identified — are among the first blocked. This use case requires a paid VPN with rotating server infrastructure. Proton VPN Free does not reliably unblock major streaming platforms.
Business or remote work 🔴 Do not use any free VPN on a work device. The permission scope, traffic logging practices, and bandwidth resale behaviors documented in most free VPN apps create compliance and security risks that are incompatible with any professional environment. CISA’s guidance explicitly addresses this context. Enterprise remote access belongs on zero-trust or corporate VPN infrastructure, not consumer free apps.
Minor (under 18) 🔴 Do not install an unvetted free VPN on a minor’s device. The data harvested by most free VPN apps — browsing history, location, installed app inventory — is particularly sensitive when it belongs to a child. The FTC’s COPPA enforcement framework covers apps that collect data on children under 13, but app store age gates are not reliably enforced. If a minor needs VPN access for legitimate reasons (accessing school resources while traveling, bypassing network restrictions), Proton VPN Free is the only category-appropriate choice.
User in a country with internet censorship or surveillance 🔴 Do not use an unknown free VPN for this purpose. This is the highest-stakes use case and the context where the jurisdiction, ownership opacity, and infrastructure integrity of a free VPN are most likely to matter in ways that carry real personal consequences. Use Proton VPN (paid or free tier) or an equivalent audited Swiss-jurisdiction provider. Do not use any app whose ownership or server infrastructure you cannot verify.
FAQs
Are free VPNs safe?
Most are not. A Top10VPN investigation of 100 free Android VPN apps found nearly 90% leaked user data in some form. Nearly 70% requested permissions with no VPN function. A small number of free tiers from audited, paid-primary providers (Proton VPN Free, Windscribe Free) do meet a credible safety standard. The category requires careful discrimination, not a blanket endorsement or blanket rejection.
What does CISA say about free VPNs?
CISA’s December 2024 mobile security guidance states: “Do not use a personal virtual private network (VPN). Personal VPNs simply shift residual risks from your ISP to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies.” The guidance was issued in the context of high-value targets (government officials, senior executives), but the underlying risk analysis applies broadly.
How do free VPNs make money if they charge nothing?
Documented monetization methods include: selling user browsing data to data brokers and advertisers, enrolling user devices in residential proxy networks and selling the bandwidth (Hola/Bright Data model), injecting advertisements into web traffic, and in the worst cases, using installed devices as nodes in criminal botnet infrastructure. The 911 S5 botnet used exactly this model before its May 2024 dismantlement.
What free VPNs are actually safe?
Proton VPN Free (unlimited data, SOC 2 Type II audited, Swiss jurisdiction, open-source), Windscribe Free (15 GB/month, audited, Canadian jurisdiction), and TunnelBear Free (500 MB/month, annually audited by Cure53). All three are limited tiers of providers with paid-tier products and third-party security audits. No other free VPN clears the bar we would recommend without reservation.
Is Hola VPN safe?
No. Hola’s free tier enrolls users in the Bright Data residential proxy network, selling their idle IP address and bandwidth to third-party commercial clients. This has been Hola’s confirmed business model since 2015 and has not changed. Hola’s Android app was removed from the Google Play Store over security concerns. Do not install Hola.
Can a free VPN see my passwords and bank details?
A free VPN in a man-in-the-middle position on your traffic has the technical capability to intercept unencrypted connections. In practice, HTTPS encrypts the content of most sensitive connections (banking, passwords) end to end, so the provider cannot read it unless the app also installs its own root certificate on your device or you click through certificate warnings. What the provider always sees is connection metadata: the destination IP address, the hostname (from your DNS queries and the TLS SNI field), when, and for how long. Apps with weak or absent tunnel encryption add a second exposure: on an untrusted network, anyone else on that network sees the same metadata and any cleartext HTTP content.
Why do security agencies warn against VPNs if they protect privacy?
CISA’s guidance addresses a specific concern: a VPN shifts trust from your ISP (whose behavior is regulated and known) to the VPN provider (whose behavior may be unknown, unaudited, or actively adversarial). For ordinary users connecting to public Wi-Fi, a reputable VPN reduces risk. For high-value targets, an unvetted VPN can introduce a surveillance surface that would not otherwise exist. The guidance is calibrated for high-risk individuals, but the underlying logic applies to anyone using an unaudited free app.
What should I check in a free VPN’s privacy policy?
Three things matter most: (1) whether the policy explicitly enumerates every category of data collected, without vague “anonymized” carve-outs; (2) whether the policy permits sharing data with third parties, and under what conditions; (3) whether the policy discloses bandwidth resale or peer-network enrollment. If any of these three questions produces a vague, qualified, or absent answer, the policy does not provide the protection you need.
