Hola VPN is a shady VPN – we’ve mentioned it before, since the very idea it’s based on is nice in theory but pretty much dangerous in practice.
Your computer acts as an exit node for others, meaning anyone on the Hola VPN network can use your IP address for whatever they’re doing. Sounds like a great way for criminals to use your computer to carry out their business.
Now, with a new report by Trend Micro [pdf], we can see that’s exactly what’s going on. In their groundbreaking and damaging research, Trend Micro analyzed 100 million URLS based on data from 7,000 computers that had Trend Micro software installed on them. What they found was eye-opening to say the least, and it led their anti-virus software to detect Hola VPN as “unwanted software.”
We pored through their 32-page report to see what the biggest takeaways are from this sobering report on one of the world’s biggest free VPNs.
But before we get into that, let’s look at the connection between Hola VPN and Luminati, which features heavily in the report.
The connection between Hola VPN and Luminati
Hola VPN is Luminati. That’s the connection. There, that was easy.
But, if you wanted to get more detailed with it, Hola VPN is free, and Luminati is paid. Hola VPN has millions of users, all using their free VPN service and giving up their IP addresses and idle computer resources in order to use that service.
And Luminati takes all those IP addresses and idle computer resources and sells them to companies (legitimate and scammers alike) for anywhere between $500/month to $100,000/month.
What those Luminati customers are doing with all those IP addresses and idle resources is where the fun begins, and we’ll look at that in detail below.
So let’s see what the biggest takeaways are and how you can protect yourself from all this madness.
#1 Hola VPN is not actually a VPN
Probably the first and biggest revelation from Trend Micro’s report is that Hola VPN is a VPN in name only, like the “Dr.” in Dr. Dre.
In actually, it is more like a web proxy. Even worse, it’s an unencrypted web proxy, meaning all your traffic that goes through the free VPN is open for any eyes to see.
This is because Hola VPN seems to be lying to its users. Its marketing message says:
Connect to other free VPN users like yourself, and use their networks as exit nodes, while they’ll use yours.
It’s sort of a kumbuya idea, a P2P or crowdsourced VPN. But the reality is more like this:
Connect to our free VPN. You will probably be using one of our 1,000 cheap proxy servers. Our Luminati customers will use your network as exit nodes.
According to the report:
“…we found that traffic is mostly routed through roughly 1,000 super nodes in data centers…We did not observe any real P2P traffic and it doesn’t seem to be possible at all to use other users’ computers as exit nodes.”
#2 Hola VPN doesn’t encrypt your traffic
From the screenshot above, you probably noticed that magic word: unencrypted. After all, we put a big red box around it so you could notice it.
To further emphasize the fact that Hola VPN isn’t a VPN at all – it doesn’t even have the basic function of a VPN. VPNs, as you remember, route your traffic through a server in a location of your choice, but they encrypt that traffic first.
That way, your communications are unreadable: your messages, videos, files, audio, etc. Different VPNs have different encryptions, but most of them use military-grade encryption that’s virtually impossible to crack.
Hola VPN decided not to go that route. The Trend Micro report goes through the steps for how users connect to Hola VPN to show how their traffic is unencrypted:
But we’ll highlight the golden point:
Hola VPN sends an HTTP request to the website the user is trying to access directly, leaking that user’s IP address, and also letting the website know the user is a Hola VPN user – since the request contains info about Hola VPN. After that, the Hola VPN client connects to one of its 1,000 super nodes (again, not million of users’ computers) and all traffic is proxied through the super node, without encryption.
The report goes on to state:
“The absence of encryption between client and super nodes means that somebody who is able to intercept traffic can see the websites a Hola user is visiting and can read data he is uploading or downloading on the internet.”
#3 Hola VPN blacklists a lot of sites, unlike any real VPN
VPNs are supposed to give you access to blocked sites, not block those sites by themselves. But, again, Hola VPN isn’t a real VPN.
It’s pretty much the opposite of a VPN, since it:
- doesn’t encrypt your traffic (unlike all VPNs)
- doesn’t offer unlimited internet (unlike all VPNs)
- isn’t a VPN, in any way, shape or form
The report states that Hola VPN blocks access to several websites, including:
Why would you ever want to visit those sites, anyways? Here’s a fun screenshot of the blacklisted websites:
Again, we want to emphasize how bizarre this is. VPNs help free the internet. They don’t restrict it.
If you want to have unlimited access to the internet with no blacklisted domains, you can subscribe to their paid premium version.
#4 Luminati is pretty much just click fraud
The report states the following about Luminati:
“Hola Networks Ltd. sells the bandwidth of millions of Hola VPN users via their Luminati website. Prices are steep and start from US$500 up to US$100,000 per month. The average user of Hola VPN will have no idea what kind of traffic Luminati is pumping through the user’s internet connection.”
With a name like Luminati (hint-hint, Illuminati) who could’ve guessed it might be used for shady purposes.
Anyways, the Luminati paid service allows its customers to use Hola VPN customers’ bandwidth and IP addresses to scrape data from websites or, as the report implies, commit click fraud.
Yes, click fraud – where online ads are clicked on by fake users so that the website or mobile app gets all the ad revenue. Sometimes click fraud is done manually – imagine a warehouse with tens of thousands of mobile phones and computers, and people switching IP addresses and clicking on the ads around the clock.
But, of course, it’s more profitable and scalable for that to be done automatically. With a good-enough script and lots of various IP address – thanks to Hola VPN’s free users – it would be impossible for any website or company to spot fake traffic from real traffic, and fake clicks from real clicks.
Seeing as the mobile ads market is estimated at $143 billion in 2017, that leads to lots of real money for the scammers.
According to the report, up to 86% of all Luminati traffic goes to websites “developing mobile apps, are in the mobile advertisement business, or in the business of affiliate tracking.”
#5 Hola VPN is like malware for corporations – and it’s difficult to uninstall
According to the report, you should never use Hola VPN at work, seeing as any devices that have the free VPN installed can have their corporate firewall circumvented. That way, hackers can easily gain access to the corporation’s internal network.
Even worse, it’s very difficult to uninstall. That’s because, even after you uninstall Hola from your computer, the binaries are not deleted.
According to the report:
“ Though we found that both the service and auto-start registries have been deleted, we saw that Hola was running during the uninstallation process itself – meaning the registries will be added right back after the uninstallation process.”
How to protect yourself from VPN scams
We’ve mentioned it before: you should probably not use free VPNs. As the old saying goes:
“If you’re not paying for it, you’re the product.”
That could be as simple and innocuous as annoying ads in the app, or it could be as dangerous as what Hola VPN is doing here.
We can even further emphasize this point by letting you know that paid VPNs can cost as little as $2/month, so if you really need a strong, military-grade, privacy-focused VPN that’s actually a VPN, we’ve already listed the best of the best VPNs here.
There’s no reason anyone should ever use Hola VPN. The best way to protect yourself is to delete it immediately and get yourself a real VPN that won’t betray your trust, steal your bandwidth, possibly infect your computer with malware, or commit click fraud with your resources.