Are free VPNs safe? Here's what the research says
According to recent research, nearly a third of US VPN users rely on free VPN services. It's not difficult to understand why. For infrequent users, it can be difficult to justify the subscription cost – especially when most providers make you commit to a year up front for a decent price. Free VPNs, though, also have a lower barrier to entry. Many minors and people in developing countries lack access to credit cards, and entering payment information can be a hassle, even for adults.
Unfortunately, while free VPNs are convenient, there are growing concerns about their safety. Some paid VPN providers claim that you shouldn't use them at all — but how much can you trust their word? This guide will try to examine the safety of free VPNs from a more analytical perspective, covering:
- Why do companies offer VPNs for free?
- How safe is your data with a free VPN?
- Do free VPNs really have malware?
- Are there any good free VPNs?
- Are paid VPNs safer than free ones?
Why do companies offer VPNs for free?
As a virtual private server provider, we are acutely aware here at BitLaunch that operating a VPN network is not cheap. What is blatantly clear is that nobody is going to give you a free VPN without an ulterior motive.
As far as we see it, there are four reasons a company might offer you a VPN for free:
- To collect and sell your data (or pass it on to partners)
- To turn customers' PCs into a botnet or proxy via malicious code
- To serve you ads from which they can then make ad revenue
- To try to convert you into a paying customer
Some of these are clearly much worse than others. Many users would be fine with option four and perhaps even option three, provided the advertisements are not too invasive.
The problem, however, is that you don't know which monetization model you're getting when you install a free VPN. Many use multiple methods to generate revenue, while some hide behind one revenue model while operating a much shadier one in secret. So, let's take a look at how common these practices really are.
How safe is your data with a free VPN?
There are two significant concerns associated with free VPNs and your data.
- Are they selling it to data brokers or acting as a honeypot?
- If they're not, how much money and effort are they investing in keeping your data secure?
It's worth looking at each of these in a bit more detail.
How common is it for free VPNs to sell user data?
The sale of user data is the number one reason paid VPN providers give for not using a free VPN. The problem is that this makes a lot of sense for them from a marketing perspective. Privacy-conscious users make up a significant portion of their target market — portraying free ones as data-selling monsters is good for their bottom line. This makes it difficult to trust their claims.
Fortunately, there is independent research on this topic. This study on free Android VPNs by researchers at CSIRO, ICSI, UC Berkeley, and UNSW is perhaps the most comprehensive. Here are some key statistics from the paper, which analyzed 283 Android VPN apps:
- 67% of the free VPN apps had one or more third-party tracking libraries in their source code.
- 16% of the apps deployed non-transparent proxies, which were sometimes used to inject JavaScript into users' traffic for advertising and tracking purposes.
- Four of the apps used TLS interception, a technique that may allow them to inspect users' encrypted browsing traffic.
- 82% of the apps requested permissions to access sensitive Android device data, including user accounts, text messages, and system logs.
Unfortunately, it is extremely common for free VPN apps to track users and misuse their data. A cursory search reveals a dozen confirmed cases of free VPNs selling user data, along with numerous credible accusations. Selecting a free VPN at random is unlikely to yield a positive outcome.
Do free VPNs keep your data safe?
Many free VPN apps claim to improve security and provide anonymity by encrypting users' internet traffic. The study we quoted earlier found that 18% of the apps tested used unencrypted tunneling protocols. 84% did not tunnel IPv6 traffic at all due to a lack of support or misconfiguration. 66% did not tunnel DNS traffic through the interface. Such VPNs have little to no benefit in preventing surveillance and censorship of users' traffic on public/controlled WiFi networks or by government agencies.
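A way to check a client for the IPv6 and DNS gaps described above, as an added example that is not from the study or the original article: it classifies the output of `ip route get` by whether each destination leaves through the VPN interface. It assumes a Linux client and a tunnel interface named tun0; the sample output and addresses are constructed.

```python
import re

# Constructed sample: output of `ip route get <addr>` on a Linux client whose
# VPN is up on tun0 but only captures IPv4. Addresses are documentation ranges.
SAMPLE = {
    "ipv4": "198.51.100.7 dev tun0 src 10.8.0.2 uid 1000\n    cache",
    "ipv6": ("2001:db8:ffff::7 from :: via fe80::1 dev wlan0 proto ra "
             "src 2001:db8:1::23 metric 600 pref medium"),
    # Resolver taken from /etc/resolv.conf: still the home router.
    "dns": "192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000\n    cache",
}

def egress_dev(route_get_output):
    """Return the interface a destination leaves through, or None if unroutable."""
    match = re.search(r"\bdev\s+(\S+)", route_get_output)
    return match.group(1) if match else None

def audit(tunnel_dev, probes):
    """Classify each probe as tunnelled, blocked, or leaking outside the VPN."""
    result = {}
    for label, output in probes.items():
        dev = egress_dev(output)
        if dev is None:
            result[label] = "blocked"          # no route: traffic cannot leave at all
        elif dev == tunnel_dev:
            result[label] = "tunnelled"
        else:
            result[label] = f"leak via {dev}"  # bypasses the VPN interface
    return result

def leaks(tunnel_dev, probes):
    """Names of the traffic classes that bypass the tunnel."""
    verdicts = audit(tunnel_dev, probes)
    return sorted(k for k, v in verdicts.items() if v.startswith("leak"))

if __name__ == "__main__":
    for label, verdict in audit("tun0", SAMPLE).items():
        print(f"{label:5} {verdict}")
```

Feed it real output from `ip route get <address>` captured while the VPN is connected, using the resolver listed in /etc/resolv.conf for the DNS probe. A route through the tunnel shows where packets go, not that the tunnel itself is encrypted.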
A history of data breaches
These basic flaws raise questions about the level of effort free VPNs put into security in general. A notorious example of lax security is the 2020 data leak affecting seven Hong Kong-based free VPN providers: UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.
Though outwardly distinct entities, it soon became clear that all of the VPNs were operated by the same group. In short, 1.2 terabytes of user data was left unprotected and publicly available on a shared server. Despite being marketed as "no-log" VPNs, the compromised data was highly sensitive, including email addresses, plaintext passwords, home addresses, phone models, device IDs, and extensive internet activity logs.
While this is the most high-profile case of a free VPN data leak, it's far from the only one:
- In 2023, a SuperVPN breach leaked 360 million records, including email addresses, original IPs, geolocation, secret keys, and links to the websites users had visited.
- In 2021, a network of VPNs, including SuperVPN, GeckoVPN, and ChatVPN, was found to have a publicly available database. Records of over 21 million users were stolen, including email addresses, payment information, device IDs and serial numbers, full names, and country names.
To be clear: paid VPNs are not immune to data breaches either. Many will have heard about the 2018 NordVPN incident and the ExpressVPN RDP bug. The difference with these breaches is that they tended to be limited and localized and did not expose nearly as much sensitive data due to their no-log policies.
Do free VPNs really have malware?
Painting free VPNs as malware-infected always felt like a scare tactic to us. However, there is some research to suggest it's not completely groundless. The Ikram et al. study we keep referencing scanned hundreds of VPN apps with VirusTotal. The researchers found that 38% of the apps had at least one malware detection. This doesn't mean much, since some of VirusTotal's scanners throw up a lot of false detections.
More concerning is that 4% of the VPNs had detections from five or more scanners, with some having up to 24 detections. While this is a small percentage, several of the implicated apps were very popular, with one boasting 5 million installs. Out of these, most of the detections (43%) were for adware, but 29% exhibited a Trojan detection, 17% malvertising, 6% riskware, and 5% spyware.
However, it's worth noting that free apps were not the only ones with malware detections. Out of the ten apps with the most detections, there were four premium apps. Three had 5,000 or fewer installs, but one had been installed by more than 50,000 users.
Several other sources back up the claim that malware is a concern with free VPN apps. In 2024, the US Justice Department dismantled one of the biggest-ever botnets. It was propagated in large part by users whose devices had been unwittingly converted after installing free VPN apps.
So, malware does not appear to be exclusive to free VPNs, but it does appear to be more common and present in more popular apps. Any user looking to use a VPN should choose an established, trusted company or perform a scan themselves.
Are there any good free VPNs?
The free VPN landscape is clearly a minefield. Many free VPN apps aren't just dangerous; they barely function. They consistently have poor speeds, are blocked by websites, and don't improve privacy.
That said, we haven't yet talked about the final category of free VPN: freemium VPNs. There are a few legitimate, well-respected VPN providers that offer free versions of their apps to lure in prospective customers. We tested a few of these as part of our best VPNs for streaming article.
In our testing, two established, trusted VPNs with free apps stood out as having an acceptable (though limited) user experience:
- Proton VPN: Proton has the best free offering overall. Its servers are fast enough, it does not have traffic limits, and it does not keep logs or serve ads. The primary limitation is the number of countries (6), and that your server is randomly selected.
- Windscribe: Windscribe goes in a slightly different direction with its free offering. You get more servers than Proton, but limited bandwidth. The maximum per month is 10GB if you verify your email. There are no ads or trackers.
Both VPNs have published independent security and logging audits, as well as transparency reports surrounding the data they have provided to courts and law enforcement. At the time of writing, neither company was able to provide the courts with relevant data.
Are paid VPNs safer than free ones?
There are some bad paid VPNs, but as a general rule, they're more likely to be safe. The research available shows that paid VPNs are more likely to use modern protocols, conduct regular security audits, and take customers' privacy seriously. It's rare but not unheard of for paid VPNs to sell user data; they already have a strong revenue stream that they don't want to disrupt.
While paid VPNs are not immune to leaks and breaches, evidence so far suggests that they tend to be less harmful when they do happen. This is partly due to the lack of logging, and partly down to stronger security practices that better segment data.
Should you trust your VPN provider?
Using a VPN from a mainstream provider always requires a degree of trust. You must trust that they are doing everything they say they are and publishing audits even when they make them look bad. You also need to trust that they do not have any secret backdoors or data-sharing agreements, that they store your credit card data securely, etc.
For these reasons, there is an increasing trend of users hosting their own VPNs. They rent infrastructure from a cloud or VPS provider and set up a VPN there. This allows the customer to have full visibility and control over the infrastructure, including whether logs are kept, server security, and which VPN protocols/features are in use. This is more effort, but nowadays, one-click apps from VPS providers let users set up their own VPN in seconds.
At BitLaunch, we understand the importance of user choice. We offer both options — the ability to launch your own VPN server, or to have us launch one for you. Regardless of your decision, your VPN is hosted on our privacy-first infrastructure and funded via our private payment system. We don't ask for your name, credit card information, or other identifiable information. We don't log, we don't run trackers, and we let you destroy your data at will.
Don't want to commit upfront? Sign up for an account and talk to our support team for some free credit.