Botnets and backdoors: The free VPN trojan horse
Free VPNs used in massive botnet that exploited millions of devices
Imagine being accused of a cybercrime. You don’t know much about the internet, and even less about crime. And then suddenly, a mountain of digital forensics and cybersecurity comes crashing down on you. The police confiscate your devices and scour through every inch of your digital life. Your computer and its unique IP address, the authorities finally tell you, are responsible for fraud in the five-digit range. Or maybe they say you’ve done something even more incomprehensible. Either way, you’re left to navigate a legal hell to try to clear your name of a crime you don’t even understand. This nightmare can be all too real for many internet users.
Just weeks ago, an international operation led by the U.S. Justice Department (DoJ) took down an extensive global botnet called 911 S5. Over the course of a decade, what the DoJ calls “likely the world’s largest botnet ever” had infiltrated 19m unique IP addresses in almost 200 countries. Access to compromised devices was then sold to criminals to commit cyberattacks, theft, fraud, and to cloak illicit activities behind the IPs of unsuspecting users.
A key point in this story is that the botnet used backdoors designed into six free Virtual Private Network (VPN) programs which, in addition to being functioning VPNs, were also malware. Following the arrest of the alleged botmaster, the Federal Bureau of Investigation (FBI) released a public service announcement (PSA) warning users to uninstall the VPNs and to scan their systems for the malware files that opened the gates of their systems to criminal exploitation.
This is the first installment of Nym's series, in which we deep-dive into the risks of using “free” VPN services. As we will investigate throughout the series, many free VPNs can pose real threats to user privacy and security, and they almost always contain invasive practices like targeted advertising. This is the complete opposite of the main reason users turn to a VPN: genuine privacy, security, and anonymity online. The 911 S5 botnet should be a wake-up call, but the problem goes much deeper.
ProxyGate 2024: A multi-billion dollar trojan horse
A botnet is a network of compromised devices which can be remotely controlled by a central entity. Once infiltrated, the devices can then be used to perform malicious activities behind the backs of their owners, such as DDoS attacks, spam distribution, fraud, or disseminating exploitative material like child pornography.
With the 911 S5 residential proxy network in place and powered by 150 servers worldwide, the botmaster sold access to tens of millions of IP addresses through a virtual marketplace. Purchasers then used these IPs to perform a wide range of illicit activities, most notably defrauding the U.S. government’s pandemic aid program of billions of dollars through fake applicant claims.
How was an operation of this scale possible in the first place? According to the DoJ’s court order of 10 May 2024, the suspect installed backdoor access to users’ devices principally by offering their own “VPN software for free online” and hiding “the malicious properties from those users that intentionally downloaded what they believed to be a legitimate VPN program.” The malware was also spread through torrenting software and “pay-per-install services” in which digital distributors are paid every time a malware-bundled program is successfully installed on a user device.
The 911 S5 marketplace was allegedly taken down by investigators in 2022 before reemerging as “Cloudrouter” in 2023. However, the malware continued to operate on users’ systems without any further intervention until the FBI’s aptly titled “Operation Tunnel Rat” finally took down the VPN domains and outed the names of the VPN programs publicly.
At the time of his arrest on 24 May 2024, the alleged botmaster, according to government estimates, had alone amassed $99M in profits from selling IP access. An astonishing $5.9B was defrauded from the U.S. government’s pandemic and unemployment aid programs. The losses, pain, and confusion suffered by millions of unwitting individuals worldwide have yet to be heard.
The free VPN backdoor
Six VPN and proxy services are claimed to be responsible for providing backdoors for malware infections in the 911 S5 botnet:
- MaskVPN
- DewVPN
- PaladinVPN
- ProxyGate
- ShieldVPN
- ShineVPN
What exactly do we know about them? As expected, surprisingly little. The indictment does make clear that these VPN services were designed specifically for the purpose of constructing the botnet. The malware remained active in the background of users’ systems as innocuous-seeming .exe files, such as “MaskVPN.exe,” which users likely assumed were protecting them. If anything, the lack of information to be found on these VPNs downloaded by millions of users is a telltale sign of how unregulated and unscrutinized the free VPN industry is.
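As an added illustration that is not part of the original article or the FBI's PSA, the following PowerShell script performs the kind of system check the PSA asked users to make: it looks for the six program names listed above in running processes, Windows services, autostart (Run) entries and common install folders. The only file name the article confirms is MaskVPN.exe; the assumption that the other programs use their own names for processes, services or folders is mine, so a match is a lead to investigate rather than proof of infection.

```powershell
# Added example (not from the article or the FBI). Indicator names are the six
# programs the article lists; the only file name the article confirms is
# MaskVPN.exe, so matching on the other names is an assumption.
$Indicators = @('MaskVPN', 'DewVPN', 'PaladinVPN', 'ProxyGate', 'ShieldVPN', 'ShineVPN')
$Pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-FreeVpnIndicators {
    # Running processes: the article says the malware stayed active as a background .exe.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match $Pattern -or $_.ExecutablePath -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Type = 'Process'; Name = $_.Name; Detail = $_.ExecutablePath } }

    # Windows services, a common way for a backdoor to survive reboots.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.PathName } }

    # Per-user and machine-wide autostart (Run) entries.
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and "$($_.Name) $($_.Value)" -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Type = 'Autorun'; Name = $_.Name; Detail = $_.Value } }
    }

    # Files and folders under the usual install locations (thorough, so it takes a while).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
               $env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ -and (Test-Path $_) }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Type = 'File'; Name = $_.Name; Detail = $_.FullName } }
    }
}

$findings = @(Find-FreeVpnIndicators)
if ($findings.Count -eq 0) { 'No indicator names found.' }
else { $findings | Sort-Object Type, Name | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so that services and machine-wide folders are readable; the script only reports and removes nothing, leaving removal decisions to the user.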
The above VPN services that maintained actual domains have been seized by the FBI, including PaladinVPN.com, DewVPN.com, and ShineVPN.com. The dummy domain for MaskVPN remains active as maskvpns.com, promising that you, the lucky users, can “can secure and leak proof [sic] to protect your privacy.”
As of publication, many apps bearing the names of the above services are still available to download from Google Play, Apple, and other app stores, such as ShieldVPN, ShineVPN, and MaskVPN, with some like Shine VPN listing as many as 500k+ downloads on Google Play. However, Nym has not confirmed whether these apps in fact correspond with those listed in the court order or rather to other homonymous providers. The ProxyGate proxy server, which has long been flagged for malicious activity by security reporting firms and forums, also appears to still be downloadable as ProxyGate VPN, though it is unclear whether this app corresponds with the 911 S5 botnet.
We will have to wait for more details on the operations of these specific VPN services, which platforms distributed them, and exactly how many users downloaded them over the years. But there are crucial questions we should be asking in the meantime:
- How did the malware functions of these VPNs go undetected for so many years?
- What other clandestine functions are other VPN freewares on the market currently engaged in?
- How many privacy violations and security risks are we willing to accept to save a few dollars every month when we could be investing in a genuine privacy tool?
Free VPN risks
It is estimated that more than one-fifth of people globally are using VPNs, and that half are using a free version rather than a paid one. What does this mean for the privacy of 600 million VPN users worldwide?
In principle, there is nothing wrong with a “free” service. And there are in fact reliable VPN service providers that offer privacy-preserving VPNs at no cost and as a public good. But the predominant business models for the hundreds of free VPNs available for download are anything but altruistic: if there is no revenue from user subscriptions, then they surely make their money in other ways.
As we will see in Nym’s ongoing series, this hidden revenue comes from a number of tactics: targeted and inserted advertising, selling user data to brokers, and even permitting third parties to install cookies on user browsers to track their activities. In short, free VPNs market privacy, but they profit from surveillance. And the target of this surveillance is not wrong-doing, but the micro-details of our personal lives.
The free VPNs behind the 911 S5 botnet, however, show a much more extreme security risk: the hijacking of our devices and identities by a criminal underworld. Of course, these malicious VPN services were only a few of the hundreds of “free” VPNs available for users to download, and they are likely some of the worst actors on the market. But the risk potential made clear in this case, with financial losses in the billions of dollars for users and institutions, needs to be taken seriously.
Nothing comes for free
Pretty much every VPN markets itself as a tool to protect user privacy by virtue of the fact that it masks our true IP addresses. Many users might think this is sufficient for their needs. But they also may not be aware of the extent to which the metadata of their personal activities online are being harvested and bought and sold en masse. What’s the use of IP address cover when our whole browsing histories can be reconstructed by AI-powered algorithms?
Combating these data collection and exploitation practices is not simple, and it is reasonable that advanced VPN technology designed specifically to protect your privacy would require some degree of user investment. After all, if someone offered to install a free security camera system in your home, would you welcome the technicians in without a second thought?
When any software is offered for free, there are likely hidden costs. These costs could be as simple as a slower or more limited VPN service. But usually the costs aren’t as palatable, such as advertising injected into your browsing experience which is customized through an algorithmic analysis of all your online habits. Worse is the fact that these very same metadata records are regularly being sold to a vast underground market hungry for IP and email addresses, traffic logs, and individual behavior patterns. And now, there’s the real possibility that a free VPN has long since turned your computer into a zombie proxy for child pornographers or fraudsters.
Genuine online privacy should be a fundamental right, but the reality is it’s an ongoing battle. Winning it for everyone globally means first being vigilant against real threats like 911 S5, and also choosing the proper tools to defend ourselves. Free VPNs are not these tools.
Nym Takes on Free VPNs
This is the first article in the Nym series which deep-dives into the free VPN market. The series will cover the logging practices of free VPNs; their deliberately vague consent contracts; how, why, and to whom they sell our data; and their invasive advertising practices.