New York, September 18, 2025 – Cybersecurity experts NymVPN are warning US consumers to be cautious of many popular virtual private network (VPN) apps, after a new report[1] by academics at Arizona State University, Citizen Lab (University of Toronto), and Bowdoin College revealed that many of the world’s most downloaded VPN apps are secretly controlled by just a handful of companies, many with direct links to China.
The US is one of the world’s most active VPN markets, with tens of millions relying on apps to protect privacy, secure online banking, and access streaming services. Demand has surged even further in recent years, following the introduction of mandatory age verification rules for adult content in many states, which drove a sharp spike in downloads as users sought to bypass intrusive checks.
Linked Family (in Report) / Owner
Tom Garcia-Bridgeman | [email protected]
Researchers found that these providers often shared the same code, servers, and even hard-coded encryption keys – making it clear that the “choice” of VPNs is far narrower, and far less transparent, than consumers are led to believe.
“We designed NymVPN, the world’s most private VPN, to work differently from traditional VPNs. Instead of sending your internet traffic through one company’s servers, our system scatters it across several routes, so no single place – not even us – can see both who you are and what you’re doing online. It means your privacy isn’t based on trust, it’s built into the technology itself. That’s the level of protection everyone should expect in 2025.”
1. Check who owns it – A safe VPN should be clear about who runs it. If the company hides behind shell businesses or vague addresses, that’s a red flag.
2. Look for independent audits – Trustworthy providers let outside security experts test their systems and publish the results. It’s proof they have nothing to hide.
3. Be cautious of “free” VPNs – Running a VPN costs money. If you’re not paying for it, there’s a good chance the service is making money by selling your data.
4. Choose the right jurisdiction – Pick VPNs based in countries with strong privacy protections. Avoid those linked to regions known for surveillance or censorship.
5. Choose decentralized tech over centralised infrastructures – The safest VPNs use modern privacy tools (like decentralized networks or mixnets) that make it impossible for anyone to see what you do online.
“There are two problems,” Harry Halpin, CEO of Nym commented. “The first is centralization. Most VPNs on the market route your traffic through a single server. This means that the VPN company can potentially see and keep records of all your online activity. This is blind trust, not privacy. The second issue is that the many “free” VPNs being used by people are in fact software designed to surveil and collect your data so that it can be sold, or worse, handed over to governments.”
Global Installs (Google Play)
The popularity of these services is significant because all three belong to the hidden “families” identified in the research, sharing ownership ties, infrastructure, and even encryption credentials. For US consumers, the warning is clear: downloading a free or unverified VPN could mean handing your private data to companies with undisclosed links to foreign governments or shadowy investors – the very opposite of the protection people expect when they turn to a VPN.
VPN App (US Google Play Popularity)
In numerous cases, apps were traced back to Qihoo 360, a Chinese cybersecurity firm sanctioned by the U.S. government for its ties to the People’s Liberation Army (PLA). Others presented themselves as being based in Singapore or Hong Kong, but in reality, these were front companies or smokescreens for Chinese ownership and control.
-ENDS-
| Claimed Publisher | But this new research shows that many of the “top-ranked” VPNs on Google Play are neither independent nor transparent. In fact, like many centralized and free VPNs, they are likely actively undermining people’s privacy. | Notes | 1. The report, Hidden Links: Analyzing Secret Families of VPN Apps, was produced by Benjamin Mixon-Baca (Arizona State University / Breakpointing Bad), Jeffrey Knockel (Citizen Lab / Bowdoin College), and Jedidiah R. Crandall (Arizona State University). Using forensic analysis of app code, corporate filings, and control infrastructure, they mapped hidden ownership and exposure across dozens of VPN brands | Nym is a leader in decentralized technology that advances privacy by design. NymVPN is the first commercial app to run on Nym’s Noise Generating Mixnet. The company was founded in Switzerland by some of Europe’s leading privacy researchers, engineers, and activists, including Harry Halpin (MIT), Ania Piotrowska (University College London), Claudia Diaz (KU Leuven), and Alexis Roussel. Nym works with top cybersecurity experts like Chelsea Manning. With NymVPN, Nym is leading the charge in making the internet private by default for everyone. | Several of the VPN apps exposed in the Hidden Links report are not only linked to hidden ownership structures but are also among the most widely used in the US. Turbo VPN, with more than 100 million global downloads, remains one of the most popular choices across US app stores. Snap VPN, with over 50 million installs on Google Play, is also heavily used by consumers, while VPN Proxy Master regularly appears among the top free VPN apps in the US. |
| Turbo VPN | Innovative Connecting (Singapore) | Family A – Qihoo 360 (China) | 100M+ | free tier with optional paid upgrade | Linked to PLA sanctioned firm |
| VPN Proxy Master | Lemon Clove / Autumn Breeze | Family A – Qihoo 360 | 100M+ | free tier with optional paid upgrade | Shared code & infrastructure |
| Snap VPN | Autumn Breeze | Family A – Qihoo 360 | 10M+ | free tier with optional paid upgrade | Uses hard-coded keys |
| XY VPN | Matrix Mobile PTE Ltd (Singapore) | Family B – Singapore -linked | 10M+ | free tier with optional paid upgrade | Policy overlaps with Family A |
| Super Z VPN | ForeRaya Technology Ltd | Family B | 5M+ | free tier with optional paid upgrade | Shared infrastructure with XY |
| Melon VPN | Wildlook Tech PTE Ltd | Family B | 10M+ | free tier with optional paid upgrade | Popular free option in US |
| X-VPN | Free Connected Ltd (Hong Kong) | Family C – Hong Kong-based | 50M+ | free tier with optional paid upgrade | Obscured ownership, custom protocol |
| Fast Potato VPN | Fast Potato PTE Ltd | Family C | 1M+ | Uses same server infrastructure |
Free or paid VPN App
Despite being marketed as independent, the report revealed that many popular VPNs belong to just three hidden “families” with shared ownership, servers, and even encryption keys:
NymVPN’s top tips for choosing a safe and trustworthy VPN
New research reveals that many of the most downloaded VPNs since the introduction of state age verification laws are linked to foreign intelligence.
At least one family of apps routed all users through servers secured with a single password, making it trivially easy for attackers to decrypt every user’s traffic.
About Nym
Editor’s notes
2. Hidden Families of VPN Apps
The following table shows some of the top VPN Apps in the US Google Play Store that featured in the report, and their true owners.
| Family | Popular Apps | Who’s Really Behind Them | Key Risks |
| Family A | Turbo VPN, VPN Proxy Master, Snap VPN, VPN Monster | Linked to Qihoo 360 (China), a firm sanctioned in the US for ties to the PLA | Shared passwords and servers mean traffic could be decrypted; strong links to surveillance risks |
| Family B | XY VPN, Super Z VPN, Melon VPN, Global VPN | Singapore-registered fronts but overlapping with Family A | Apps share infrastructure and even privacy policies; users misled into thinking they’re separate services |
| Family C | X-VPN, Fast Potato VPN | Based in Hong Kong | Custom protocol with the same pre-shared keys across apps; obscured ownership, insecure encryption |
Rob Jardin | [email protected]
According to NymVPN, the findings illustrate a critical failure of the traditional VPN model – one that asks users to place blind trust in services whose corporate backers and infrastructure remain hidden.
Harry Halpin comments: “Consumers assume that all VPNs are created equal, but in reality many are owned and operated by the same opaque entities – some with links to regimes known for surveillance. That’s not privacy. It’s a mirror-image of the problem people buy VPNs to solve.
The report – “Hidden Links: Analyzing Secret Families of VPN Apps” – found that what looks like a crowded marketplace of independent VPN providers is actually dominated by just a few opaque “families” of operators[2]. Together, these hidden owners account for over 700 million downloads on Google Play, channeling huge volumes of private internet traffic through companies with unclear origins and potentially risky associations.
For more information and media enquiries:
