Chinese-Owned VPNs

One one my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain.

A new study found that many commercials VPNS are (often surreptitiously) owned by Chinese companies.

It would be hard for U.S. users to avoid the Chinese VPNs. The ownership of many appeared deliberately opaque, with several concealing their structure behind layers of offshore shell companies. TTP was able to determine the Chinese ownership of the 20 VPN apps being offered to Apple’s U.S. users by piecing together corporate documents from around the world. None of those apps clearly disclosed their Chinese ownership.

Tags: , ,

Posted on May 27, 2025 at 7:07 AM23 Comments

Comments

Doug May 27, 2025 8:06 AM

Would it kill the authors to put everything in a list? You know, a numbered list with no extra text?

Clive Robinson May 27, 2025 10:34 AM

@ Bruce, ALL,

“One one my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain.”

The simple answer to that is,

“If you don’t own it from end to end then don’t trust it, mitigate it.”

Which I admit can be more difficult than it sounds… Because many VPNs see you not as “customers but product” to be packaged up an sold on. Worse now is that legislation / regulation makes record keeping as “Third Party Business Records” for amongst other reasons “to protect the children” or more importantly to enforce entertainment industry and similar rent seeking extortion via IP rights extorted from content creators.

But that is from my perspective the tip of the iceberg.

Consider the first router upstream from either end of the VPN two things are known,

1, Where your packets are comming from.
2, You have something to hide.

This automatically makes you “A person of increased interest”.

Further is “traffic analysis” it can be done by simple correlation in time or the VPN operator could “tag your packets” in various ways.

The thing about “traffic analysis” is it may not be allowed to be entered into court, but there is this little thing called “parallel construction” which is an “after the fact” way of concealing “methods and sources” and getting things into court through what is a back door that nobody in officialdom will do anything but look the other way.

As has been seen before with operation Ore[1] you don’t need to be guilty just appear to be guilty in an observers eyes thus a prime candidate for a stitch-up show trial or bonus / promotion for the investigator or even a Medal (see UK and EncroChat phones). Nothing makes for success like corrupt officialdom.

Thus even using a commercial VPN for entirely innocent reasons is raising you up that list of people who are “singled out for closer inspection” as potential candidates for persecution and prosecution.

[1] Many of the accused under Operation Ore had not even been involved. What happened was a Chinese crime organisation had gained access to a UK supermarkets sales system and stolen their credit card and other information. This they then used to rack up fake charges on a non porn hosting site that acted as a gateway to porn sites. The thing is the Chinese just billed the host to get payment and the host operator build the users credit card and took it’s “finders fee”. It was this list of credit card accounts and an FBI forged web page that was used to claim everyone was downloading kiddy-prn when in fact few ever did (though a few that actually were, like the boyfriend of a prominent male UK politician got no action taken against them). A friend however went through hell and it destroyed his life, even though he could prove he was innocent… And people wonder why I don’t do online transactions and only pay cash.

Clive Robinson May 27, 2025 10:58 AM

@ Bruce,

As a side note did you notice the date of the article?

The browser I use shows it as,

“April 1, 2025”

Carl Breen May 27, 2025 1:53 PM

The good ole’ commie scare will never get boring! I mostly use VPNs to bypass geo-blocked free legal TV. Yes TV stations run by the state itself which are not accessible outside the same state running it.

My DNS queries and the TLS packets, the spies can have. I’m boring and harmless.

Peter A. May 27, 2025 2:36 PM

I sometimes use tunneling through a strategically placed rented VPS to access geo-blocked sites of public institutions or media in a foreign country, for my own research/information. I guess I am a terrorist.

Winter May 27, 2025 5:18 PM

Moral of the story:

Know whom you are doing business with. Most certainly when it involves your security or safety.

Now the $64k question:
Which VPNs are not owned by evil or untrustworthy entities?

ProtonVPN (Switzerland)?
NordVPN (Panama)?
…?

But more importantly, how can we make users actually care about security?

Dave May 27, 2025 9:11 PM

When Chinese companies started buying out all the VPNs around 10 yrs ago, I stopped paying annual subscriptions, since there are only about 5 that can be trusted and those usually cost 2-4x more than the other options.

When I need a VPN, like I did last weekend, spinning up a VPS, loading wireguard and connecting my clients to that $5/month VPS is quick enough and probably private enough. I haven’t tried using a smaller, cheaper, VPS – they do offer $2.50/month options which would probably work fine for my minimal needs, but in my use all weekend, I think the total price charged was under $0.10, so I don’t see the reason to bother going cheaper.

The setup is scripted to the point that I only need to manually enter the new public IP of the new VPS into my client wg-confg file. Less than 5 minutes from “deploy” to sending all traffic though the VPN. Sometimes it is less than 3 minutes.

Of course, this isn’t exactly useful for normal people.

I’ve been running a VPN server at home for connections back into our home networks for about 2 decades. WG really makes that much easier and faster than openvpn. There are lots of 1-click VPN server deployment scripts for slightly technical people to deploy on their home networks. Gitlab and guthib have hundreds of examples.

Dave May 27, 2025 9:12 PM

The problem with Chinese-owned VPNs concealing their ownership is a catch-22, due to the rampant paranoia about anything Chinese in the US they pretty much have to conceal their ownership if they want to do business. So this isn’t necessarily a yellow-peril-bogeyman thing but just a requirement to be able to do business.

Given that most people would be using VPNs to avoid geoblocking, it doesn’t matter if your VPN provider is Chinese, Israeli, or the Illuminati. And if you’re really worried, run WireGuard on your home router.

Dave (9:11pm) May 27, 2025 9:59 PM

Dave (9:12pm),

Chinese companies need to be treated with suspicion because of the behavior of their govt. Give the CCP-Chinese Constitution a read. They have an English version online. In the beginning sections, it says all the “right things” about being far and how the govt is there to ensure rights are provided to everyone, but as you get farther into the document, you’ll clearly find the articles where the Party can overrule any rights without due process and that includes making statements that embarrass the party or party officials. Think about that.

Also, there are articles which clearly say that every Chinese citizen and company must defend the Party and the Govt. There’s no refusal to do what the Govt says, so effectively, every Chinese citizen and every Chinese company is an extension of the CCP even if they wouldn’t choose it.

Have you been to China? I have. It used to be that non-Chinese were treated fairly, but something has changed in the last 15 yrs under Xi. Chinese Children are being trained to hate America and there are videos showing kids as young as 5 using bayonets to stab at dummies with US flags on their shoulders. Saw a video just last week where 7 year old children were asked who’s China’s “enemy” … and they used the Chinese word for “war enemy”, not the other words for “competition” or similar. Their response was America from almost all of the kids, which 1 child saying “Japan” – guess he’s a little slow. Chinese in China have always hated Japanese for good historical reasons, though no real reason has been provided the last 50 yrs.

Imagine if a US teacher asked a classroom of 7 yr old children who is their enemy in the world? I just can’t imaging teaching our children such level of hatred at that age.

Do just a little research and you can find these videos too, along with 1,000,000+ Pro-China videos put out as part of the Chinese propaganda engine to Western social media. Don’t forget that in China, using a VPN to bypass their “Great Wall” is illegal, so all those posts are not just allowed, but supported by the CCP. Anything the CCP doesn’t want on their internet is removed in minutes and widely suppressed, so anything that remains is “approved”.

We may not consider China our enemy, but they definitely consider the US theirs and constantly tell Chinese in China that the US is their enemy, regardless of age. Don’t be foolish. When someone trains their children to kill people like you and me, pay attention.

Don’t trust Chinese companies, since the CCP can mandate they do anything at any time and there is no appeal possible.

ResearcherZero May 28, 2025 2:20 AM

China is placing its entire economic system behind the improvement of innovation.

In the U.S., decades of academic advancement that powered the economy is at risk.

‘https://www.theatlantic.com/ideas/archive/2025/05/trump-defund-schools-research-republicans/682742/

The transition from industrial might to cognitive power.

Until recent decades, economic gain by one group was only possible at a loss to another. Brain power allowed per capita income to increase faster than population growth, lifting the income of entire populations, without inflicting significant harm to portions of society who had typically suffered due to modernization, automation and economic policy.
https://link.springer.com/article/10.1007/s11186-024-09589-w

Well funded and widely available public education allowed this transformation.
https://academic.oup.com/braincomms/article/6/6/fcae360/7852944

Human capital is nearly 2.5 times more valuable to the economy than physical assets.
https://mlari.ciam.edu/economic-growth-and-the-role-of-human-capital

ResearcherZero May 28, 2025 3:11 AM

@Carl Breen, ALL

Being boring and harmless is awfully bad for you. Data brokers do not care if you are boring and harmless, nor do 500 lb bombs, lead bullets, disease or any other malady.

Boring-related heart disease and apathetic health choices.

‘https://academic.oup.com/ije/article-abstract/39/2/370/684049?redirectedFrom=fulltext

“Safe distances for unprotected troops are approximately 1,000 meters for 2000-lb bombs and 500 meters for 500-lb ones. Even protected troops are not entirely safe within 240 meters of a 2,000-lb bomb or 220 meters of a 500-lb bomb.”

Shrapnel poses a significant threat to civilian populations in conflict areas, often causing additional civilian casualties. In some cases, shrapnel can reach distances of several hundred meters.

https://comw.org/pda/precision-warfare-a-2000-lb-scalpel/

1 pound is equal to 0.4535924 kilograms, or 2.2046 pounds to the kilogram.
https://unsaferguard.org/un-saferguard/blast-damage-estimation

Clive Robinson May 28, 2025 9:12 AM

@ Dave, ALL,

With regards,

“When Chinese companies started buying out all the VPNs around 10 yrs ago”

Did you ever stop and ponder,

“Why are they doing this?”

It has several interesting answers.

The first is the plain and simple “it’s a business that makes money that is growing”.

Also because of the Great Firewall of China, VPN’s through it saw rapid growth.

It was an issue that cut both ways. China like any Cyber-entity wanted “a perimeter” they controlled. In part to keep Western Government entities out. But they also wanted to attract Western Businesses in.

A firewall that does not allow VPN’s is going to “constrain business” which is “undesirable” in any economy from Nation State down to your family home.

But China like all Nation States including the UK and US want to keep an eye on it’s alleged “citizens” and other “visitors”. Likewise so do all companies on those inside their perimeter, likewise many parents on their children.

There are two basic things of interest,

1, The information in transit
2, Where the traffic travels

If you own the VPN you know the second, and from that you can infer the first in many ways. It’s part of “Traffic Analysis” and in most ways it’s a lot lot less resource intensive than “breaking encryption” that is used to keep the actual information confidential.

Traffic Analysis is something every Nation State capable of it does, especially the UK and US as well as quite a few European States.

Yes it’s very intrusive on “Personal Privacy” thus “Personal Freedom” but then “know it all” is what is behind “collect it all”. And it’s very much the province of paranoid, authoritarians who inhabit the tops of hierarchies and their authoritarian following “guard labour” that fill the lower layers.

Because as the old saw has it,

“Knowledge is power”

And for those that don’t know, information and knowledge are not the same thing…

Clive Robinson May 28, 2025 10:00 AM

@ Swede, ALL

With regards “mullvad.net”…

By my reasoning they are like most VPN’s and Tor and mix-nets they are insufficiently secure to be even close to being safe.

The reason is,

“They are but one link in the chain.”

And most often the failing of all such “overlaid networks” is firstly entry and exit points that can be monitored from the underlying network.

Then the issue of “latency” that is kept low for “usability” thus enables correlation between entry into the network and exit from it.

Also is the issues of “Packet Switching” not “Circuit Switching”

Sending individual packets causes them to display timing characteristics and the quantity of information.

Such an overlay network having client applications might fix some of the issues, but there is the problem of meta-data for a number of infrastructure activities like DNS, checking CA Certs and more. Unless these are correctly moved into the overlay network which mostly they are not, then meta-data on both “traffic” and “information” can be found.

For viewing various forms of entertainment then most VPN’s will give you defence against those outside the overlay network. But they make you vulnerable to those inside the overlay network, who control it, and those with access to information gained by that control.

This is because the VPN is a “choke point” which has the “House of ill repute portal problem” of “all who enter are upto no good by definition” of “an observer” who as I’ve indicated in the past decides “what is good or bad” behaviour. And you get the “Santa’s list” issue, of you don’t know you are on the “naughty list” untill Xmas Day in the future.

For many reasons people think the use of “Public VPNs” makes them safer, the reality is as far as “public access” owned by a “third party” they actually make you less secure. The use of “Private VPNs” used by individuals to connect to corporate entities do make things safer in a lot of respects for the corporate entities and by extension those who connect to them. But that is an entirely different set of “safety” criteria to that of “Public VPN” usage.

Can things be made safer for Public VPNs the answer to that is very much “Yes”, but will it happen, the answer is pretty much “No”.

Just remember even watching “broadcast television” from another country is probably transgressing legal restrictions that could have civil or criminal penalties (they certainly do in the UK).

As the “rent seeking economy” takes over, over riding such restrictions will be seen as “theft” and by lobbying of IP Rights holders will become statute crimes, if they are not already…

It’s why I avoid the use of all VPNs Public or Private except when on “official and legally defendable business”.

Carl Breen May 29, 2025 8:40 AM

@ResearcherZero
It’s nice you cherry picked one part of my comment to base your argument falsely on that and reach the wrong conclusion.

I hope the “information broker” can make a lot of money with gigabytes on me about watching free legal state TV that is geoblocked. Maybe they can inject some ads from my uBlock Origin, so I can block their ads whilst I watch. Which of course wouldn’t work since they cannot inject anything into TLS.

People overestimate the dangers of a VPN and underestimate Android/iPhone, Google Sensorvault, KYC, electronic payments and IMSI/SIM based location tracking vie FOG geofencing.

If I have to worry about my legal VPN use, I am ignoring the elephants in the same room.

Touché.

Anonymous May 29, 2025 8:36 PM

Could someone shine some light on Trust.Zone VPN? The ownership is quite opaque. Possibly European.

arepus May 30, 2025 1:25 AM

You make it sound as if there’s something wrong with that. If the danger of a state is inversely proportional to the square of the distance to it, the principle of using the services of a hostile jurisdiction is an essential element of personal security.

ResearcherZero June 5, 2025 2:35 AM

Cheng Lei was jailed for accessing a publicly available document.

‘https://www.abc.net.au/listen/programs/conversations/cheng-lei-china-journalist-detention-episode-two/105360890

Conditions detainees are subjected to are designed to break them.
https://apnews.com/article/cheng-lei-china-australia-journalist-detention-0b4da2c9d6a31b05aeb265e271166a6c

Daily, routine behaviours can lead to imprisonment under extremely harsh conditions.
https://thediplomat.com/2025/03/chinas-system-of-mass-arbitrary-detention/

ResearcherZero June 5, 2025 2:57 AM

There are many flaws in software, amongst certificate authorities and supply chains.

Using a VPN located in foreign country does not mean that your communications cannot be accessed. There are multiple hops in a network from your initial connection through your provider’s equipment and a multitude of means and vulnerabilities at several different levels by which any of the equipment and software from origin to destination is exploited.

There may be opportunities by which this can be experienced for those unlucky enough. The means by which a surveillance state can monitor communications are wide and expansive.

In China peaceful criticism is treated as a security threat. Trump is acting the same.

‘https://www.opb.org/article/2025/04/29/how-trump-is-using-government-power-to-target-his-enemies/

True danger lays with persecuting critics, journalists and stifling free speech.
https://www.nbcnews.com/politics/national-security/former-official-targeted-trump-says-president-trying-silence-critics-rcna204807

Destroying all of America’s natural advantages is perhaps an unwise endeavor.
https://www.theatlantic.com/ideas/archive/2025/05/maga-maoism-trump/682732/

JTC June 15, 2025 1:13 PM

In your summary, you didn’t mention that only free VPNs were investigated. The broader VPN market was not investigated.

As with everything, whenever something is “free,” it simply means you and our data are the price.

Personally, I deal with Proton VPN because I know they are legitimate. They even threatened to leave Switzerland if a bill had passed requiring them to keep records. While they have a legitimately free VPN, I pay extra for more servers and their work.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.