Cybersecurity experts NymVPN are warning UK consumers to be cautious of many popular virtual private network (VPN) apps, after a new report by academics at Arizona State University, Citizen Lab (University of Toronto), and Bowdoin College revealed that many of the world’s most downloaded VPN apps are secretly controlled by just a handful of companies, many with direct links to China.
The report – “Hidden Links: Analyzing Secret Families of VPN Apps” – found that what looks like a crowded marketplace of independent VPN providers is actually dominated by just a few opaque “families” of operators. Together, these hidden owners account for over 700 million downloads on Google Play, channeling huge volumes of private internet traffic through companies with unclear origins and potentially risky associations.
In numerous cases, apps were traced back to Qihoo 360, a Chinese cybersecurity firm sanctioned by the U.S. government for its ties to the People’s Liberation Army (PLA). Others presented themselves as being based in Singapore or Hong Kong, but in reality these were front companies or smokescreens for Chinese ownership and control.
Researchers found that these providers often shared the same code, servers, and even hard-coded encryption keys – making it clear that the “choice” of VPNs is far narrower, and far less transparent, than consumers are led to believe.
At least one family of apps routed all users through servers secured with a single password, making it trivially easy for attackers to decrypt every user’s traffic.
According to NymVPN, the findings illustrate a critical failure of the traditional VPN model – one that asks users to place blind trust in services whose corporate backers and infrastructure remain hidden.
“There are two problems,” Harry Halpin, CEO of Nym commented. “The first is centralisation. Most VPNs on the market route your traffic through a single server. This means that the VPN company can potentially see and keep records of all your online activity. This is blind trust, not privacy. The second issue is that the many ‘free’ VPNs being used by people are in fact software designed to surveil and collect your data so that it can be sold, or worse, handed over to governments.”
The UK is one of the world’s most active VPN markets, with millions relying on apps to protect privacy, secure online banking, and access streaming services. Demand has surged even further in 2025, following the introduction of mandatory age-verification rules for online content, which drove a sharp spike in downloads as users sought to bypass intrusive checks.
But this new research shows that many of the “top-ranked” VPNs on Google Play are neither independent nor transparent. In fact, like many centralised and free VPNs, they are likely actively undermining people’s privacy.
Several of the VPN apps exposed in the Hidden Links report are not only linked to hidden ownership structures but are also among the most widely used in the UK. Turbo VPN, with more than 100 million global downloads, remains one of the most popular choices across UK app stores. Snap VPN, with over 50 million installs on Google Play, is also heavily used by UK consumers, while VPN Proxy Master regularly appears among the top free VPN apps in the UK.
The popularity of these services is significant because all three belong to the hidden “families” identified in the research, sharing ownership ties, infrastructure, and even encryption credentials. For UK consumers, the warning is clear: downloading a free or unverified VPN could mean handing your private data to companies with undisclosed links to foreign governments or shadowy investors – the very opposite of the protection people expect when they turn to a VPN.
The following table shows some of the top VPN Apps in the UK Google Play Store, that featured in the report, and their true owners.
| VPN App (UK Google Play Popularity) | Claimed Publisher | Linked Family (in Report) / Owner | Global Installs (Google Play) | Free or paid VPN App | Notes |
| Turbo VPN | Innovative Connecting (Singapore) | Family A – Qihoo 360 (China) | 100M+ | free tier with optional paid upgrade | Linked to PLA sanctioned firm |
| VPN Proxy Master | Lemon Clove / Autumn Breeze | Family A – Qihoo 360 | 100M+ | free tier with optional paid upgrade | Shared code & infrastructure |
| Snap VPN | Autumn Breeze | Family A – Qihoo 360 | 10M+ | free tier with optional paid upgrade | Uses hard-coded keys |
| XY VPN | Matrix Mobile PTE Ltd (Singapore) | Family B – Singapore -linked | 10M+ | free tier with optional paid upgrade | Policy overlaps with Family A |
| Super Z VPN | ForeRaya Technology Ltd | Family B | 5M+ | free tier with optional paid upgrade | Shared infrastructure with XY |
| Melon VPN | Wildlook Tech PTE Ltd | Family B | 10M+ | free tier with optional paid upgrade | Popular free option in UK |
| X-VPN | Free Connected Ltd (Hong Kong) | Family C – Hong Kong-based | 50M+ | free tier with optional paid upgrade | Obscured ownership, custom protocol |
| Fast Potato VPN | Fast Potato PTE Ltd | Family C | 1M+ | Uses same server infrastructure |
Harry Halpin comments: “Consumers assume that all VPNs are created equal, but in reality many are owned and operated by the same opaque entities – some with links to regimes known for surveillance. That’s not privacy. It’s a mirror-image of the problem people buy VPNs to solve.
“We designed NymVPN, the world’s most private VPN, to work differently from traditional VPNs. Instead of sending your internet traffic through one company’s servers, our system scatters it across several routes, so no single place – not even us – can see both who you are and what you’re doing online. It means your privacy isn’t based on trust, it’s built into the technology itself. That’s the level of protection everyone should expect in 2025.”
NymVPN’s top tips for choosing a safe and trustworthy VPN
- Check who owns it – A safe VPN should be clear about who runs it. If the company hides behind shell businesses or vague addresses, that’s a red flag.
- Look for independent audits – Trustworthy providers let outside security experts test their systems and publish the results. It’s proof they have nothing to hide.
- Be cautious of “free” VPNs – Running a VPN costs money. If you’re not paying for it, there’s a good chance the service is making money by selling your data.
- Choose the right jurisdiction – Pick VPNs based in countries with strong privacy protections. Avoid those linked to regions known for surveillance or censorship.
- Choose decentralised tech over centralised infrastructures – The safest VPNs use modern privacy tools (like decentralised networks or mixnets) that make it impossible for anyone to see what you do online.
