Millions download covert Chinese VPNs



An investigation by the Tech Transparency Project (TTP) has found that millions of Americans have downloaded VPNs that secretly route their internet traffic through Chinese companies, with several linked to a firm previously sanctioned by the US government for ties to China’s military.

The report found that one in five of the top 100 free VPN (Virtual Private Network) apps available in the US App Store during 2024 were surreptitiously owned by Chinese entities. This presents a significant privacy risk, as Chinese national security laws can compel companies within China’s jurisdiction to hand over user data to the government upon request.

Several apps investigated by TTP traced back to Qihoo 360, a cybersecurity giant designated by the US Department of Defense as a “Chinese Military Company.” The US Commerce Department previously sanctioned Qihoo 360 in 2020 on national security grounds.

VPNs are widely used tools designed to mask a user’s IP address, theoretically ensuring private internet browsing. They are popular globally for bypassing government censorship or surveillance and are often perceived as enhancing online security. In the US, free VPNs are frequently downloaded by children and teenagers to access games or social media platforms restricted on school networks.

However, the very nature of a VPN means the provider can access all internet traffic routed through its servers. When the provider is a Chinese company, this risk is amplified significantly.

China’s National Intelligence Law of 2017 mandates that organisations and individuals cooperate with state intelligence efforts. Guidance from the US Department of Homeland Security explicitly notes this means Chinese intelligence agencies could demand access to data held by Chinese firms, even compelling the creation of software backdoors.

Identifying these Chinese-owned VPNs is challenging for the average user. TTP found ownership structures were often deliberately obscured, hidden behind complex layers of offshore shell companies. By piecing together corporate documents from various global jurisdictions, TTP identified 20 VPN apps offered to US users whose Chinese ownership was not clearly disclosed.

According to data sourced from mobile app market intelligence firm AppMagic, these 20 apps alone have accumulated over 70 million downloads from US app stores.

One Chinese-owned VPN advertised on Facebook and Instagram targeted users as young as 13. Others ran campaigns aimed at Americans concerned about the potential US ban on TikTok, another Chinese-owned app facing scrutiny over data privacy concerns.

While lawmakers have focused heavily on TikTok, TTP suggests this broader category of VPN apps – which could expose American internet traffic directly to Chinese authorities – has received insufficient attention.

These findings cast a shadow over Apple’s heavily marketed reputation for prioritising user privacy and security. Apple has consistently argued against antitrust measures aimed at opening up its App Store, claiming such moves would compromise user safety. Yet, TTP’s research suggests Apple’s current vetting processes may be inadequate in determining the true ownership of apps and their data handling practices.

Notably, over a dozen of these Chinese-linked VPNs were also available in Apple’s French App Store in late February 2025, indicating the issue extends beyond the US.

Apple’s own guidelines for developers state that apps offering VPN services “may not sell, use, or disclose to third parties any data for any purpose.” How Apple reconciles this policy with hosting apps legally obligated to share data with Chinese authorities remains unclear.

Tracing the ownership: The Qihoo 360 connection

TTP’s investigation delved into specific apps, starting with Turbo VPN (ranked 13th most popular free VPN). Its listed developer, Innovative Connecting Pte. Ltd., is registered in Singapore. Singaporean records show its shareholder is Lemon Seed Technology Ltd., based in the Cayman Islands.

Chinese cybersecurity firm Qihoo 360 disclosed in a 2019 annual report that it had acquired Lemon Seed and two related companies (Lemon Clove Pte. Ltd. and Autumn Breeze Pte. Ltd.) for “$69.4 million and an intangible asset.”

This established Qihoo 360’s ownership of the developer behind Turbo VPN. This acquisition occurred before Qihoo 360 was sanctioned by the US Commerce Department in June 2020 due to the “significant risk” of its involvement in procuring technology for China’s military. Qihoo 360’s clients reportedly included the People’s Liberation Army and numerous Chinese government ministries.

Further investigation revealed Innovative Connecting is linked to other top VPNs, including VPN Proxy Master (ranked 12th) and Thunder VPN (ranked 60th).

Whilst Qihoo 360 reported selling “Project L” – seemingly the app-related companies – to unnamed “external parties” in September 2020, shortly after US sanctions were imposed, TTP found evidence suggesting continued links.

Recent corporate filings (March 2025) for Lemon Seed, Lemon Clove, Autumn Breeze, and Innovative Connecting all list Chen Ningyi as a director. A Qihoo patent from 2017 features this name, matching an individual identified by state-run China Daily in 2020 as a general manager at Qihoo 360. This same individual was appointed to the board of a Qihoo subsidiary when it was sold in March 2023, raising questions about ongoing influence.

Chinese VPNs using shell companies

Several other popular VPNs traced back to Hong Kong-based entities, ultimately owned by mainland Chinese individuals or companies. Apps like X-VPN (ranked 4th), VPNIFY (ranked 25th), and the now-removed VPN Bucks (ranked 22nd) listed developers registered in Hong Kong.

TTP’s examination of corporate records revealed these Hong Kong companies were owned by mainland Chinese firms or citizens, connections not apparent from the App Store listings. The US government has previously warned businesses about data risks in Hong Kong due to its evolving national security laws under Beijing’s influence.

Other apps employed different methods of obfuscation.

WireVPN (ranked 23rd) listed a UK-based developer, WEILAI NETWORK TECHNOLOGY CO., LIMITED. However, UK records show its sole director is a Chinese national residing in China who holds over 75% of shares. The company filed as dormant with minimal assets, suggesting a shell operation. Its privacy policy contained language mirroring Chinese government regulations against “harmful information.”

The Tech Transparency Project’s investigation paints a concerning picture: a significant portion of popular free VPNs in mobile app stores have undisclosed ties to China, potentially exposing American users’ data to surveillance under Chinese law.
