Here's a scenario that plays out hundreds of times daily: you search for a legitimate enterprise VPN application, click what appears to be the official download link, and install what you think is a trusted security tool. By the time you realise something went wrong, your credentials have already been stolen and sent to criminals halfway across the world.
This isn't hypothetical. Microsoft disclosed a credential theft campaign in March 2026 attributed to Storm-2561, a threat activity cluster active since May 2025. The gang manipulates search results (SEO poisoning) to push malicious websites masquerading as enterprise VPN update pages to the top of the list, so when users search for clients with terms like "Pulse VPN download" or "Pulse Secure client", the top results point to spoofed sites.
The campaign is also easy to miss after the fact. If the victim then installs the legitimate VPN client and it connects as expected, nothing on screen suggests a compromise; the failed first install looks like a technical glitch rather than malware, and by then the credentials are already gone.
But here's the uncomfortable truth: even legitimate free VPN services operate on a shaky premise. Free VPNs rarely have the resources to build and maintain strong security, which leaves their users exposed. When a service is free, the economics are brutal: someone has to pay for the servers, the infrastructure and the developers. If you're not paying, you're the product.
A 2024 study found that 88% of free Android VPNs leak user data, highlighting their inability to safeguard internet traffic. In another 2024 test, 20% of free VPNs were flagged as malware by antivirus scanners. These aren't edge cases or outliers. They're the majority.
The revenue model explains everything. Free VPNs often rely on advertising or selling data to make money, with information sent to advertising companies that send targeted and unwanted ads. Some providers go further. Zimperium's analysis found many free VPN apps requested "private entitlements" allowing deep access to a device's operating system, permitting apps to run code, extract sensitive data, or gain device control.
The counterargument deserves a hearing
Sceptics might reasonably ask whether every free VPN is worthless, and there's a legitimate answer: not every one. Proton VPN's free plan, which the company bills as the only free VPN with no data limit, no ads and no logs of user activity, is advertised as free for good. A few legitimate, well-respected providers offer free versions of their apps to attract prospective customers, and Proton VPN stood out in testing. These freemium models work because paid subscribers subsidise the free tier, not because the provider is mining your data.
That said, these exceptions prove the rule. Not all free VPNs are safe, which is why security experts recommend getting a free version of a reputable paid VPN rather than downloading a VPN advertised as 100 percent free. The distinguishing factor is whether the company has a sustainable business model that doesn't rely on exploiting your data.
Paying is not a big ask, either. Among those who pay for VPN services, the median monthly cost is $10, with most plans ranging from $2 to $15 per month, less than a coffee subscription. Free tiers, by contrast, usually come with practical limits: capped bandwidth, slower speeds or fewer server locations.
What this means for you
If you're using a free VPN, the honest answer is that you're taking a calculated risk. You're trading privacy for convenience, and betting that the particular service you've chosen isn't harvesting your data. Most of the time, you'd be wrong.
For organisations, security professionals' recommendations are the standard ones, and they matter here because stolen passwords are the whole point of the campaign: enforce multi-factor authentication on every account, remove any users excluded from MFA policies, require MFA from every device wherever it connects, and remind employees not to store workplace credentials in browsers or in password vaults secured only by personal credentials. For individuals and administrators alike, the direct defence is less glamorous: fetch the client from the vendor's own site or from your IT department rather than from the top search result, and check the installer's publisher signature before running it.
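The two provenance checks that would have caught a spoofed download in the campaign above, written out as an added example (this is not code from the original article, Microsoft, or any VPN vendor): the download host must resolve to the vendor's registered domain rather than a lookalike, and the installer bytes must hash to the value the vendor publishes. The vendor domain `vpn-vendor.example`, the installer bytes and the "published" hash are all constructed placeholders, not values for any real product.

```python
"""Provenance checks for a downloaded VPN installer (added example).

Check 1: the download URL's registered domain is on a vendor allowlist,
         which rejects hyphenated lookalikes, extra-label variants such as
         vendor.example.attacker.example, and userinfo tricks like
         https://vendor.example@attacker.example/.
Check 2: the installer's SHA-256 matches the vendor-published hash.

All domains, bytes and hashes below are constructed for the example.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: registered domains the organisation trusts for this client.
TRUSTED_DOMAINS = {"vpn-vendor.example"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels of the hostname.

    Sufficient for the single-label suffixes in this example; a real
    deployment should use the Public Suffix List so that names such as
    vendor.co.uk are reduced correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def download_host_is_trusted(url: str) -> bool:
    """True only for https URLs whose registered domain is allowlisted."""
    parts = urlsplit(url)
    # urlsplit() already discards any user@ prefix, so a URL such as
    # https://vpn-vendor.example@attacker.example/ yields attacker.example.
    if parts.scheme != "https" or not parts.hostname:
        return False
    return registered_domain(parts.hostname) in TRUSTED_DOMAINS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def installer_hash_matches(data: bytes, published_sha256: str) -> bool:
    """Compare the installer's digest with the vendor-published one."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.strip().lower())


def verify_download(url: str, data: bytes, published_sha256: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not download_host_is_trusted(url):
        findings.append(f"untrusted download host: {urlsplit(url).hostname}")
    if not installer_hash_matches(data, published_sha256):
        findings.append("installer hash does not match vendor-published value")
    return findings


# Constructed sample data: a stand-in for the genuine installer and a
# tampered copy. In practice PUBLISHED_SHA256 is copied from the vendor's
# download page, not computed locally.
GENUINE_INSTALLER = b"MZ constructed genuine installer bytes v1.0"
TAMPERED_INSTALLER = b"MZ constructed genuine installer bytes v1.0 + stealer"
PUBLISHED_SHA256 = sha256_hex(GENUINE_INSTALLER)

if __name__ == "__main__":
    cases = [
        ("https://download.vpn-vendor.example/client.exe", GENUINE_INSTALLER),
        ("https://vpn-vendor-download.example/client.exe", TAMPERED_INSTALLER),
        ("https://vpn-vendor.example.attacker.example/client.exe", TAMPERED_INSTALLER),
        ("https://vpn-vendor.example@attacker.example/client.exe", GENUINE_INSTALLER),
    ]
    for url, blob in cases:
        result = verify_download(url, blob, PUBLISHED_SHA256)
        print(url, "->", "OK" if not result else "; ".join(result))
```

The hash check only helps where the vendor actually publishes digests; on Windows the stronger check is the installer's Authenticode signature, which PowerShell exposes through `Get-AuthenticodeSignature`. The domain check is the one that catches the campaign's core trick, because a spoofed site can serve a perfectly well-formed installer with a perfectly consistent hash of its own.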
For casual browsing on public Wi-Fi, a good free VPN from a reputable provider (or a paid service you can afford) is genuinely better than nothing. But if you're serious about privacy or security, the maths is simple. Free VPN services can't afford the infrastructure, the security audits, or the principle of not surveilling their users. Paid services can, and increasingly do.
The Storm-2561 campaign isn't a reason to distrust all VPNs. It's a reason to distrust anyone offering security for nothing.