Citizen Lab Reports Hidden VPN Networks Sharing Ownership and Security Flaws

Citizen Lab’s new report, Hidden Links, uncovers a network of VPN providers like Turbo VPN and VPN Monster that are controlled by a single company and use dangerous security practices, including hard-coded passwords and weak encryption.

A new research paper titled “Hidden Links: Analyzing Secret Families of VPN Apps” has exposed how some popular Virtual Private Network (VPN) providers intentionally hide their true ownership and share security flaws.

The paper was co-authored by Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah Crandall and published by Citizen Lab. Their study involved a deep analysis of apps from the Google Play Store, looking at everything from code similarities and network communications to business filings.

Researchers identified three families of VPNs that are secretly operated by the same entity. The most notable group includes Innovative Connecting, Autumn Breeze, and Lemon Clove, which have over 700 million downloads combined.

These companies distribute apps such as Turbo VPN, VPN Monster, and Snap VPN, and are linked to a Chinese national security firm, Qihoo 360, which has been sanctioned by the US government.

It is worth noting that Turbo VPN and Snap VPN were also named in the Tech Transparency Project’s June 2025 report, which cited national security concerns related to the possibility of these VPNs transferring US data to China.

A second family of providers, with over 380 million downloads, included MATRIX MOBILE PTE LTD and ForeRaya Technology Limited. A third family included Fast Potato Pte. Ltd and Free Connected Limited.

Further probing revealed that many of these VPNs use a specific technology called Shadowsocks, which was originally created to bypass internet censorship in China, not to provide privacy. The apps used outdated and unsafe methods for encryption, making them easier to hack. Some apps were also caught collecting a user’s location and sending it to a server, even though their privacy policies promised they wouldn’t.

Another key finding (PDF)was that these apps share not only code but also serious security vulnerabilities. For example, two of the families used a single, hard-coded password for their VPN apps. For your information, a hard-coded password is a secret key permanently built into an app, which means it’s the same for every single user. This allows anyone who discovers the password to decrypt the traffic of all users of that app, making their private information visible to eavesdroppers.

Researchers were able to use these shared passwords to confirm that different-looking VPN services were actually sharing the same servers. They also noted three other apps from VPN Super Inc., Miczon LLC, and Secure Signal Inc. that did not appear to have these hidden links.

Nonetheless, the shared security flaws mean that if one app in a family is vulnerable, so are all the others. These findings highlight that what appear to be distinct VPN apps are often part of a single, malicious network, putting millions of users at risk.

This is why it’s so important for users to know who is really behind their VPN service. The study emphasizes the critical need for transparency from VPN providers and calls on app stores like Google Play to improve how they verify the identity of app developers and audit app security.