Executive Summary
Recent news coverage and security research have highlighted serious dangers with free VPN services, particularly their use in building massive botnets and residential proxy networks. The most notable case—the 911 S5 botnet—infected 19 million devices worldwide through free VPN apps. Tailscale operates on a fundamentally different model and does not share these vulnerabilities.
The Problem: Free VPNs as Attack Vectors
The 911 S5 Botnet (Dismantled May 2024)
The FBI dismantled what they called "likely the world's largest botnet ever":
- Scale: 19 million unique IP addresses across 190+ countries (613,841 in the US alone)
- Operation period: 2014–2022, resurfaced as "CloudRouter"
- Revenue: Operators earned approximately $99 million
- Victim losses: Billions of dollars, including $5.9 billion in fraudulent unemployment claims
How it worked:
- Users downloaded "free VPN" apps: MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, ShineVPN
- The apps functioned as advertised (providing VPN service)
- Secretly, users' devices became proxy nodes in a criminal network
- Cybercriminals paid to route traffic through victims' home IP addresses
- Crimes committed appeared to originate from victims' homes
YunHe Wang, a 35-year-old Chinese national, was arrested in Singapore and faces up to 65 years in prison.
Sources:
Ongoing Threats in 2025
The problem hasn't gone away:
- Aisuru botnet (November 2025): Shifted from DDoS attacks to residential proxy services, infecting IoT devices
- Malicious Chrome extensions: A dangerous free VPN extension returned to Chrome Store with 31K+ installs after previous removal
- Mobile app risks: 88% of top 100 free Android VPNs leak user data; 39% predicted to contain malware by end of 2025
- Google Play infections: 18+ malicious VPN apps discovered using ProxyLib and LumiApps SDK to turn devices into proxies
Sources:
- Krebs on Security - Aisuru Botnet
- TechRadar - Malicious VPN Extension
- Zimperium - Mobile VPN Dangers
Why Free VPNs Are Dangerous
The Business Model Problem
Running a VPN service is expensive:
- Global server infrastructure
- Bandwidth costs for encrypted traffic
- Development and maintenance
If you're not paying, you're the product. Free VPNs monetize through:
- Selling your bandwidth - Your device becomes a proxy exit node
- Logging and selling data - Browsing history, personal information sold to advertisers
- Injecting ads - Inserting advertisements into your browsing
- Installing malware - Bundling spyware, cryptominers, or botnet agents
Specific Risks
| Risk | Description |
|---|---|
| Botnet enrollment | Device becomes part of criminal proxy network |
| Data logging | Activity tracked and sold despite "no-log" claims |
| IP/DNS leaks | 88% of the top 100 free Android VPNs leak data that should be protected |
| Malware | 20% flagged as malware by antivirus scanners |
| Legal liability | Crimes routed through your IP appear to be yours |
| Browser hijacking | Search results altered, redirected to malicious sites |
How Tailscale Is Different
Fundamental Architecture Differences
| Aspect | Traditional/Free VPN | Tailscale |
|---|---|---|
| Model | Hub-and-spoke (all traffic through central server) | Peer-to-peer mesh network |
| Traffic routing | Provider sees all traffic | Direct device-to-device; Tailscale cannot see traffic |
| Business model | Often monetizes user data | Paid tiers; enterprise focus |
| Purpose | Route all internet traffic through provider | Connect YOUR devices to each other |
| Keys | Provider manages/may access keys | Private keys never leave your devices |
Tailscale Technical Architecture
Built on WireGuard: Tailscale uses WireGuard, a modern, audited VPN protocol with a minimal attack surface (about 4,000 lines of code vs. 100,000+ for OpenVPN).
Key Management:
- Each device generates its own public/private key pair
- Private keys NEVER leave the device
- Tailscale's coordination server only sees public keys
- Even Tailscale cannot decrypt your traffic
Coordination Server (login.tailscale.com):
- Acts as a "public key dropbox"
- Facilitates device discovery and NAT traversal
- Does NOT route your traffic
- Cannot inspect your communications
Direct Connections:
- Devices connect directly to each other when possible
- DERP relay servers used only when direct connection fails
- Relay traffic is still end-to-end encrypted (Tailscale can't read it)
Why Tailscale Doesn't Have These Risks
- No traffic inspection possible: End-to-end encryption with keys only on your devices
- Not routing internet traffic: Tailscale connects your devices; it's not an internet anonymizer
- Paid business model: Revenue from subscriptions and enterprise, not data harvesting
- Open source: Core code is public and auditable (GitHub)
- Identity-based auth: Uses your existing SSO (Google, Microsoft, etc.) - no Tailscale password database to breach
- Zero-trust by design: Default-deny ACLs, continuous verification
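The default-deny ACL model above is only as good as the policy you write. As an added example (not Tailscale's own code or tooling), this Python linter reads a tailnet policy and flags the patterns that undo default-deny; the policy, tag and group names are constructed, and the policy is written as plain JSON rather than Tailscale's HuJSON so the standard library can parse it.

```python
"""Added example, not Tailscale's own code: lint a tailnet ACL policy for the
default-deny property.  Tailscale policy files are HuJSON; the sample here is
plain JSON so that json.loads can read it.  Tags and groups are constructed."""
import json

# Constructed policy: tailnet members may reach the home server on SSH and
# HTTPS only.  Anything not matched by an "accept" rule is denied.
POLICY_JSON = """
{
  "tagOwners": {"tag:homeserver": ["autogroup:admin"]},
  "acls": [
    {"action": "accept", "src": ["autogroup:member"],
     "dst": ["tag:homeserver:22,443"]}
  ]
}
"""

# Tailscale's initial policy for a new tailnet allows everything; the checks
# below catch a policy that still looks like that.
OPEN_SRC, OPEN_DST = "*", "*:*"


def find_policy_issues(policy: dict) -> list[str]:
    """Return findings as strings; an empty list means nothing was flagged.

    The checks are this example's assumptions about a locked-down home lab:
    no rule lets "*" reach "*:*", every destination tag has a tagOwners
    entry, and destinations name specific ports rather than ":*".
    """
    issues = []
    owners = policy.get("tagOwners", {})
    for i, rule in enumerate(policy.get("acls", [])):
        srcs, dsts = rule.get("src", []), rule.get("dst", [])
        if OPEN_SRC in srcs and OPEN_DST in dsts:
            issues.append(f"rule {i}: allows everyone to reach everything")
        for dst in dsts:
            host, sep, ports = dst.rpartition(":")
            if not sep:                      # bare host means all ports
                host, ports = dst, "*"
            if host.startswith("tag:") and host not in owners:
                issues.append(f"rule {i}: {host} has no tagOwners entry")
            if ports == "*":
                issues.append(f"rule {i}: {host} exposes all ports")
    return issues


def check_policy_text(text: str) -> list[str]:
    """Parse a JSON policy and lint it."""
    return find_policy_issues(json.loads(text))


if __name__ == "__main__":
    for line in check_policy_text(POLICY_JSON) or ["no issues found"]:
        print(line)
```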
What Tailscale IS vs. ISN'T
Tailscale IS:
- A way to securely connect your own devices across networks
- A mesh VPN for accessing your home server, work resources, etc.
- A zero-trust network overlay
Tailscale IS NOT:
- A service to hide your internet activity from your ISP
- An anonymity tool like Tor
- A way to appear in a different geographic location
- A consumer VPN for streaming geo-blocked content
Your Specific Use Case
You mentioned using Tailscale to connect to a home server. This is an ideal use case:
- Your traffic: Encrypted between your devices, unreadable by Tailscale
- Your keys: Stay on your devices
- Your data: Routes directly to your home server (or via encrypted relay if needed)
- Risk profile: Completely different from free VPN concerns
The free VPN dangers are about:
- Malicious providers harvesting data
- Devices being enrolled in botnets
- Traffic being logged and sold
None of these apply to Tailscale because:
- Your traffic doesn't go through Tailscale's infrastructure in a readable form
- Tailscale has no mechanism to use your device as a proxy for others
- The business model is subscriptions, not data monetization
Recommendations
For Tailscale Users
- Continue using Tailscale - The architecture fundamentally differs from dangerous free VPNs
- Configure ACLs - Use access control lists for additional security between nodes
- Review connected devices - Periodically audit your tailnet for unauthorized devices
- Enable MFA - Ensure your SSO provider has strong authentication
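The "Review connected devices" recommendation, as an added example that is not Tailscale's own tooling: it reads the JSON that `tailscale status --json` prints (a constructed sample here; the field names are my reading of that output and should be verified against your version) and flags stale peers, peers offering to be exit nodes (the opt-in way a tailnet device routes other members' internet traffic, so each one should be a device you chose), and hosts missing from your own inventory.

```python
"""Added example, not Tailscale's own code: audit a tailnet from the output of
`tailscale status --json`.  The JSON below is constructed, and the field names
(Peer, HostName, Online, LastSeen, ExitNodeOption) are assumptions to verify."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a healthy home server, a laptop not seen for months, and
# a device nobody remembers that is offering itself as an exit node.
SAMPLE_STATUS = """
{
  "Self": {"HostName": "phone", "TailscaleIPs": ["100.64.0.1"]},
  "Peer": {
    "nodekey:aaaa": {"HostName": "homeserver", "OS": "linux", "Online": true,
                     "LastSeen": "2025-11-20T08:00:00Z", "ExitNodeOption": false},
    "nodekey:bbbb": {"HostName": "old-laptop", "OS": "windows", "Online": false,
                     "LastSeen": "2025-06-01T12:00:00Z", "ExitNodeOption": false},
    "nodekey:cccc": {"HostName": "mystery-box", "OS": "linux", "Online": true,
                     "LastSeen": "2025-11-20T09:30:00Z", "ExitNodeOption": true}
  }
}
"""

# Constructed inventory of the devices you know you enrolled, and the
# constructed "now" used for the staleness check.
KNOWN_HOSTS = {"phone", "homeserver", "old-laptop"}
AUDIT_NOW = datetime(2025, 11, 21, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=30)


def audit_status(status_json: str, now: datetime = AUDIT_NOW,
                 known_hosts: set = KNOWN_HOSTS) -> dict:
    """Bucket peers into: stale (offline, unseen for STALE_AFTER), exit_nodes
    (willing to route other members' internet traffic), unknown (not in
    your inventory)."""
    status = json.loads(status_json)
    findings = {"stale": [], "exit_nodes": [], "unknown": []}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        seen = datetime.fromisoformat(peer["LastSeen"].replace("Z", "+00:00"))
        if not peer.get("Online") and now - seen > STALE_AFTER:
            findings["stale"].append(name)
        if peer.get("ExitNodeOption"):
            findings["exit_nodes"].append(name)
        if name not in known_hosts:
            findings["unknown"].append(name)
    return findings


if __name__ == "__main__":
    for bucket, hosts in audit_status(SAMPLE_STATUS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```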
For Anyone Using VPNs
- Avoid free VPNs - The risks far outweigh the savings
- If you need a consumer VPN: Use reputable paid services (NordVPN, ExpressVPN, ProtonVPN) with third-party audits
- Check for malware: If you've used free VPNs, scan for MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, ShineVPN
- Understand your threat model: Do you need internet anonymity, or device connectivity?
Key Takeaways
| Free VPN Services | Tailscale |
|---|---|
| Route all traffic through provider | Peer-to-peer; traffic doesn't go through Tailscale |
| Provider can see/log traffic | End-to-end encrypted; keys on device only |
| Often monetize user data | Subscription/enterprise revenue model |
| Risk of botnet enrollment | No mechanism to proxy others' traffic |
| May leak IP/DNS | WireGuard protocol; minimal attack surface |
| Designed to anonymize internet use | Designed to connect your own devices |
Bottom line: The free VPN concerns making headlines are about malicious services that exploit users. Tailscale's architecture makes these attacks impossible—your private keys never leave your devices, and Tailscale cannot see your traffic even if they wanted to.
Sources
- DOJ: 911 S5 Botnet Dismantled
- Krebs on Security: Is Your Computer Part of 'The Largest Botnet Ever?'
- Kaspersky: Hidden Dangers of Free VPN Services
- Tailscale: How Tailscale Works
- Tailscale: About WireGuard
- UpGuard: VPN Security Concerns in 2025
- Zimperium: Insecure Mobile VPNs
- Krebs on Security: Aisuru Botnet Shifts to Residential Proxies