Hola VPN is quietly selling your internet bandwidth to become a botnet for cybercriminals

Israel-based free virtual private network (VPN) service Hola is quietly hijacking and selling its users' internet bandwidths so cybercriminals can use them in botnets for cyberattacks, according to accusations by a popular online forum.

Fredrick Brennan is the founder of anonymous internet imageboard 8chan. He claims internet traffic spotted on his site's website came from Hola users and has been used to launch distributed denial of service (DDoS) cyberattacks against his website, taking it briefly offline. He also claims the culprit responsible posted on 8chan to brag about how they used Hola's premium VPN service Luminati to do it.

For those of us who don't live in the US but want access to content on Netflix that isn't available abroad, the free VPN Hola, which now has over 46 million users, seems like a dream come true.

All users have to do is pay for a Netflix account either in their own country or the US and install the free Hola web browser plugin, which tricks Netflix into thinking they are accessing the service in North America.

Hola has nine million IP addresses at its disposal to sell

"When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this," Brennan told TorrentFreak.

"Hola has gotten greedy. They recently [in late 2014] realised that they basically have a nine million IP strong botnet on their hands, and they began selling access to this botnet [right now, for HTTP requests only] at https://luminati.io."

However, Hola says that when users install the service and sign up for an account, they agree to terms and conditions stating openly that the company can utilise the user's IP address and sell the internet connection on Luminati for $5 (£3.30) a month to any company or individual that wants it.

Nowhere in Hola's FAQ was Luminati mentioned until Wednesday (27 May), when Brennan revealed the attack on Reddit and Twitter, and Motherboard Vice contacted Hola about it.

Neither Hola nor Luminati's websites bear any reference to each other and are designed to look like two separate entities.

You're basically voluntarily part of a huge botnet

Put simply, this means that while your computer is sitting idle, someone paying for the Luminati VPN is using your IP address and as much of your bandwidth as they want to carry their internet traffic. What is more, you are the exit node, so to the police or anyone who checks, it looks as if the traffic originated from you.

So essentially by using Hola, you are part of a huge peer-to-peer network and are basically voluntarily part of a botnet.

"We have always made it clear that Hola is built for the user and with the user in mind. We've explained the technical aspects of it in our FAQ and have always advertised in our FAQ the ability to pay for non-commercial use," Hola founder Ofer Vilenski told TorrentFreak.

"If 8chan was harmed, then a reasonable course of action would be to obtain a court order for information and we can release the contact information of this user so that they can further pursue the damages with him."

Perhaps it's time to stop using Hola and just pony up the cash to use a paid VPN service.