UPDATE, 05/29/2015, 02:43 p.m. ET: After analyzing the Hola app, a group of researchers claims to have found evidence that the app isn't just deceiving its users, but it makes them vulnerable to hacking and tracking.
On Saturday, a well-known spammer that goes by the name of "Bui" posted more than a thousand junk posts to a few messaging boards on 8chan, a popular anonymous internet imageboard.
He did it just "to disrupt" and "for kicks," Bui told Motherboard. But he actually ended up taking down the site for a few minutes, thanks to a sort of denial of service attack made of 1,474 nonsense posts, according to the administration of 8chan.
This seemingly minor incident reveals that millions of users of a popular free VPN service called Hola are being sold as exit nodes in a private network, potentially exposing them to having their connections and IP addresses involved in illegal or abusive activities.
Bui's attack was made possible by a paid service called Luminati, which, until recently, was described by its creators as a "larger, faster and more anonymous" version of the anonymizing software Tor, with "millions" of exit nodes.
What Luminati's vague website doesn't say, however, is where these nodes come from. As it turns out, the nodes are actually unwitting users of the popular free VPN service Hola, an app used by millions of people, mostly to skirt geolocation blocks to, for example, watch Netflix abroad. Luminati is owned by Hola Networks.
If you are a user of the free version of Hola, your connection can be sold as an exit node through Luminati.
In practice, if you are a user of the free version of Hola, your connection can be sold as an exit node through Luminati. In other words, your internet connection can be bought and used through Luminati, turning you and other Hola users into a node of what could be described as a voluntary botnet.
This is something that wasn't widely known until 8chan revealed Luminati and Hola had been used to spam and take down the site. And it's also something that Hola's creators never disclosed openly until this week.
"We can provide [Hola] for free since each user is also an exit node for other users," Ofer Vilenski, the co-founder of Hola, told Motherboard on Wednesday.
The lack of transparency in how Hola sold its users connection was evident on its website too.
The FAQ on Hola's site didn't mention Luminati until Wednesday, according to several archived pages of the FAQ. The page was updated after 8chan's accusation got some traction on Reddit and Twitter, and after I reached out to Hola to clarify whether the accusation was true.
"We can provide [Hola] for free since each user is also an exit node for other users."
Vilenski said that the explanation "actually was there in a different form," and pointed to the old FAQ, which said: "if you would like to use Hola for commercial use contact us at firstname.lastname@example.org for a quote."
Yet, Vilenski himself admitted most users are probably not aware of it.
"Are 100 percent of users aware that they are on a peer-to-peer network and what it means?" he told me on the phone. "The answer is no. Not because we're covering it, trying not to show them—because we are telling them about it—but because most of them just don't care, they want a good service, it works well and it doesn't screw them up."
He might be right, most users are probably not aware of how Hola really works.
"What???? Horrible!" a Hola user told me in chat when I asked her whether she was aware of the fact that Hola allows others to use her connection when it's idle, and that her connection can be sold through a separate service. "I had no idea. […] WTF I am deleting it ASAP."
By becoming an exit node for a Tor-like network, Hola users are exposed to the same risks that Tor exit nodes operators are. Their connection can be abused by someone else, by trafficking in child pornography or downloading illegal material, for example. To police authorities, it would look like the innocent Hola user was responsible for those actions, since his or her IP address would be associated with them.
"If it works the way it is explained, it's a terrible idea to use it."
"If it works the way it is explained, it's a terrible idea to use it," Raphael Vinot, a security researcher, told Motherboard. "Because you end up being responsible for what the other users of the service are doing."
In fact, in the case of Tor exit nodes, the Tor Project itself advises against running an exit node at home, given the legal risks. As Motherboard previously reported, Tor exit operators can face police raids and even jail if their nodes are involved in illegal activities.
With Hola and Luminati, millions of users (Vilenski says Hola has 46 millions installs) are exit nodes, likely without realizing it.
Vilenski told me that they don't allow customers of Luminati to do illegal activities, and that Bui's account was suspended after the incident with 8chan.
"We're very, very serious about people not misusing our network," he said, adding that it'd be "stupid" to use the network for criminal activity. (It's worth mentioning that the old FAQ did not say that Hola is a "managed and supervised" network and thus not a good fit for criminals trying to hide their identities.)
"They're essentially selling out their users to try to figure out [how to run a profitable business]."
Yet, when another security researcher posed as a potential customer, a Luminati representative told him that "we simply offer you a proxy platform, what you do with it, is up to you," and that "we have no idea what you are doing on our platform," according to chat logs provided by the researcher, who wishes to remain anonymous, to Motherboard.
At the same time, the Luminati website now doesn't describe the service as "the world's largest anonymity network" anymore, as it did on Tuesday. Now, it's a "VPN network" and the words "anonymous" or "anonymity" have disappeared from the site.
"The bottom line is they're trying to figure out how to run a profitable business," Adam Fisk, the founder of Lantern, an app that allows people to become proxies for internet users in countries where there's online censorship, told Motherboard. "And they're essentially selling out their users to try to figure that out."
Vinot, the security expert, described it as "an interesting business model."
"Honestly," he said, "that level of trickiness is art."
This story has been amended. A previous version of this story described Luminati as an "unwitting botnet," but it can be more accurately described as a "voluntary botnet."