Ultra-popular Hola VPN extension sold your bandwidth for use in a botnet attack


Sometimes a free service isn’t really free and you can end up paying for it in unexpected ways. If you’re running the Chrome extension Hola Better Internet or the Firefox add-on Hola Unblocker, well, that’s exactly what’s happening. What’s more, your payment might be unwitting participation in a botnet, according to one site moderator.

Hola is a very popular virtual private network (VPN) service that routes your traffic through different countries to mask your true location. That way you can defeat regional restrictions to watch the American version of Netflix from Argentina or BBC’s iPlayer from the U.S.

Typically, a VPN service routes your traffic through dedicated servers, but Hola uses the idle resources of its users’ PCs to route traffic. This essentially turns a Hola user’s computer into a VPN server, or a small part of one. If you’re in Nebraska, for example, and Hola is running on your PC, you might help users outside the U.S. watch Hulu.

Under this set-up Hola doesn’t have to pay bandwidth costs for its free users. Instead it passes off the cost to other freeloaders. Paying for bandwidth is probably the largest overhead a VPN company has to deal with. Other companies keep their costs down through advertising or limiting how much bandwidth a customer can use for free every month.

Why this matters: If ever there was an example of why it’s important to read the fine print when you use a free service, Hola is it. To be fair, the company has always disclosed that it puts your idle PC cycles to use. But most users probably notice the service’s promise to unblock certain sites for free and look no further. That’s a problem when a company is using an innovative way to solve a problem. Bottom line: before you jump in, make sure you understand how a service is able to support a free offering.

Oh, Hola no!

Unless you have a limited bandwidth cap, Hola’s approach seems fair enough. You use the bandwidth and IP addresses of others to watch BBC shows, your connection helps people watch NBC. Hola says it only routes traffic through your PC when your machine is completely idle. Your device has to be connected to electricity, have no mouse or keyboard activity, and the PC’s connection must be using Wi-Fi or wired Internet—no cellular.

Hola also offers a premium service for $5 a month that lets you use the service without being a node in its P2P network.

As long as your IP is being used to check out CBS.com and not child porn or some other illicit activity, why not harness the power of the crowd as an efficient alternative?

But Hola also sells its free users’ bandwidth in another service called Luminati. Unlike Hola, Luminati is a VPN network offering bandwidth to anyone who needs to move large amounts of traffic across the Internet. It’s that service which was used to create a botnet to attack a site called 8chan, according to the site’s moderator Frederick Brennan.

Hola founder Ofer Vilenski later confirmed to TorrentFreak that a hacker did indeed use Luminati to attack 8chan. It’s not clear if Hola previously disclosed the Luminati usage to its users, but Hola’s FAQ does explain the Luminati service now.

Vilenski told TorrentFreak that it screens Luminati users before giving them access to the VPN network, but the hacker attacking 8chan was able to slip through. The company says it has taken corrective measures to prevent baddies from using Luminati again.


Even if another hacker never users Luminati for malicious purposes, you probably don’t want your PC resources being used to move network traffic.

There’s a ton of VPN providers out there that rely on servers instead of peer-to-peer networking, and many have a free tier. That said, VPNs are really cheap these days and you can get a year’s worth of service for $30 to $50. 

And if you like the idea of sharing your unused PC cycles with others who need it, check out the Berkeley Open Infrastructure for Network Computing (BOINC) platform. This open source screensaver program won’t get you caught up in a botnet (as far as we know), but you will donate your PC’s processing power to be part of a network furthering scientific research.

Subscribe to the Best of PCWorld Newsletter