The increasing popularity of VPN technology has given rise to an avalanche of scams, which come in all sizes, flavors, and degrees of audacity.

Experienced VPN users and privacy wonks know a thing or two about how to research a VPN provider. If you’re just beginning your search, however, brace yourself, for it won’t be easy. The VPN market is a toxic mix of paid reviews, clickbait, vague legalese, and nefarious surveillance. At the same time, a Virtual Private Network is a mandatory tool for online privacy and security.

Among hundreds of VPNs, how does one choose the right one? Reading reviews is one route, but you still need to test a few select VPNs to ensure at least one of them meets your requirements. And even if the tech specs look good and performance is okay, a VPN can still leak your IP address, log your online activities top to bottom, infect your devices with malware, and sell your data to ad agencies, the NSA, or some sinister entity on the dark web.

Most VPNs’ selling points are privacy, security, unblocked streaming services, and the ability to bypass a firewall, whether that of your school, your office, or the Great Firewall of China. The bad news is that 99.9% of VPNs promise privacy, security, Netflix, and no-stress firewall evasion. To single out trustworthy providers from scammers, do your due diligence before subscribing. Below are some red flags that should help you identify a bad provider.

A bad VPN keeps logs

Whereas double-checking whether a VPN can unblock Netflix is quite simple, providers’ claims of privacy and security aren’t so easy to verify. You need to scrutinize the fine print of the company’s Terms of Service and Privacy Policy, paying special attention to logging policies.

Why is logging so important? Ask Cody Kretsinger how he landed a jail term thanks to logging by HideMyAss, aka HMA. Since HMA is under UK jurisdiction and logs users’ IP addresses and connection timestamps, a UK court was able to obtain user-specific logs on the said individual and connect him to a number of crimes.

The rule of thumb – choose a provider that keeps no logs. This is not to say only criminals need a zero-logs provider. If a VPN company advertises privacy and security while violating your trust and logging your connection and activity data, or filtering your content, then their claims are nothing but clickbait.

A bad VPN discloses your data

This one stems directly from a VPN’s logging policies. Providers that log your activities most likely cooperate with patent trolls and surveillance agencies. Pay close attention to a company’s jurisdiction. If it is headquartered in the Five Eyes or the Fourteen Eyes countries, it’s subject to data retention laws. That is why U.S. and U.K.-based VPNs are generally not recommended by privacy-protection organizations and security experts.

Trustworthy VPNs go out of their way to be transparent in their legal pages and to not log any data that could identify their customers. Reliable VPNs delete your connection logs every few hours or only log non-personally identifiable details that cannot point to a specific user.

Likewise, to protect their users’ identities, trustworthy VPNs accept a variety of anonymous or semi-anonymous payment options, including cash, gift cards, and Bitcoin.

A bad VPN infects your devices with malware

Some providers offer free VPN services in exchange for displaying ads. What they won’t tell you is that their apps and the ads they display come chock-full of tracking capabilities that enable monitoring and logging of your browsing activities.

At the same time, some malicious providers take it a step further by infecting your devices with malware that sends critical information about your device, identity, and usage to their servers.

The catch with most free VPNs is they thrive on trading your data to data brokers, ad agencies, the NSA, you name it. If you use a malware-infested VPN, your traffic gets logged, filtered, censored, and reported. You are served with affiliate content instead of the content you really need. Finally, your devices become more vulnerable to opportunistic and targeted hacker attacks.

A bad VPN doesn’t work

VPN scam schemes are numerous. Hijacking the website of a discontinued service and harvesting first-time subscriptions from new users, only to ignore their refund requests, is one of them.

To avoid this type of VPN fraud, you need to research a provider’s social accounts and contact their customer service before paying your first invoice.

A bad VPN doesn’t respect its refund policy

Some providers forge their subscription tiers to make short-term plans overpriced, making their long-term subscriptions look like a bargain. That is a cringe-worthy practice in itself, but some VPNs take it a step further. They advertise a money-back guarantee, but when a refund is requested, they take their time answering user requests, ask stupid questions, don’t terminate your account, and then say your 7-day money-back window is over. Others just ignore PayPal dispute emails.

The good news is I did the legwork for you by testing a wealth of VPNs and compiled a list of companies that are either scams or just bad at what they do. Avoid these like the plague.

1. ExpatSurfer

ExpatSurfer is the epitome of a VPN scam. It acts like it is hijacked, and it’d better be. Because if it’s not, the grotesque incompetence it displayed in my time with it lands it in a very bad spot. ExpatSurfer takes your money and then forgets all about you. It doesn’t provide the server address you need to set up its PPTP connection, and it doesn’t bother to respond to your emails.

Considering it’s not cheap at $10.26 per month for a mere PPTP connection that doesn’t work, you are strongly advised to black-list the provider.

2. Earth VPN

Earth VPN is a Cyprus-based provider that used to be popular. While advertising all the bells and whistles you might be looking for in a VPN – OpenVPN, P2P, unlimited data, affordable plans – it just doesn’t work.

The service has been dropped, but here is the funny thing – you can still subscribe. Although I was lucky enough to not proceed to the checkout, six months later I keep receiving notifications of my outstanding invoices with EarthVPN. They keep renewing each month all by themselves. No human ever responded to my inquiries, but someone at EarthVPN took the trouble to close my tickets without responding.

Unless you entertain the idea of receiving spam in your inbox for months on end from EarthVPN’s automatic system, steer well clear of this ghost company. Let it sink into oblivion.

3. Betternet VPN

Betternet VPN is a classic VPN scam: it offers free VPN services and spreads malware. Considering it’s been downloaded millions of times, quite a few people feed their browsing activity to shady data brokers.

Revo Uninstaller found a gazillion leftover files left behind by Betternet’s Windows app, while VirusTotal AV rated it 13, with 1 being virus-free. The company is super-shady about the technical specs of its VPN. It also claims to keep zero logs while, in reality, it does store connection logs. A crowd of third parties accesses your data, and Betternet won’t cover your back if law enforcement or a patent troll comes knocking on its door.

4. Onavo Protect

Onavo Protect, aka Protect Free VPN+Data Manager, is a free VPN by Facebook itself. It’s a mobile app available for iOS and Android, and it requires extensive permissions to run. Instead of acting like your typical VPN, Onavo Protect accesses and logs your app activity. You heard it right – Facebook wants to know which apps you use and how often, and route them through its UK servers.

It runs in the background, sifting through all your traffic, so good luck finding that online privacy because if you use Facebook’s VPN, privacy is dead.

5. Cryptostorm VPN

Cryptostorm VPN could actually be a provider I’d recommend because it has some pretty strong features. It anonymizes your purchase by generating a user token, so you never use your email or username to access its VPN. It has a decent network, top-notch security specs, a flexible pricing structure, pretty good performance, and good usability.

Except that it’s most likely an FBI honeypot. Case in point – Douglas Spink, Cryptostorm’s owner and a convicted zoophile, who got busted smuggling $34 million worth of cocaine and was released after having served only three years out of a 17-year sentence. The security community believes this grace befell Spink after he agreed to give the FBI a backdoor to Cryptostorm VPN servers.

In the meantime, Cryptostorm refuses to comment on the Spink matter, or shed some light on how the company complies with Canadian data retention laws. The tale of a decentralized company with anonymous people running it just doesn’t make the cut.

6. Faceless.me

Faceless.me has been around for more than five years, generating a steady flow of downloads on Google Play, which makes it look like something that works. In reality, it’s a dysfunctional VPN backed by non-existent support. Its social pages haven’t been updated in years. For some reason, Google doesn’t remove the long-dropped app with numerous poor reviews from its app store. Hey Google, don’t be evil, remember?

7. Liberty VPN

Liberty VPN might look like something thanks to its ability to unblock streaming services, but its surprisingly shady origins (most likely American) and ungodly Terms of Service make me wonder how they have managed to stay in business this long. Their refund policy is incredibly limited since you can’t consume more than 50MB while their plans are above-average at $15 a month or $108 a year.

Its VPN is convoluted and difficult to use, and the server locations are few. No P2P, no bypassing firewalls, no using Skype from Cuba, no simultaneous connections, no Bitcoin. But you may get filtered, censored, and turned in to law enforcement. Moreover, if you violate their ToS, the company will charge you at a rate of $250/hour for deleting your account. That, ladies and gentlemen, is how you make money.

Unfortunately, the hall of shame for the worst VPNs is significantly longer than my typical honorable mentions for the best providers:

  • VPN Reactor is a well-established American provider that logs your online activities and has the nerve to charge you $77.88 a year for it.
  • ZPN.im is yet another mobile VPN claiming to be the best free VPN, but in reality, it’s dysfunctional, shady, and mute. It is unclear who or what is behind it, and its ToS make it clear they can enable activity monitoring if compelled. It won’t even let you register a free account, which is for the best.
  • Hotspot Shield VPN is another free VPN monetizing customer data. It logs your activities, plants tracking libraries in your devices, and injects JavaScript into your web pages. It shares your data with third parties, sells it to data brokers, and complies with U.S. data retention laws.
  • Rocket VPN is a free mobile VPN powered by the above Hotspot Shield. It is no wonder then that Rocket VPN comes packed with abhorrent logging policies, adware, and shady ToS.
  • DefenceVPN is a young Canadian provider that can’t pull itself out of long-lasting outages. It’s been repeatedly down in 2017 while in 2018 it popped up for a short while saying things were back to normal. I wonder what normal is in their terms because when I paid for a plan and received no login details, their support issued a refund in response to my request for… login details. That’s the kind of normal I call bizarre.
  • DotVPN might be based in Hong Kong and offer 4096-bit encryption, but its poor performance, roots in Germany, the Five Eyes watchdog, connection and usage logs, and the fact that they keep those logs for two years make it a proposition you are better off skipping.
  • HideMyAss from AVG is a UK-based provider that logs your connection metadata and hands it right over to Scotland Yard. Some people are already serving their jail terms thanks to HMA.
  • SuperVPN for iOS and Android is a free and pretty functional mobile VPN, except it has all the red flags of an MI5 honeypot. Having extensive access to your sensitive information, it stores your session logs in the UK and the USA and will disclose them to law enforcement if compelled.
  • BTGuard logs your personal information and connection metadata, has vague privacy policies, and doesn’t like to draw much attention to its US jurisdiction while catering to torrenters primarily.
  • Cargo VPN is a pretentious VPN that makes many false claims. Its free trial is unavailable while its ungodly support is that of KeepSolid, a different provider. It’s also Mac and iOS-exclusive, overpriced, and lackluster.

This list is far from complete. New VPNs pop up nearly every day, while old ones get dropped or discontinued, with opportunistic scammers hijacking their websites. Some popular VPNs with pretty high ratings have dysfunctional features or treat their customers like garbage.

Don’t get too excited if you don’t find your VPN on this list. Do your research first. Contact your provider’s support, ask your tech community, or leave a comment in the section below if you suspect you might be a victim of a VPN fraud scheme.

Finally, don’t rely too much on a VPN to protect you from law enforcement. Even though it’s best if law enforcement has no business looking you up at all, in some situations you can’t help it. Investigative journalists, human rights activists, and anyone out of sync with the mainstream ideology of many civilized countries can be targeted by surveillance entities.

If that’s the case, don’t hop on a free VPN bandwagon, but take your time to find a trustworthy and reliable provider. Providers like ProtonVPN, Mullvad, or NordVPN keep no logs whatsoever and accept Bitcoin and even cash payments, which means you can protect your identity when subscribing.

For a complete breakdown of important VPN features of trustworthy providers, please read my VPN Guide for Beginners.

If you’ve read this far, you probably know by now why no VPN is better than a bad VPN. Steer clear of shady companies and always test VPN services before subscribing to anything that’s longer than a month.