An investigation by the Tech Transparency Project (TTP) has revealed that millions of Americans have downloaded VPN apps that covertly route internet traffic through companies tied to China, including several connected to a firm previously sanctioned by the U.S. government for links to China’s military.
TTP found that one in five of the top 100 free VPN apps available in the U.S. App Store in 2024 were ultimately owned by Chinese entities. That ownership creates a serious privacy concern because Chinese national intelligence laws can require companies under Chinese jurisdiction to provide user data to state agencies.
Several apps in the investigation trace back to Qihoo 360, a major Chinese cybersecurity firm that the U.S. Department of Defense has described as a “Chinese Military Company.” The U.S. Commerce Department sanctioned Qihoo 360 in 2020 on national security grounds.
VPNs are commonly used to mask a user’s IP address and are widely viewed as tools for private browsing, bypassing censorship, and shielding traffic from local network monitoring. In the United States, free VPNs are often installed by children and teenagers attempting to access games or social platforms blocked by school networks.
However, because VPN providers route all internet traffic through their servers, they can see and potentially log the data they forward. When the provider is controlled by a company in China, the legal environment amplifies the risk that data could be accessed by state authorities.
China’s National Intelligence Law of 2017 mandates that organizations and individuals cooperate with state intelligence efforts. The U.S. Department of Homeland Security has warned that this legal framework allows Chinese intelligence agencies to demand data from Chinese firms and could compel companies to build software backdoors or provide access to sensitive information.
Identifying VPNs with Chinese ownership can be difficult for the average user. TTP found that ownership was often obscured through layered corporate structures and offshore shell companies. By analyzing corporate filings across jurisdictions, TTP identified 20 VPN apps available to U.S. users whose ties to Chinese ownership were not clearly disclosed in app listings.
App market intelligence from AppMagic indicates those 20 apps alone have logged more than 70 million downloads in U.S. app stores.
TTP found instances where a Chinese-owned VPN advertised on Facebook and Instagram targeted users as young as 13. Other apps ran campaigns aimed at Americans worried about a possible U.S. ban on TikTok, highlighting how these VPNs marketed themselves to specific concerns among U.S. users.
While policymakers have concentrated on TikTok, TTP argues that broader scrutiny is needed for VPN apps, which could directly expose Americans’ internet traffic to Chinese authorities if those providers are subject to Chinese law.
These revelations raise questions about Apple’s App Store vetting. Apple has positioned itself as a protector of user privacy and has resisted measures that would alter App Store policies, citing security concerns. TTP’s findings suggest app review processes may miss opaque ownership structures and fail to fully assess how apps handle user data.
TTP also reported that more than a dozen of the Chinese-linked VPNs were available in Apple’s French App Store as of late February 2025, indicating the issue is not limited to the United States.
Apple’s developer guidelines state that apps offering VPN services “may not sell, use, or disclose to third parties any data for any purpose.” How Apple enforces that policy when apps are run by companies that may be legally compelled to share data under foreign laws is unclear.
Tracing the ownership: The Qihoo 360 connection
TTP’s probe examined specific apps, beginning with Turbo VPN, ranked among the most popular free VPNs. The app lists its developer as Innovative Connecting Pte. Ltd., registered in Singapore. Singapore company records list Lemon Seed Technology Ltd., a Cayman Islands entity, as a shareholder.
A 2019 annual report from Qihoo 360 disclosed the acquisition of Lemon Seed and two related companies—Lemon Clove Pte. Ltd. and Autumn Breeze Pte. Ltd.—for $69.4 million and an intangible asset. That disclosure established Qihoo 360’s ownership of the developer behind Turbo VPN prior to U.S. sanctions imposed in June 2020 over concerns the company posed a “significant risk” of supplying technology to China’s military. Qihoo 360’s clients at the time reportedly included the People’s Liberation Army and several Chinese government ministries.
TTP found that Innovative Connecting is linked to other top VPNs, including VPN Proxy Master and Thunder VPN. Although Qihoo 360 reported selling the app-related companies—referred to internally as “Project L”—to unnamed external buyers in September 2020, TTP identified filings and records suggesting continued ties.
Corporate records from March 2025 for Lemon Seed, Lemon Clove, Autumn Breeze, and Innovative Connecting list Chen Ningyi as a director. A 2017 Qihoo patent includes the same name, and China’s state media previously identified Chen as a general manager at Qihoo 360. That same person was appointed to the board of a Qihoo subsidiary sold in March 2023, raising questions about whether Qihoo retains influence over those app-related businesses.
Chinese VPNs using shell companies
TTP’s investigation also identified popular VPNs tied to entities registered in Hong Kong that are ultimately controlled by mainland Chinese firms or individuals. Apps such as X-VPN, VPNIFY, and the now-removed VPN Bucks listed developers based in Hong Kong, but corporate filings showed ownership links to mainland China not visible in App Store listings. U.S. authorities have previously advised caution regarding data security risks related to Hong Kong entities as Beijing’s national security laws evolve.
Other apps used alternative obfuscation tactics. WireVPN listed a UK-based developer, WEILAI NETWORK TECHNOLOGY CO., LIMITED, but U.K. records show the sole director is a Chinese national living in China who owns more than 75% of the shares. The company reported minimal assets and filed dormant, suggesting a shell structure. Its privacy policy included language that echoed Chinese regulations on “harmful information.”
Overall, TTP’s work paints a concerning picture: a sizeable share of popular free mobile VPNs have undisclosed ties to China, potentially exposing U.S. users’ internet traffic to Chinese government access under local laws.
See also: Alex Leadbeater, GSMA: Security collaboration vital as attack surface grows
Interested in learning more about cybersecurity and cloud technology from industry leaders? Consider the Cyber Security & Cloud Expo series, which hosts events in Amsterdam, California, and London alongside related conferences on digital transformation, IoT, blockchain, and AI & Big Data.
Explore other upcoming enterprise technology events and webinars powered by TechForge.