Morning Overview

Free VPN apps may quietly turn your home internet into a tool for criminals, the FBI warns.

The FBI issued a public alert warning that free VPN applications can secretly enroll household internet connections into residential proxy networks, allowing criminals to route illicit traffic through ordinary home and small-business devices. The warning arrives years after the 911 S5 botnet compromised more than 19 million unique IP addresses worldwide, including 613,841 in the United States, and facilitated billions of dollars in fraud. For the tens of thousands of Americans whose connections were hijacked between 2014 and 2022, the consequences may still be unfolding.

How free VPN apps turn home connections into criminal infrastructure

The core mechanism is deceptively simple. A user downloads a free VPN app, often attracted by the promise of no-cost privacy protection. Buried in the terms of service, or sometimes not disclosed at all, is a clause granting the app permission to use the device as a relay node. Once enrolled, the household’s IP address becomes part of a residential proxy network. Criminals pay to route their traffic through that address, making their activity appear to originate from a legitimate home rather than from a known malicious server.

The FBI’s recent advisory spells out the risk: residential proxy networks can route illicit traffic through home and small-business internet connections, and free VPN services with hidden or obscure terms of service are a primary enrollment vector. The alert does not name specific apps still active today, but it traces the threat model directly to the 911 S5 operation, the largest known case of this kind.

The practical result for affected households is severe. When a criminal uses a stolen identity to file a fraudulent unemployment claim, and the application originates from a family’s home IP address, that family’s connection becomes linked to the fraud. Internet service providers, banks, and government agencies all log IP addresses. A household that never engaged in criminal activity can find its IP flagged, its accounts frozen, or its members questioned by investigators who traced illegal transactions back to that address.

Because IP addresses are reused and reassigned, the confusion can persist even after a victim cleans their devices. Historical logs may still show that address as the origin point for prior fraud, and automated risk-scoring tools can treat that history as a red flag. In some cases, families may not even know their connection was misused until they encounter unexplained account closures, repeated identity checks, or delays in processing legitimate applications.

The 911 S5 botnet and billions in documented losses

The scale of the 911 S5 operation illustrates why the FBI’s warning carries weight beyond a routine advisory. According to the Justice Department, the botnet compromised more than 19 million unique IP addresses across roughly 200 countries, with 613,841 of those addresses located in the United States. The malware spread through VPN programs and pirated or bundled software beginning in May 2014, according to FBI guidance on the operation.

The financial damage was not abstract. The U.S. Treasury’s Office of Foreign Assets Control reported that the botnet facilitated tens of thousands of fraudulent applications tied to CARES Act pandemic relief programs, contributing to losses measured in billions of dollars. Treasury sanctioned the cybercrime network associated with the botnet, and the administrator was arrested in a coordinated international law enforcement operation.

The 911 S5 service was taken offline in July 2022, but the disruption was temporary. By October 2022, the operation had been reconstituted under the name Cloudrouter, according to FBI removal guidance on VPN apps containing 911 S5 backdoors. That rapid reappearance signals that dismantling one network does not eliminate the underlying business model. As long as free VPN apps can quietly monetize user bandwidth, the supply of residential proxies will regenerate.

The hypothesis that households appearing in the 911 S5 dataset face higher rates of law enforcement contact or account flags is difficult to test with public data. Federal agencies have released aggregate loss figures and IP counts but no per-victim or per-IP attribution data. Court filings describe the creation and operation of an illicit residential proxy service in broad terms. What is clear from the record is that hundreds of thousands of U.S. IP addresses were associated with criminal activity their owners never authorized, and that association leaves a digital trail that financial institutions and government systems can flag for years.

Gaps in the public record and what users should do now

Several questions remain unanswered in the available federal documents. No primary FBI or DOJ source lists specific free VPN app names or bundle distributors still active after the 2022 takedown and Cloudrouter rebranding. No public data quantifies how many U.S. households remain infected or have been re-enrolled through successor services. The infection vectors described in court filings and FBI alerts refer broadly to “VPN programs” and “pirated software” without granular breakdowns that would help users identify which downloads carry the highest risk.

The absence of per-victim data also means that individual households have limited tools to determine whether their IP addresses were ever part of the 911 S5 network. The FBI has published guidance on identifying and removing VPN applications that contain 911 S5 backdoors, but that guidance addresses known legacy software rather than new variants that may have emerged since 2022.

For anyone currently using a free VPN, the safest assumption is that the service could be monetizing connections in ways that are not obvious from marketing materials. Users should review app permissions, uninstall VPNs they do not recognize, and avoid software obtained from piracy sites or unofficial app stores. Where possible, people should favor reputable paid VPN providers that clearly state they do not sell access to customer IP addresses or participate in residential proxy schemes.

Basic network hygiene can also reduce exposure. Keeping operating systems and routers updated, using security software from trusted vendors, and periodically reviewing installed applications on phones, tablets, and PCs can all help identify unwanted VPN clients. Small businesses, which often rely on consumer-grade routers and lack dedicated IT staff, may be especially vulnerable to quietly installed proxy software on shared workstations.

Consumers who suspect their connection has been abused have limited direct recourse but can document and report anomalies. Unexplained spikes in bandwidth usage, login alerts from unfamiliar services, or notices about accounts the household never opened may justify contacting an internet service provider or filing a report with local law enforcement, which can coordinate with federal agencies when appropriate.

Staying informed as threats evolve

The 911 S5 case shows how quickly criminal infrastructure can adapt when there is steady demand from fraudsters and other bad actors. Even after a major takedown, the same techniques can reappear under new branding, fueled by users who install free tools without realizing they are effectively renting out their home connections. Because public technical details lag behind the latest variants, staying informed about new FBI guidance is as important as cleaning up legacy infections.

Individuals and organizations can sign up for email updates from the FBI to receive future cyber alerts and removal instructions. Monitoring these communications can help users quickly identify newly flagged VPN apps, understand emerging proxy schemes, and adjust their security practices before becoming part of another global botnet.

For now, the message from federal authorities is straightforward: if a VPN or privacy app is free, the business model is likely built around selling something else. In the case of 911 S5 and similar residential proxy networks, that “something” was the bandwidth and reputational risk of millions of unsuspecting households. Until transparency and enforcement catch up with that model, cautious downloading and regular device audits remain the best defense against having a home internet connection turned into criminal infrastructure.

More from Morning Overview

*This article was researched with the help of AI, with human editors creating the final content.