Free VPNs aren't free. Someone pays for every server, every IP address, every gigabyte of traffic. When you don't pay with money, you pay with your data, your bandwidth, or sometimes your identity. To make you understand this better, I’ll break down the actual infrastructure economics with real numbers and documented cases in this article.
The Real Cost of Running a VPN (It's More Than You Think)
Most people think of a VPN as an app. It's not. It's an infrastructure operation.
Every byte of your internet traffic, be it your Netflix stream, your WhatsApp messages, or your late-night Google searches, gets tunnelled through the VPN provider's servers. They pay for every single gigabyte that passes through.
AWS (Amazon Web Services), one of the most widely used cloud infrastructure providers, outbound data transfer costs $0.09 per gigabyte for the first 10TB per month. A single server pushing 5TB of data a month generates a bandwidth bill of around $382. Mind you, this amount is just for that one server!
In fact, Hetzner, one of the cheapest serious options, charges around $43 to $50 per month for a basic dedicated server. That's the floor cost before a single user connects.
Now multiply that across hundreds of servers, dozens of countries, and millions of users.
And that's before you add staff cost, app development, DDoS protection, customer support, and security audits.
The IPv4 Problem That Nobody Writes About
IP addresses are not cheap. When you connect to a VPN, your traffic appears to come from one of the provider's IPs and not yours. To serve thousands of simultaneous users, avoid blacklists, and keep streaming platforms accessible, providers need enormous pools of IP addresses.
Now, IPv4, which is the addressing system most of the internet still runs on, ran out of new allocations years ago. So every available address now trades on a secondary market, which comes for around $34 to $45 per address to buy outright. And if you wish to lease it, you’d pay somewhere between $0.40 and $0.50 per address, per month.
So, if you calculate, a pool of just 10,000 IP addresses costs roughly $4,000 to $5,000 every single month just in lease fees. That's before the servers are even switched on.
So, a free VPN has two choices here. Run a tiny, overcrowded IP pool and deliver a terrible experience. Or find a way to fund a proper one because there is no THIRD option.
This is where a VPN brand like IPVanish, funds a large, clean IP pool entirely through subscriptions. Right now, they're even offering an exclusive discount on their plans.
The Maths That Free VPNs Don't Want You to Do
Let me put all of this together in one place.
The average smartphone user consumes around 20GB of data per month. A VPN adds 5 to 15 percent overhead on top of that, which is the cost of encryption and tunnelling.
Let’s take a conservative figure. Say a free VPN user tunnels 10GB of traffic per month. At $0.09 per GB, that user costs the provider $0.90 per month in bandwidth alone.
Scale that to 10 million users (a modest number for a popular free VPN) and the monthly bandwidth bill is a whopping $9 million.
And that’s why a free VPN with millions of users is not a charity. It is a business with costs that it has to recover from somewhere.
So how does it recover them?
Free vs Paid: What You're Actually Comparing
Before I show you the documented cases, here's the cost model.
This is not a feature checklist. It is an economic reality check.
Every VPN has a cost model. The only question is whether you can see it.
How Free VPNs Actually Pay the Bills (3 Documented Cases)
These are not hypothetical risks. They are real companies, with real facts, reported by real journalists.
Case #1: How Hola Turned Its Users Into a Botnet Without Telling Them
Hola offered a free peer-to-peer VPN. It was a popular, widely recommended VPN on Reddit, with millions of downloads.
Here is what it actually was.
Instead of routing your traffic through dedicated servers, Hola routed it through other users' connections. And while that was happening, it was running a commercial business on the side called Luminati — selling access to this network of unwitting users at $1.45 to $20 per GB.
Security researchers discovered in 2015 that the Luminati network had been used to launch a DDoS attack against the 8chan message board. The attack originated from Hola users' IP addresses. Users who had no idea any of this was happening.
When researchers asked Luminati's sales team what restrictions existed on how the network could be used, the answer was that the company had no idea what buyers were doing on the platform.
Hola never paid for infrastructure. Its users were the infrastructure.
The "free" VPN was free because the users were the product — their bandwidth and IP addresses, packaged and sold to whoever was willing to pay.
Case #2: How Facebook Used a VPN to Spy on Competitors and Win a $19 Billion Deal
In 2013, Facebook acquired a VPN called Onavo for a reported $200 million.
The app told users it would protect their privacy and save their data. What it actually did: it collected which apps users spent time in, how much data each app used, and which websites they visited.
That intelligence turned out to be extraordinarily valuable.
Onavo data revealed that WhatsApp was sending more than twice as many messages per day as Facebook Messenger. This reportedly convinced Facebook to acquire WhatsApp in 2014 for $19 billion.
The result? The VPN ended up paying roughly 95 times over for itself.
Apple eventually removed Onavo from the App Store over privacy concerns. Facebook later repurposed the same technology for a research programme that paid users aged 13 to 35 up to $20 per month for root-level access to all their mobile data. Eventually, Facebook shut the programme down in 2019 after getting heavy backlash.
In a nutshell, Onavo was never a VPN product. It was a corporate intelligence operation that happened to encrypt your traffic on its way to Facebook's servers.
Case #3: The Study That Looked at 283 Free VPN Apps and Found 84% Were Leaking Your Data
In 2017, researchers from CSIRO, UC Berkeley, and the University of New South Wales analysed 283 Android VPN apps pulled from over 1.4 million apps on the Google Play Store.
Results:
- 84% leaked user traffic.
- 18% used no encryption at all.
Multiple apps were injecting JavaScript into users' sessions for tracking and advertising. Some were intercepting TLS connections — meaning they could read traffic that was supposed to be secure.
The lead researcher said the shocking finding wasn't the numbers. It was because people trusted these apps.
These weren't obvious scams. Rated applications in the official store, downloaded by real users who thought they were protecting their privacy.
Three cases. Three different monetisation models.
Bandwidth sold to strangers. Intelligence sold to advertisers. Data harvested quietly in the background.
Same logic every time: the VPN gets you to install the app and route your traffic through it. What happens after that depends entirely on who built it and why.
Why "Unlimited Devices" Doesn't Mean the Same Thing Everywhere
Both free and paid VPNs advertise unlimited simultaneous connections. This does not mean the same thing in both cases.
Every VPN server has a finite capacity. Each active connection consumes CPU cycles, memory, and bandwidth on that server. When a provider offers unlimited connections, they are making a commitment that their infrastructure can handle the load.
That commitment is only as good as the investment behind it.
A subscription-funded provider can size its server estate to its user base because it knows what its revenue is and what capacity that revenue can sustain.
A free provider has no such relationship. The result is either throttling under load, or a thin server estate where "unlimited" is a claim that quietly collapses when enough people connect at the same time.
The difference is not a feature. It is a function of whether the infrastructure budget exists to back the promise.
What A Paid VPN Subscription Actually Buys You
A paid legacy VPN brand like IPVanish is worth examining here.
On the infrastructure side, the subscription funds:
- RAM-only servers: Data is never written to disk, and is wiped on reboot
- Private DNS on every server for leak prevention
- WireGuard as the primary protocol: Most efficient modern option, just 4–6% overhead
- Unlimited simultaneous device connections on all plans
- Plans starting from $2.19/month on a two-year plan
The no-logs policy has been independently audited twice. The most recent, completed February 2025 by Schellman Compliance LLC, involved unrestricted system access, test traffic exercises, and confirmed that real-time abuse data is processed in memory only, meaning no logs are retained.
The Bottom Line
Most people using a free VPN haven't thought through the infrastructure economics. That's fair because it's not obvious until you look at the numbers.
Once you do, the choice gets simple.
Free means someone else is paying. Your job is to figure out who — and what they're getting in return.
Because from everything I've seen, it's usually something you didn't agree to give.