The VPN Conspiracy: How They Built a Billion-Dollar Lie
Note: The video version shows far more receipts than the newsletter version, so I would recommend that version instead this time 🙂
What If the Privacy Tool You Trusted Was Designed to Exploit You?
You were told a VPN would keep you safe online.
That it would protect your privacy.
But what if the tool you downloaded for safety... was actually built to watch you?
What if the tool you installed for privacy quietly recorded your behavior — your app usage, your habits, your digital patterns — and sold access to that data?
In this video, you’ll learn:
How the most dangerous VPN ever created went undetected for years.
How a major tech giant used it to spy on teens and crush competitors.
Why today’s “trusted” VPNs are still using the same blueprint.
I’ve spent weeks combing through leaked emails, court documents, and buried privacy policies that were never supposed to be read. What I found wasn’t illegal — but it was disturbing. Because the system was built to allow it.
This story isn’t about a single company.
It’s about how trust gets monetized.
And why the next time someone promises you privacy... you’ll know what to look for.

Why Did Facebook Buy the Most Dangerous VPN Ever Made?
In 2013, Facebook bought a small Israeli app called Onavo, built by cyber-intelligence veterans from Unit 8200. They specialized in traffic interception, behavioral analytics, and deep packet inspection.
On the surface, it was a “data-saving app.” In reality, it became one of the most powerful surveillance tools ever deployed on consumers.
From the moment Onavo was installed on your phone, every packet of data—from every app, every tap, every background process—was routed through Facebook-owned servers.
That meant Facebook could see:
What apps you used
When, how long, and how often
How much data each app consumed
What features were keeping you hooked
And sometimes, the content itself
It was full-spectrum traffic surveillance.
And Facebook used it to spy on competitors — especially Snapchat.
Why Did Facebook Care So Much About Snapchat?
By 2016, Snapchat had become the go-to app for Gen Z. Teenagers were ditching Facebook and Instagram. And Facebook needed to know how quickly that shift was happening.
But when Snapchat encrypted its traffic, Onavo went blind.
That’s when Zuckerberg sent a clear directive to his team:
“We need reliable analytics about Snapchat… You should figure out how to do this.”
How Project Ghostbusters Crossed the Line
Facebook engineers launched Project Ghostbusters, a plan to bypass HTTPS encryption and restore visibility into Snapchat, YouTube, and Houseparty.
Here’s how it worked:
They created a fake root certificate to impersonate apps
Installed it via a “VPN profile”
Intercepted encrypted traffic
Decrypted and logged it
Re-encrypted it before passing it on
To the user, everything seemed normal. But Facebook had just executed a man-in-the-middle attack—the same kind of tactic used in spyware and nation-state surveillance.
And the people they recruited?
Teenagers.
Ages 13–17.
Offered $20 in gift cards to give up full root-level access.
Even Facebook’s own security VP warned:
“No security person is ever comfortable with this.”
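A tunnel bundled with a new trusted root is what makes the interception above possible, and it is something a reviewer can check for before a profile is installed. The sketch below is an added example, not code from Facebook or from the original post; it assumes the profile is an unsigned Apple configuration profile (.mobileconfig plist), which the post does not specify, and the sample profile and its names are constructed.

```python
import hashlib
import plistlib

# Apple configuration-profile payload types (Apple's own identifiers).
VPN_TYPES = {"com.apple.vpn.managed", "com.apple.vpn.managed.applayer"}
ROOT_CA_TYPE = "com.apple.security.root"
CERT_TYPES = {ROOT_CA_TYPE, "com.apple.security.pkcs1"}


def audit_profile(raw: bytes) -> dict:
    """Summarise VPN and certificate payloads in an unsigned .mobileconfig."""
    profile = plistlib.loads(raw)
    vpns, certs = [], []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", "(unnamed)")
        if ptype in VPN_TYPES:
            vpns.append({"name": name, "vpn_type": payload.get("VPNType", "?")})
        elif ptype in CERT_TYPES:
            der = payload.get("PayloadContent", b"")
            certs.append({
                "name": name,
                "root": ptype == ROOT_CA_TYPE,
                # Fingerprint to compare with the device's trusted-certificate list.
                "sha256": hashlib.sha256(der).hexdigest(),
            })
    return {
        "vpn_payloads": vpns,
        "cert_payloads": certs,
        # A tunnel plus a new trust anchor lets the tunnel operator present
        # certificates the device accepts, i.e. the interception described above.
        "tls_interception_capable": bool(vpns) and any(c["root"] for c in certs),
    }


# Constructed sample; the certificate bytes are a placeholder, not a real cert.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Research Profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed",
         "PayloadDisplayName": "Example VPN", "VPNType": "IKEv2"},
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example Root CA",
         "PayloadContent": b"constructed-placeholder-bytes"},
    ],
})

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```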

What Happened After Apple Banned It?
Apple finally banned Onavo in 2018 for violating privacy rules.
So Facebook rebranded it as “Facebook Research,” codenamed Project Atlas—and used Apple’s enterprise system to sneak it onto iPhones, bypassing the App Store entirely.
Their target? Teenagers.
Facebook paid kids aged 13–17 a measly $20/month in gift cards to install the app and hand over root-level access to their phones.
It only ended when TechCrunch exposed it in 2019. Apple responded by revoking Facebook’s enterprise certificates, instantly killing every internal app used by their employees.
But Did They Actually Stop?
No.
They kept it alive on Android.
They kept collecting data.
They kept making billion-dollar decisions based on surveillance.
This wasn’t an accident. It was a multi-year business model, built on deception, technical expertise, and strategic targeting of minors.
So Here’s What Matters Now:
If this is what Facebook did with a VPN...
What are the rest of them doing?
Because some of the biggest names today are using the same infrastructure.
And you wouldn’t know unless you pulled the logs yourself.

So Who Owns the VPN You’re Using, Anyways?
This is where it goes from sketchy to sinister.
Because a huge number of VPN companies aren’t real companies.
They’re shell corporations, adware firms, offshore fronts, and former spyware vendors rebranded as “privacy tools.”
You know those “independent” VPN review sites? The ones that always seem to rank ExpressVPN and CyberGhost in the top 3?
Yeah. Those sites are owned by the same company that owns the VPNs.
And that company’s got one hell of a backstory.
When the Adware Industry Bought Your Privacy
Ever heard of Kape Technologies?
Didn’t think so. That’s intentional.
Kape (formerly Crossrider) used to make browser hijackers and ad injection malware. In 2018, they changed their name—because, you know, malware was a bad look. Then they started quietly buying up the VPN industry.
Here’s what they now own:
CyberGhost (2017)
ZenMate (2018)
Private Internet Access (PIA) (2019)
ExpressVPN (2021) — bought for $936 million
Oh, and Kape also owns the “independent” review sites VPNMentor and SafetyDetectives—which consistently rank Kape’s products at the top of every “best VPN” list.
Let that sink in.
The same company that used to inject ads into your browser now controls multiple major VPN brands and the review sites that recommend them. They built an entire surveillance ecosystem, monetized both ends of it, and slapped a “privacy” sticker on the front.
As one industry analysis put it, Kape’s network was “explicitly designed to go after your data and your wallet.”
Still feel safe?
Who’s Actually Running These VPNs?
Kape isn’t the only player. The VPN industry is littered with fake names, offshore shells, and state-level entanglements.
For example:
In 2025, investigators discovered that 20+ of the top 100 VPNs on the App Store were quietly owned by Chinese companies.
These included Turbo VPN, VPN Proxy Master, and Thunder VPN, tied to a parent firm connected to Qihoo 360—a company blacklisted by the U.S. government for national security risks.
Their ownership was masked through Cayman Islands and Singapore-registered shells. But the traffic? Routed through questionable infrastructure.
Users had no idea. These apps had millions of downloads.
Meanwhile, ExpressVPN—yes, the one owned by Kape—employed a former mercenary hacker from the UAE’s Project Raven, a surveillance unit known for using zero-days against journalists and activists. That executive stayed on staff even after the U.S. fined him.

Why “No-Log Policies” Are Basically B.S.
Here’s the dirty secret of VPN marketing:
“No logs” means absolutely nothing without proof.
And most VPNs either:
Don’t get audited
Get fake audits from shady shell companies
Just outright lie
Even when there is an audit, it’s usually:
One-time
Outdated
Only for a single server or limited config
And when logs do exist?
They leak.
In 2020, seven “no-log” VPNs—including UFO VPN and SuperVPN—were caught with 1.2 terabytes of exposed user logs. Names, IPs, session timestamps—wide open. All of them ran on the same white-label infrastructure, used fake company names, and made the same hollow privacy promises.

When Did VPN Ads Turn Into Misinformation Machines?
By the mid-2010s, VPNs had a marketing problem. They weren’t sexy. They weren’t viral.
So the companies behind them turned to the loudest, most trusted voices online: creators.
And those creators cashed in.
YouTubers who couldn’t spell DNS were suddenly shouting, “Get 68% off your privacy!”
Podcasters were peddling “military-grade encryption!” like it was mouthwash.
And audiences ate it up—because repetition breeds trust, and trust sells.
📊 Let’s talk numbers:
In a 2023 analysis of 243 VPN ads on YouTube, 80% made false claims—like “100% anonymous,” “protects you from all tracking,” or “keeps hackers out.”
A mid-sized creator with 150k views? Pulls in $5,000 per VPN ad slot.
Bigger names were clearing $25K per integration, plus lifetime commissions for every signup.
That’s 30–50% of every subscription... for years.
Here’s the thing no one talks about: most users trust VPNs because their favorite creators told them to.
You were sold safety, privacy, and peace of mind—by people you trusted.
But behind the scenes, those people were getting paid more to say “secure” than to check if it actually was.
And none of these creators are verifying what’s under the hood. Why would they?
There’s no incentive to tell the truth when the lie pays better.

What If Everything You’ve Been Told About VPNs Was a Lie?
Let’s be clear: a VPN is not a magic cloak.
It’s not making you anonymous. It’s not blocking surveillance. And it’s definitely not protecting you from the companies who make money off tracking you.
A VPN creates an encrypted tunnel between your device and their server. It hides your IP from the websites you visit, and your traffic from your ISP. That’s it.
Everything else—the “military-grade encryption,” the “100% anonymity,” the “complete online safety”—is marketing copy.
And when that tunnel ends at a VPN company you can’t identify, operating out of a shell corporation, logging data it promised not to, quietly feeding it to advertisers? You’ve just traded one surveillance point for another.
If you don’t know who owns your VPN, how they make money, or what their infrastructure looks like—you don’t have privacy. You have vibes.
🚫 When Should You Not Use a VPN?
If your life depends on staying anonymous, a VPN might get you killed.
Here’s what most VPNs still collect:
Session timestamps
Bandwidth usage
IP address (even temporarily)
Device identifiers
Payment info
Even “no-log” VPNs often retain enough metadata to identify you. And they’ll hand it over if they’re pressured, bought, or raided. Some won’t even wait for the pressure.
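To see why session timestamps and IP addresses alone are identifying, here is an added example (not from the original post) that matches website-side events against provider-side session records. All accounts, addresses and times are constructed, and the record layout is an assumption.

```python
from datetime import datetime

# Constructed provider-side records holding only the metadata fields listed
# above: (account, source IP, exit IP, session start, session end).
SESSIONS = [
    ("acct-1001", "198.51.100.7",  "203.0.113.50",
     "2024-03-01T09:58:00", "2024-03-01T11:30:00"),
    ("acct-1002", "198.51.100.23", "203.0.113.50",
     "2024-03-01T10:05:00", "2024-03-01T10:40:00"),
    ("acct-1003", "192.0.2.88",    "203.0.113.50",
     "2024-03-01T08:00:00", "2024-03-01T10:10:00"),
    ("acct-1001", "198.51.100.7",  "203.0.113.50",
     "2024-03-02T21:00:00", "2024-03-02T22:15:00"),
    ("acct-1003", "192.0.2.88",    "203.0.113.51",
     "2024-03-02T21:10:00", "2024-03-02T21:50:00"),
]

# Constructed events as a website would log them: (exit IP seen, timestamp).
EVENTS = [
    ("203.0.113.50", "2024-03-01T10:07:00"),
    ("203.0.113.50", "2024-03-02T21:30:00"),
]


def candidates(event, sessions=SESSIONS):
    """Accounts whose session on that exit IP covers the event time."""
    exit_ip, ts = event
    when = datetime.fromisoformat(ts)
    return {
        acct
        for acct, _src, ex, start, end in sessions
        if ex == exit_ip
        and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)
    }


def linked_accounts(events, sessions=SESSIONS):
    """Accounts consistent with every event: the set shrinks with each one."""
    sets = [candidates(e, sessions) for e in events]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for e in EVENTS:
        print(e, "->", sorted(candidates(e)))
    print("consistent with all events:", sorted(linked_accounts(EVENTS)))
```

A shared exit IP hides the first event among three accounts, but the second event leaves only one, with no traffic content logged at all.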
If you're a journalist, whistleblower, activist, or dissident under surveillance—do not rely on a VPN. Use Tor. Use compartmentalization. Use burner infrastructure you control.
And if you’re just trying to avoid corporate surveillance? A VPN won’t help. Google, Meta, Amazon, TikTok—they’re not tracking you through your IP. They’re tracking you through your browser, your behavior, your device fingerprint, and the code embedded inside 90% of the apps you use.
VPNs can’t stop that. They’re not designed to.
✅ When Does a VPN Actually Help?
There are good reasons to use a VPN—if you know exactly what it’s doing.
A VPN is useful when:
You’re on sketchy public Wi-Fi and want to prevent passive snooping
You’re traveling or at work and need to bypass content restrictions or censorship
You want to obscure your real IP from a website, app, or service
You want to prevent your ISP or network admin from logging your traffic
You’re routing your own traffic through infrastructure you control
In those cases, a VPN gives you a tactical advantage. But only if you trust the provider—and know why you’re using it.

What Should You Demand From a VPN Before You Even Consider It?
Here’s the checklist. If they don’t pass every point, walk away.
Full-scope, third-party audit
Not just “no-logs”—the whole infrastructure. The clients. The servers. The logging. The policies. No audit? No trust.
Transparent ownership
Can you trace who owns the company? Where it’s based? Who’s on the team? If not—assume they’re hiding something.
Open-source clients
If you can’t see what the software is doing on your machine, you can’t verify a single claim they’re making.
Anonymous payment options
If they require a credit card or PayPal, they’re tying your identity to your usage. Cash, Monero, crypto—or nothing.
No connection metadata
“No logs” means no logs. That includes timestamps, bandwidth, session IDs. If they keep any of it, it’s a red flag.
Privacy-first features
Kill switch
DNS leak protection
WireGuard support
Tor bridge or multi-hop routing
Custom DNS resolver support
It Must Be Paid. No Exceptions.
If you’re not paying for the product, you are the product.
If any of that is missing—that’s not a privacy tool. That’s spyware.
Which VPNs Have Actually Earned the Community’s Trust?
These are the few providers that meet the bar. No sponsors. No affiliate links. Just what the security community actually respects.
Mullvad
Based in Sweden
No email required
Accepts cash by mail
Fully audited, open-source clients
Tor bridge support
Best for: Privacy-maxed users who don’t want to hand over any identity whatsoever.
IVPN
Based in Gibraltar
Transparent audits and team disclosures
Blocks ads and trackers at the network level
Anonymous signup + crypto payments
Best for: Users who want privacy by default and strong ethics under the hood.
Proton VPN
Based in Switzerland
Transparent ownership (ProtonMail team)
Audited + open-source
Generous free tier with no data caps
Best for: Beginners who want a trustworthy, non-predatory VPN they can grow with.
These are not perfect tools. But they’re trustable in a space where most others are built to extract, mislead, and exploit.

What Should You Use Instead (or Alongside) a VPN?
Real privacy is layered. A VPN is just one piece. You also need:
Tor Browser — For anonymity. With caveats. Use it standalone. Don’t stack with a VPN unless you know what you’re doing.
Hardened Firefox — Use uBlock Origin, disable WebRTC, enable container tabs, and strip out telemetry.
DNS over HTTPS (DoH) — Use NextDNS or a self-hosted resolver to encrypt your DNS queries.
Browser isolation — Use different browser profiles or VMs for different threat models (e.g., crypto vs personal vs work).
Self-hosted VPN — Spin up a WireGuard server on a VPS you control if you want total endpoint transparency.
If you’re serious about reducing your exposure, these tools matter way more than the VPN.
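The Firefox and DoH items above can be checked rather than assumed. This added example (not from the original post) parses a profile's `prefs.js` or `user.js` and reports which of those settings are missing or different; the preference names are Firefox's own, while the target values (including DoH-only mode 3) and the sample file are this example's assumptions.

```python
import re

# Target values for the steps listed above (this example's chosen policy).
EXPECTED = {
    "media.peerconnection.enabled": False,              # WebRTC disabled
    "privacy.userContext.enabled": True,                # container tabs enabled
    "datareporting.healthreport.uploadEnabled": False,  # telemetry upload off
    "network.trr.mode": 3,                              # DoH only, no fallback
}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Read user_pref("name", value); lines into a dict of typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit(text: str) -> dict:
    """Return {pref: (found, wanted)} for every setting that does not match."""
    prefs = parse_prefs(text)
    findings = {}
    for name, want in EXPECTED.items():
        have = prefs.get(name, "<not set, Firefox default applies>")
        if type(have) is not type(want) or have != want:
            findings[name] = (have, want)
    # DoH needs a resolver URL, e.g. a NextDNS or self-hosted endpoint.
    if prefs.get("network.trr.mode") in (2, 3) and not prefs.get("network.trr.uri"):
        findings["network.trr.uri"] = ("<not set>", "DoH resolver URL")
    return findings


# Constructed sample; dns.example is a placeholder resolver.
SAMPLE = '''
// constructed sample prefs.js
user_pref("media.peerconnection.enabled", false);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://dns.example/dns-query");
user_pref("datareporting.healthreport.uploadEnabled", false);
'''
```

Running `audit(SAMPLE)` flags the unset container preference and `network.trr.mode` 2, which still falls back to the system resolver when DoH fails.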
What If the Real Risk Was Never Just the Tech—But Who You Trust?
Here’s what should really scare you:
Not that VPNs can spy on you.
But that they were designed to.
And you were sold the opposite.
Creators took money to sell you a sense of safety they never verified.
Companies buried their ownership behind a dozen shell entities.
And the word “privacy” lost all meaning on its way to becoming a logo.
You weren’t protected.
You were marketed to.
You weren’t given security.
You were handed a tracking tool and told to feel safe.
And if you didn’t know how to tell the difference? That wasn’t your fault.
That was the business model.
If this made something click—send it to someone who still thinks all VPNs are safe.
Your privacy is your power.
Don’t give it away for a discount code.
Stay Curious,
Addie LaMarr