Hola, one of the most popular online services for viewing blocked videos and TV shows from other countries, has turned its users into a botnet without their knowledge. The software, which is available as a plugin for the Chrome browser on desktop and mobile devices, had previously been praised for offering an easy-to-use and free service. However, it seems the company has been discreetly selling users’ “idle resources” (i.e. their bandwidth) via a separate Luminati brand, allowing anyone to buy traffic in bulk and redirect it to a target site as a denial-of-service attack. Essentially, Hola’s users have been unwitting mercenaries in a botnet-for-hire.
The issue came to light after the moderator of the controversial 8chan forum — an off-shoot of 4chan that has been criticized for acting as an “active pedophile network” — reported that the site had been the target of multiple DoS attacks from Hola’s network. “[Hola] recently … realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet,” says a note on the site. “An attacker used the Luminati network to send thousands of legitimate-looking [requests to 8chan] in 30 seconds, representing a 100x spike over peak traffic.”
Hola is able to act as a botnet for the same reason that its service is free: it doesn’t provide its own bandwidth or servers, but simply redirects that of its users. Most virtual private networks (VPNs) have their own servers spread around the world, channeling a user’s internet connection through these so that it appears to be coming from a different country. This allows a user in France, for example, to watch geoblocked TV shows from the US. Hola, however, operates as a peer-to-peer VPN, routing users’ connections through each other’s devices like a giant telephone exchange. Hola makes money by selling idle bandwidth from its free users under the Luminati brand. Users who don’t want to contribute their bandwidth have to pay $5 a month, explains the site’s FAQ.
Hola’s founder Ofer Vilenski has said that the site has “always made it clear” how this business model works, but Hola’s users seem to have been almost universally unaware that their bandwidth was being sold off. A thread on Reddit discussing the news is full of commenters expressing their outrage and surprise. “I’ve had it for years,” writes one commenter, “fuck knows who has been using my internet connection!! And for what?!” Even users who might have taken the time to read Hola’s FAQ could have been misled — TorrentFreak alleges that the site “only recently” added details explaining the role of the Luminati service to its site.
The worry for some users is not only that Hola has been leeching their bandwidth, but that their connection might have been used for illegal purposes — accessing anything from copyrighted content to images of child abuse. In the case of the DoS against 8chan, Hola’s Vilenski has said that the attacker “could have used any commercial VPN network, but chose to do so with ours” and has now had their account “terminated.” Hola’s millions of users, though, might not be comforted by this news. At the time of writing, the company has not responded to The Verge’s request for comment.