Hola, the Popular Chrome Extension, Sold Users’ Bandwidth for DDoS Attacks

May 29, 2015 Updated: August 16, 2017

If you don’t pay for the product, the old adage goes, you are the product. 

Numerous users of Hola, the popular Chrome extension that allows you to watch blocked videos from other countries, were in for that rude awakening this week: the company had been discreetly selling its users’ bandwidth as a botnet service, without their knowledge, through a separate Luminati website.

Luminati operated as a premium virtual private network (VPN), but unlike traditional services, it used the networks harvested from Hola users instead of private servers. The operation attracted attention after someone purchased large amounts of traffic on Luminati to launch a distributed denial-of-service (DDoS) attack against 8chan, a splinter group from the more popular 4chan image-board.

“In the past week … 8chan was hit by multiple denial-of-service attacks from [the Hola] network,” reads a note on the site. “Hola was created by the Israeli corporation Hola Networks Limited at the end of 2012, and at first was just the VPN service. However, Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet.”

Hola boasts 46 million users worldwide. 

Hola users vented their outrage on Reddit—not about the attack on 8chan, but the surreptitious deployment of user bandwidth. Hola made its users serve as exit nodes in the Luminati VPN network, which meant that if a Luminati customer viewed or shared illegal content—be it copyright infringement, videos of child abuse and pornography, or instigations of terrorism—the IP address could be traced back to a Hola user, who might be subject to a police raid.

“To be an exit node on TOR, you have to willingly volunteer, so you would take the necessary precautions, but here, Hola forces you to be an exit node,” one user wrote. “Long story short, bad things could potentially happen. Also, they’re selling your network for this purpose without your permission.”

“That’s just evil,” another Redditor posted.

It appears that a majority of Hola’s users were unaware that their bandwidth was harvested for the Luminati VPN, but Hola’s founder maintains that the company has been transparent about its methods.

“We have always made it clear that Hola is built for the user and with the user in mind. We’ve explained the technical aspects of it in our FAQ and have always advertised in our FAQ the ability to pay for noncommercial use,” Ofer Vilenski, the founder of Hola, told Torrent Freak.

However, a history of Hola’s FAQ page showed that a lengthy explanation of the peer-to-peer nature of its service appeared first on May 27, after the note describing its practices was posted on 8chan. Previous versions of the FAQ as recently as March only make brief allusions to “peer to peer technology” and “sharing the idle resources,” omitting any explanations about the risks of volunteering your IP as an exit node in a VPN.

The DDoS attacks on 8chan have stopped, but the website’s founder Fredrick Brennan has criticized Hola for trying to cover its tracks by changing the FAQ pages hours after Brennan posted the note on Twitter.

Hola is not the first instance of the mass deployment of users’ bandwidth in DDoS attacks without their consent. Online hackers routinely hijack computers infected with malware for that purpose. For example, the Chinese Communist Party has used the Great Firewall, which can redirect the traffic of Chinese Web users, to attack pages on GitHub that had hosted content criticizing the regime’s censorship practices.

Hola has been contacted to explain how it informs its users about their participation in a commercial VPN network, and any response will be posted in an update to this story.