Chinese-Controlled VPNs: The Trojan Horse in Your Pocket
A fifth of the most popular iOS VPN apps are quietly controlled by Chinese companies, including one blacklisted by the U.S. military. The deception runs deep, routed through shell firms and foreign registrations to obscure links to Beijing.
If you're using a mobile VPN from the App Store, there’s a significant chance you're routing all your internet traffic through a Chinese-controlled network—and you’d never know it. According to a report from the Tech Transparency Project (TTP), up to 20% of the top 100 iOS VPNs in 2024 are controlled by Chinese firms, some with ties to the People's Liberation Army. One of them, Qihoo 360, is not only classified as a military-linked entity by the U.S. Department of Defense but is also listed on the U.S. Commerce Department's Entity List for national security threats.
Qihoo 360 acquired Lemon Seed, a shell company used to control multiple VPN brands like Turbo VPN, VPN Proxy Master, and Thunder VPN—all marketed deceptively, including to Spanish-speaking U.S. users trying to bypass restrictions on TikTok, another Chinese-owned data siphon. Lemon Seed itself is registered in the Cayman Islands, masking its origin and operations. TTP’s findings suggest the relationship between Qihoo and these VPNs continues covertly, evidenced by executive overlap and patent filings tying current VPN leadership back to Qihoo.
➪ This isn't a data privacy risk. It's data exfiltration by design.
The structure is textbook obfuscation: shell companies in Singapore, Hong Kong, Belize, and even the UK act as legal proxies, but the code and policy templates trace back to China. One VPN, WireVPN, is registered in the UK but uses privacy policy text copied from Chinese law, and another product under the same brand is linked to a shell in Belize—yet both funnel user data through a network controlled by a single Chinese national.
To make it worse, these apps are Apple App Store approved. That seal of approval means nothing. Apple doesn’t vet the true ownership of app developers, nor does it care if your traffic is being harvested by foreign military-connected entities. This isn’t negligence. It’s regulatory theater.
Why this matters
A VPN isn’t just a privacy tool—it’s a complete tunnel for your data. Whoever owns the VPN owns your traffic. That includes:
- Sites you visit
- IP addresses and locations
- Login credentials and DNS requests
- Metadata on usage patterns
If your VPN provider is secretly a Chinese military-adjacent entity, you are handing over surveillance-grade intelligence every time you connect.
Theoretical Perspective
The notion that placing a company on a blacklist (e.g., the Entity List) effectively neutralizes its reach is a farce. Qihoo 360's post-blacklist asset sale in 2025, dubbed “Project L,” appears designed to preserve operational control while scrubbing public affiliations. The TTP discovered the new director of one of the post-sale VPN firms is a former Qihoo general manager. It's a shell game, and regulators either can’t follow—or don’t want to.
Final Word
The U.S. government warns about TikTok while allowing App Store VPNs owned by the same national security threats to dominate the market. This isn't inconsistent policy. It’s controlled opposition. Users who want actual privacy need to look outside of mass-market platforms and vet services based on jurisdiction, ownership transparency, and open-source verification.
Want real privacy? Start by assuming any app in Apple’s App Store is compromised unless proven otherwise.
