A view from Intercity's Vulnerability Analyst
There is a lot of noise right now about VPNs and young people. The UK Government has launched a three month consultation looking at child online safety, which includes examining how VPNs are used to bypass protections. The House of Lords has also voted in favour of banning VPNs for under eighteen year olds while the debate continues in the Commons. None of this is final, but the discussion is active and evolving. [techradar.com], [tomsguide.com]
This article is not about the politics or whether any proposed restriction is right or wrong. I am here to talk about the technical reality behind what happens when legitimate privacy tools become harder to access and why we see immediate spikes in risky behaviour when legislation changes.
When the Online Safety Act came into force in July 2025, we saw VPN use in the UK skyrocket almost overnight. Some providers reported an eighteenfold increase in daily sign ups as people attempted to route around new age verification blocks. VPN apps dominated the top of the UK App Store. [telegraph.co.uk]
That behaviour matters because when people grab whatever VPN appears first, especially a free one, they often end up funnelling their entire internet connection through infrastructure controlled by an attacker.
Before you react to the headlines, understand the mechanics.
A VPN is often described as a secure tunnel. What most people miss is this part. Whoever operates the VPN endpoint controls the exit of that tunnel. Every request your device makes enters the tunnel, exits through the VPN server and then travels across the internet.
That means the VPN operator can see:
A reputable, audited provider earns trust by not abusing that visibility.
A malicious or unsanctioned provider sees it as an opportunity.
In our penetration testing and threat modelling work, we regularly recreate the techniques used by malicious VPN operators. The attack surface is simple but powerful.
The TechRadar coverage highlights a key government concern. VPNs are being used to get around important protections.
It is exactly that behaviour that exposes younger users to malicious services. [techradar.com]
Patterns we see repeatedly:
Once connected, the compromise is instant. The VPN does not need to trick the user. The user gives it everything by using it.
The exploitation chain typically looks like this:
To the victim, nothing appears wrong. The VPN works. Their IP changes. The website loads. The attacker gets the rest.
Pressure on VPNs is increasing. The Lords vote, the broader consultation and the government’s intention to examine circumvention all build on the reality that the Online Safety Act has already driven significant VPN adoption.[techradar.com], [tomsguide.com], [telegraph.co.uk]
When people feel restricted, they look for workarounds. Workarounds often mean free tools. Free tools often mean malicious operators.
That pattern is predictable and attackers rely on it.
If someone genuinely needs a VPN, the safest option is to use a provider that:
A free VPN still needs to make money. If you are not paying, the revenue is usually coming from your data.
This is not a debate about legislation. It is a reminder that when legitimate tools become harder to access, people take risks. The surge in VPN use after the Online Safety Act shows exactly how fast those risks escalate. [telegraph.co.uk]
If the government tightens its approach again, adoption of unsanctioned VPNs will likely spike once more. Before anyone jumps to install the first option they see, they need to understand the technical reality.
A malicious VPN is not just a privacy tool that is ineffective. It is a full visibility tap into everything you do online.
If in doubt, treat the VPN as hostile until proven otherwise.