Main points
- 16 of the 87 most popular free VPNs in Russia have been found to be using the Yandex.Metrica analytics tool, raising concerns about potential privacy risks.
- The apps establish connections to Russian servers and users cannot turn this off, creating a constant data channel to a jurisdiction with pressure on digital rights.
Research: 16 VPNs in Russia connect to Yandex servers / Collage 24 Channel
Researchers found the Yandex.Metrica analytics tool in 16 of the 87 most popular free VPNs in Russia. The apps connect to Russian infrastructure immediately upon launch, and users cannot disable this in the settings.
Analysts from the digital freedom group RKS Global tested 87 of the most downloaded free VPN services in Russia – 69 on Android and 18 on iOS. In 16 of them, they found traces of Yandex.Metrica , an analytics service owned by Russian tech giant Yandex. This is reported by Techradar .
Why is the presence of Yandex.Metrica in VPNs a concern?
Network traffic monitoring showed that these applications were actively making requests to Russian servers regardless of which VPN server the user chose . Although the traffic was encrypted and the researchers were unable to determine what data was being transmitted, the very fact of the connection creates a structural risk.
The report notes that there is currently no evidence of information being transferred that would be sufficient to directly prosecute users. At the same time, Russian company Yandex is required to retain metadata for up to three years and provide it to government agencies upon request. This means that even without the intent to spy, a continuous data transfer channel is being formed to a jurisdiction where digital rights are under significant pressure.
Since the tool is integrated into the application's base code, the connection to the servers occurs immediately after the VPN is launched. This cannot be disabled through the client's settings.
iOS apps with detected connections include VPN-VPN Secure, VPN Fast VPN 360 unlimited, VPN – Buck Super, and Super Fly VPN 2026. On Android, the list includes Pulya VPN, Planet VPN, JumpJumpVPN, and Turbo VPN . The latter was already mentioned in the context of SDK connections to Russia and China back in August 2025.
The researchers highlighted the technical limitations of the work: the analysis only covered applications on users' devices and did not take into account the possible transfer of data directly from VPN servers to third parties.
As Techxplore writes, the report pays special attention to previous incidents. In 2021, the ” Smart Voting ” website, created by opposition forces to coordinate tactical voting, used Yandex.Metrica with the Webvisor function. The tool recorded user sessions and could potentially capture data entered. After that, RKS Global said that Yandex.Metrica is not a safe choice for those seeking protection from the Russian state.
In 2022, a Financial Times investigation revealed that Yandex was embedding data-collection code into SDKs used by thousands of developers around the world, raising concerns that even metadata could help track user behavior.
Oleksiy Kozlyuk, head of the industry association VPN Guild, explained that even a secure VPN tunnel does not guarantee complete protection if the application itself transmits data from the inside. According to him, the AppMetrica documentation provides for the collection of telemetry, which can include unique device identifiers, the IP address at the time of the event and other network characteristics. Such a digital fingerprint allows you to link activity to a specific device over time.
While these VPNs are aimed at a global audience, the risks are particularly high for users in Russia due to the active blocking and control of VPN services by the authorities .
Experts advise avoiding free “unlimited” VPNs that rely on aggressive analytics for monetization. Free alternatives with better transparency include PrivadoVPN Free and Proton VPN Free .
The presence of Yandex.Metrica in a VPN does not mean automatic tracking, but creates a permanent vulnerability that users cannot control.