Tuxler: 200,000 Chrome Users Are Running an Open Residential Proxyware

A "free residential VPN" on the Chrome Web Store recruits every user as a proxy exit node for its commercial customers. Your IP becomes a forwarding address for traffic you cannot see, audit, or filter.

Ali Mosajjal
Tags: proxyware, browser-extensions, chrome, vpn, residential-proxy, research


[Illustration: network mesh of 60+ minimal household silhouettes scattered across a dark background, with thin amber arrows from each home converging on a single off-canvas point]

Residential VPN | Tuxler (scorecard, marketplace id jpgljfpmoofbmlieejglhonfofmahini) has 200,000 active Chrome installs. It's marketed as a free VPN. The way it's "free" is the part nobody installing it seems to understand: every free-tier user becomes a residential proxy exit node for someone else's traffic. Tuxler then sells access to that pool of residential IPs to paying B2B customers. The free user gets a VPN. The paying customer gets your home IP address to route traffic through.

This is the residential-proxy model. It's the same model behind Honeygain, IPRoyal Pawns, EarnApp, Bright Data's mobile SDK, and a dozen others. Tuxler is the unusually honest version, where they don't bother pretending to pay you for your bandwidth. They just give you free VPN access and quietly enroll your IP in the network.

This post is about why that's bad for the user, what the analyzer found inside the bundle, and what to do about it.

How the residential-proxy trade actually works

A residential proxy is what data buyers call any internet endpoint that looks, from the outside, like a normal home internet connection. Residential IPs are valuable because most anti-bot, anti-fraud, and access-control systems on the internet trust them more than they trust datacenter IPs. You can rent residential IPs from companies that maintain pools of them; the going rate is a few dollars per gigabyte of traffic. That market exists because the use cases are wide and not all of them are nice.

The boring half of the market: web scraping, ad verification, brand monitoring, sneaker reseller bots, market intelligence. Sketchy but mostly legal.

The other half: credential stuffing, automated account creation, scraping content people don't want scraped, ban evasion, click fraud, sock-puppet networks, and, in the long tail, anything that benefits from making one machine look like ten thousand different homes. Often outright illegal.

The pool of residential IPs comes from somewhere. In Tuxler's case, it comes from the 200,000 Chrome users who installed a free VPN. Their home IPs are now forwarding endpoints in a commercial proxy network. When a Tuxler B2B customer sends traffic through the network, the traffic exits the internet from a free user's home address. The traffic content, destination, and legality are entirely at the discretion of whoever is paying Tuxler, and the free user has no visibility into any of it.

If that traffic is illegal in the user's jurisdiction, the trace from law enforcement, the abuse complaint from the targeted site, the ban from a service the user actually uses — all of that lands at the free user's address.

What we found in the bundle

The Risky Plugins analyzer pulled 65 distinct findings from Tuxler 3.1.26. They cluster in one YARA family: postinstall_*. The rules in that family fingerprint the code shape of post-install malware and proxyware recruitment payloads. The family includes postinstall_network_communication, postinstall_file_download, postinstall_persistence_mechanism, postinstall_obfuscation, and several siblings.

A clean extension does not trip the postinstall_* family. A residential-proxy SDK trips multiple rules in it. Tuxler's bundle produces 65 findings across the family. That's because the code is doing exactly what the rules are looking for: opening persistent connections, registering background work that survives a browser restart, downloading and executing configuration from a remote server, and obfuscating the proxy traffic to evade naive network monitoring.
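To make those four behaviours concrete, here is a small static triage script. It is an added example written for this post; it is not the Risky Plugins analyzer and the postinstall_* YARA rules are not reproduced here. It walks an unpacked extension's manifest and JavaScript for the same kinds of indicators: persistent-connection APIs, work registered to survive a restart, remotely fetched configuration handed to the proxy API, and encoded payloads. The sample bundle it runs on is constructed for the example and is not Tuxler's code. The patterns are heuristics and will both miss and over-match on real extensions.

```python
import re
from typing import Dict, List

# Illustrative indicator patterns written for this post. They approximate the
# four behaviours described above and are NOT the Risky Plugins postinstall_*
# YARA rules, which are not reproduced here.
SOURCE_PATTERNS: Dict[str, List[str]] = {
    "persistent_connection": [r"new\s+WebSocket\s*\(", r"new\s+EventSource\s*\("],
    "survives_restart": [r"chrome\.runtime\.onStartup\.addListener", r"chrome\.alarms\.create\s*\("],
    "remote_config": [r'''fetch\s*\(\s*["']https?://''', r"chrome\.proxy\.settings\.set\s*\("],
    "obfuscation": [r"(?:\\x[0-9a-fA-F]{2}){4,}", r"String\.fromCharCode\s*\(", r"atob\s*\("],
}

# Permissions that let an extension act as a proxy endpoint or keep background
# work alive. Any one of them is normal on its own; the combination is not.
PROXY_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking", "alarms", "<all_urls>"}


def triage(manifest: dict, sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {category: [evidence, ...]} for one unpacked extension bundle.

    manifest: parsed manifest.json; sources: {relative path: JavaScript text}.
    """
    findings: Dict[str, List[str]] = {}
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    hit = sorted(perms & PROXY_PERMISSIONS)
    if hit:
        findings.setdefault("manifest_permissions", []).extend(hit)
    bg = manifest.get("background", {})
    if bg.get("service_worker") or bg.get("scripts"):
        findings.setdefault("survives_restart", []).append("manifest: background script registered")
    for path, text in sources.items():
        for category, patterns in SOURCE_PATTERNS.items():
            for pat in patterns:
                for m in re.finditer(pat, text):
                    line = text.count("\n", 0, m.start()) + 1
                    findings.setdefault(category, []).append(f"{path}:{line}: {m.group(0)[:40]}")
    return findings


def looks_like_proxyware(findings: Dict[str, List[str]]) -> bool:
    """Crude verdict: the proxy permission plus at least two of the three
    behavioural categories. Tune thresholds before using this in anger."""
    behavioural = {"persistent_connection", "survives_restart", "remote_config"}
    has_proxy_perm = "proxy" in findings.get("manifest_permissions", [])
    return has_proxy_perm and len(behavioural & set(findings)) >= 2


# Constructed sample shaped like a proxyware client (not Tuxler's code).
PROXYWARE_MANIFEST = {
    "manifest_version": 3,
    "name": "Free VPN (constructed sample)",
    "permissions": ["proxy", "alarms", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
PROXYWARE_SOURCES = {
    "bg.js": (
        "chrome.runtime.onStartup.addListener(connect);\n"
        "chrome.alarms.create('keepalive', {periodInMinutes: 1});\n"
        "async function connect() {\n"
        "  const cfg = await (await fetch('https://control.example.com/cfg')).json();\n"
        "  chrome.proxy.settings.set({value: cfg.proxy, scope: 'regular'});\n"
        "  const ws = new WebSocket(cfg.relay);\n"
        "  ws.onmessage = e => relay(atob(e.data));\n"
        "}\n"
    ),
}

# Constructed clean sample: a page-colour toggle with no network activity.
CLEAN_MANIFEST = {"manifest_version": 3, "name": "Dark mode toggle", "permissions": ["storage"]}
CLEAN_SOURCES = {"popup.js": "document.body.classList.toggle('dark');\n"}

if __name__ == "__main__":
    for label, m, s in (("proxyware", PROXYWARE_MANIFEST, PROXYWARE_SOURCES),
                        ("clean", CLEAN_MANIFEST, CLEAN_SOURCES)):
        f = triage(m, s)
        print(label, looks_like_proxyware(f), f)
```

Point it at a real unpacked bundle by loading manifest.json with `json.load` and reading every `.js` file into the `sources` dict. Expect noise: `chrome.alarms` and a background service worker are ordinary in well-behaved extensions, which is why the verdict requires the proxy permission plus two behavioural categories rather than any single hit.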

You can read this as either a code-level confirmation that the marketing is honest about the product (it really is proxyware), or as evidence that the implementation is technically indistinguishable from the proxyware-as-malware bundles we see deliberately hidden inside other extensions. Both readings are true. Both are concerning.

The disclosure gap

Tuxler discloses participation in their Terms of Service. The disclosure is in writing. Legally that means consent was obtained. Practically, it means almost none of the 200,000 users understood what they were consenting to.

The Chrome Web Store listing positions Tuxler as a privacy product. The product description says it's a VPN. The word "VPN" implies the model where you encrypt your traffic and exit through someone else's IP. It does not imply the model where someone else encrypts their traffic and exits through your IP. Those are different products. They have the same name on Tuxler's listing.

The 30-second decision to install a browser extension does not typically include a careful reading of a residential-proxy disclosure buried in legalese. We know this. The proxy industry knows this. The disclosure exists because it's a legal shield, not because anyone expects users to act on it.

Risk for the user

Concrete, not theoretical:

  1. Bandwidth is consumed continuously, not only when actively using the VPN. The extension runs background workers that keep the proxy endpoint reachable. On metered or capped connections, this matters.

  2. Traffic from your IP is not auditable. You cannot see what's exiting. You cannot block specific destinations. You cannot rate-limit by category. The proxy operator decides what flows.

  3. You inherit the legal exposure of whatever uses your endpoint. If a B2B customer uses the network for credential stuffing against a bank, scraping a site that vigorously prosecutes scrapers, or anything law enforcement traces back, the IP they trace to is yours. "I had a VPN extension installed" is not a defense that prevents the knock at the door; at best it is one you argue afterwards.

  4. You inherit IP-based reputation damage. Once your home IP has been used heavily by a proxy network, it gets blocked by reputation systems. Your normal browsing on legitimate sites gets harder. CAPTCHAs everywhere. Banks flagging your sign-ins. Streaming services blocking you. This is the most common quiet harm from running residential proxyware: your IP becomes "dirty" without you knowing why.

  5. Account bans cascade. If a B2B customer creates fake accounts on a service from your IP and that service bans the IP, your real account on the same service may be banned alongside.

What to do if you have Tuxler installed

Open chrome://extensions and remove it. The marketplace listing is at chrome.google.com/webstore/detail/jpgljfpmoofbmlieejglhonfofmahini if you want to leave a review explaining the residential-proxy model to the next person reading the listing. Our full scorecard for Tuxler shows the per-finding breakdown and the AI review history.
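For more than one machine, the same check can be scripted. The following Python is an added example, not part of the original post or any Risky Plugins tooling. It walks Chrome's per-profile Extensions directory for the marketplace ID above and reports profile, version directory and name. The profile roots are Chrome's defaults on Linux, macOS and Windows; Chromium-based browsers such as Edge and Brave use the same layout under their own directories. `make_sample_root` builds a constructed profile tree so the script can be exercised offline.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Marketplace ID of Residential VPN | Tuxler, as quoted in the post.
TUXLER_ID = "jpgljfpmoofbmlieejglhonfofmahini"


def default_profile_roots() -> List[Path]:
    """Chrome's default user-data directories; each holds one dir per profile."""
    home = Path.home()
    return [
        home / ".config" / "google-chrome",                                   # Linux
        home / "Library" / "Application Support" / "Google" / "Chrome",      # macOS
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data",  # Windows
    ]


def find_installed(roots: Iterable[Path], ids: Iterable[str]) -> List[Dict[str, str]]:
    """Look for <root>/<profile>/Extensions/<id>/<version>/manifest.json and
    return one record per profile, ID and version directory found."""
    wanted = sorted(set(ids))
    hits: List[Dict[str, str]] = []
    for root in roots:
        if not root.is_dir():
            continue
        for profile in sorted(root.iterdir()):
            ext_root = profile / "Extensions"      # files like "Local State" are skipped here
            if not ext_root.is_dir():
                continue
            for ext_id in wanted:
                ext_dir = ext_root / ext_id
                if not ext_dir.is_dir():
                    continue
                for version_dir in sorted(ext_dir.iterdir()):
                    manifest = version_dir / "manifest.json"
                    if not manifest.is_file():
                        continue
                    try:
                        # Installed manifests may carry an i18n placeholder such as
                        # "__MSG_appName__" instead of a literal name; reported as-is.
                        name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "?")
                    except (OSError, ValueError):
                        name = "?"          # unreadable manifest: still report the directory
                    hits.append({"profile": profile.name, "id": ext_id,
                                 "version": version_dir.name, "name": str(name)})
    return hits


def make_sample_root() -> Path:
    """Build a constructed Chrome user-data tree in a temp dir for offline use:
    one profile with the Tuxler ID installed, one with an unrelated extension."""
    root = Path(tempfile.mkdtemp(prefix="chrome-sample-"))
    (root / "Local State").write_text("{}")
    tux = root / "Default" / "Extensions" / TUXLER_ID / "3.1.26_0"   # Chrome appends _<n>
    tux.mkdir(parents=True)
    (tux / "manifest.json").write_text(json.dumps({"name": "Residential VPN | Tuxler",
                                                   "version": "3.1.26"}))
    other = root / "Profile 1" / "Extensions" / ("a" * 32) / "1.0.0_0"
    other.mkdir(parents=True)
    (other / "manifest.json").write_text(json.dumps({"name": "Unrelated", "version": "1.0.0"}))
    return root


if __name__ == "__main__":
    for hit in find_installed(default_profile_roots(), [TUXLER_ID]):
        print(hit)
```

Run it under each user account on the machine, since every account has its own user-data directory. Extensions force-installed by enterprise policy show up in the same tree, so a hit does not by itself tell you whether a user chose it.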

If you specifically wanted a VPN browser extension, the well-known commercial VPNs (Proton VPN, Mullvad, NordVPN, ExpressVPN) operate as exit-only providers. Your IP doesn't enter their pool. You pay them in money, not in your home address.

If you actively wanted to participate in a residential-proxy network because someone is paying you for the bandwidth, products like Honeygain and IPRoyal Pawns at least pay you for what Tuxler takes for free.

What to do if you're a security or IT person

If you administer a network and you see a host under your management hitting Tuxler endpoints, that machine is enrolled. The Tuxler client phones home regularly to fetch routing instructions and keep the proxy endpoint reachable, and that beaconing is consistent enough to alert on.

If you're a site operator, hosting provider, or fraud team trying to detect residential-proxy traffic in your own service, you can't see the host's connections to Tuxler's control infrastructure from your side; that view belongs to whoever runs the host's network. What you can see is traffic from a residential IP whose patterns are inconsistent with normal residential use: request timing that doesn't match human behavior, and sometimes user agents that don't match what that residential network otherwise sends.
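Expressed as detection logic for the network-side view: the following Python is an added example, not code from the post or anything derived from Tuxler's infrastructure. It runs over flow records (start time, source host, destination name from SNI or DNS, port, duration) and flags internal hosts that either hold a long-lived TLS session to a control host or check in at machine-regular intervals. The control hostnames are placeholders, since the post does not name Tuxler's infrastructure; substitute names you observe from a host you know is enrolled. The flow records are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Set


@dataclass
class Flow:
    ts: float        # session start, epoch seconds
    src: str         # internal host
    dst: str         # server name from SNI/DNS, or IP
    dport: int
    duration: float  # seconds the session stayed open


# Placeholder control hostnames (assumption: the post does not name Tuxler's
# infrastructure). Replace with names seen from a host known to be enrolled.
CONTROL_HOSTS: Set[str] = {"control.proxyware.example", "relay.proxyware.example"}


def beacon_cv(timestamps: List[float]) -> float:
    """Coefficient of variation of the gaps between check-ins.
    Near 0 means a timer is driving the traffic; humans are far noisier."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return float("inf")          # too few samples to call it a beacon
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def enrolled_hosts(flows: Iterable[Flow], control_hosts: Set[str],
                   min_session_s: float = 600, max_cv: float = 0.2) -> Dict[str, dict]:
    """Return {src: evidence} for hosts that look enrolled in the proxy network:
    a session to a control host held at least min_session_s, or check-ins whose
    inter-arrival gaps vary by no more than max_cv."""
    by_src: Dict[str, List[Flow]] = {}
    for f in flows:
        if f.dst in control_hosts and f.dport == 443:
            by_src.setdefault(f.src, []).append(f)
    verdicts: Dict[str, dict] = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        longest = max(f.duration for f in fs)
        cv = beacon_cv([f.ts for f in fs])
        if longest >= min_session_s or cv <= max_cv:
            verdicts[src] = {"flows": len(fs), "longest_s": longest, "beacon_cv": cv}
    return verdicts


# Constructed flow records (not captured traffic):
#  10.0.0.5  one hour-long relay session plus minute-interval check-ins
#  10.0.0.6  minute-interval check-ins only, each a couple of seconds long
#  10.0.0.7  two short visits to the control host, hours apart (a human)
#  10.0.0.9  ordinary browsing, never touches the control hosts
SAMPLE_FLOWS: List[Flow] = [
    Flow(990, "10.0.0.5", "relay.proxyware.example", 443, 3600),
    *[Flow(t, "10.0.0.5", "control.proxyware.example", 443, 2)
      for t in (1000, 1060, 1121, 1179, 1240, 1301)],
    *[Flow(t, "10.0.0.6", "control.proxyware.example", 443, 2)
      for t in (2000, 2060, 2121, 2179, 2240, 2301)],
    Flow(3000, "10.0.0.7", "control.proxyware.example", 443, 5),
    Flow(9000, "10.0.0.7", "control.proxyware.example", 443, 4),
    Flow(3100, "10.0.0.9", "www.example.com", 443, 12),
    Flow(3200, "10.0.0.9", "www.example.com", 443, 3),
]

if __name__ == "__main__":
    for host, evidence in enrolled_hosts(SAMPLE_FLOWS, CONTROL_HOSTS).items():
        print(host, evidence)
```

The allowlist of control hosts carries the signal; the regularity score only ranks. Every software updater on the network also beacons on a timer, so do not run the timing check against all destinations and expect a clean result. Flow records in this shape can be produced from Zeek conn logs or NetFlow with SNI enrichment; duration is what distinguishes a relay session from a web visit to the same name.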

Closing

There is a version of "free VPN" that's a real product, paid for by ads or a freemium tier. Tuxler is not that. Tuxler is a residential-proxy network where the product being sold is the user's IP address, and the user is given a VPN client as the price for that sale. The 200,000 Chrome users currently running it are, in aggregate, a 200,000-node commercial proxy pool whose operators picked the cheapest possible way to acquire residential endpoints.

The Chrome Web Store should not be hosting this. Until that's enforced, removing it from your own browser is the only action that changes your exposure.