Honeygain (and the risks)

2021, Sep 01    

One of the more recent advertisements I have seen has been that of the Honeygain service (no doubt similar in name to the Honey service for automated discounts in your browser), whereby you earn money for letting a locally installed agent use your internet connection in the background. While this is simple in principal, is this a good idea? More importantly, is it safe?

The Premise

Honeygain is described as a way to generate income passively, using your internet connection by trusted partners to allow them to bypass any regional restrictions/censorship (so far so good). An example around a business that wants to check the price of a service in different regions to see how they differ is detailed, which again makes sense as its common knowledge that the booking of flights in the USA is cheaper in certain states depending on your origin/destination. While some information and examples are presented, sadly they are limited in detail. A frustrating part from an end-user perspective is not seeing a clear diagram/list of steps for how one of their trusted partners uses the service. Given there is a significant difference between sending a request via a REST API which is then validated to ensure its legitimate and isn't malicious, versus being handed details to a proxy whereby you can do what you want with very little checking, not having this information should raise concern in anyone thinking of using the service.


The Honeygain agent can be installed on a mix of platforms, no doubt trying to ensure a wide user-base. Installing in a container (Docker) is also supported, to which I haven't been able to decide if its to cater for enterprise users or for those running NAS platforms at home (most likely the latter). The installation process is simple (regardless of the method chosen), with very little required from a setup perspective. The CPU/RAM usage also appears quite low, though with their Android app (not in the app store which is somewhat suspect) its not too surprising given the more resources consumed the more likely the agent will be terminated. There is no iOS option available (yet, though there may be one in beta going by Reddit), which begs the question if its due to the way iOS works with background tasks or if its due to problems with the vetting process.


As with anything sharing your internet connection (guest WiFi is no different), the question of accountability is raised. The agent is connecting to external systems using your connection, and while you see 'activity' in the dashboard (if its working), how do you know what the agent is really doing? To trace this within my test environment the firewall logs are captured (as the agent is in its own isolated part) which provides a breakdown of each outbound connection the agent has performed (and some introspection details where applicable). Doing this reveals some interesting results, given the Honeygain dashboard after multiple days still shows as zero bytes used, while connections to over 600 distinct destination IP addresses (all with data) have gone through the firewall. It also reveals that traffic isn't just to websites as connections to multiple mail servers were also detected. Added to this, the public-facing IP address used for testing was subsequently added to the Spamhaus blocklist due to bad mail behaviour (thankfully easily removed), but it does go to show that the level of tracking isn't adequate enough. A support ticket was raised to question why the dashboard still shows zero bytes, however at time of writing no answer has been provided (simply two responses of 'we are investigating this').

Their dashboard states zero bytes, but my own tracking disagrees


Taking a look at Reddit (see here shows some of the technical 'challenges' that users have faced. The issues of those using the Docker image and showing zero bytes is shown (by someone other than me), as are users questioning why when they are near to payout threshold the traffic sent via their connection suddenly drops (delaying them getting paid). The list of complaints goes far back, nestled between an occasional post from a moderator. For an established company with an agent available on multiple platforms these types of issues shouldn't exist, and typically are handled by a support team (rather than users venting their frustrations in a public forum).

Potential Misuse

One topic that I've not seen covered/discussed on either website or within Reddit is how they handle misuse from the user side. Thinking back to the Docker container that is lightweight and can easily be spun up, I'm reminded of how hackers were installing bitcoin mining software on compromised NAS devices across the internet, with a view of while painfully slow you can counteract that by using a larger number of devices. With Honeygain, the potential to install the container on a compromised device and leave it idling in the background generating money for a malicious actor is more feasible, as there is little additional heat/power consumption, only additional internet usage (which depending on the scale might go unnoticed). While there are a few technical challenges at present (most NAS devices run ARM/MIPS CPUs while the Docker binary is for x86 for example) they are something that can be easily overcome by those with enough motivation. There is no discussion as to how this type of misuse is detected/prevented, begging the question of is this something they would be concerned about? From their side, they didn't install the agent and in theory the traffic is non-malicious and should bring no legal issues to the owner of the network connection, so generating money from those who use the services is a somewhat grey area.


While the concept of Honeygain (when used correctly) is nice in principal, bad tracking of data used (seemingly for a while now), their inability to respond to a support ticket questioning the lack of data usage tracking in a timely fashion, and the possibility of it being used for nefarious purposes should be an immediate turn-off for anyone. This technology has the potential to tangle you in legal issues if their service is misused by one of their business users, and for the small amount of financial gain it's a hefty price to pay.

TL;DR: Don't install it and save yourself a potential legal headache

Update (2021-09-02)

The support ticket was finally answered and resolved, with both the usage and balance subsequently showing, however the response of the issue still leaves a lot to be desired (not to mention how the issue still exists given its not the first time its been reported by someone). Despite the usage and balance now showing, I'd still not recommend using the service given the points discussed earlier.