2026-06-09 · ret2libc

Anatomy of a fake no-logs VPN

One string

lea rdi, [rip+0x3a91c]   ; "tlm.shadow-metrics.net"

That's it. That's the whole story. A telemetry endpoint baked into the binary, contacted on every DNS resolution, shipping the query name and a stable client UUID.

Why static analysis caught it

The marketing site can say "no logs." The binary cannot lie about what host it connects to; at most it can make the hostname harder to find (obfuscated strings, a name assembled at runtime), and this one didn't bother: the endpoint sits in plaintext in the string table. Strings to spot the name, xrefs to find the code that loads its address, a breakpoint on dns_resolve to watch the query name go out. Twenty minutes of work, one critical finding, peer-reviewed and paid.
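The strings-then-xrefs step described above, as an added example that is not the author's tooling: it pulls DNS-name-shaped strings out of a blob and then scans for `lea rdi, [rip+disp32]` instructions (encoding `48 8d 3d disp32`) whose RIP-relative target lands on one of them. It assumes a flat image where file offset equals virtual address (a real ELF or PE needs section mapping), only that one `lea` encoding, and a constructed sample blob with a hostname planted at 0x100 standing in for the VPN binary.

```python
import re
import struct

# Constructed sample "binary": NOP padding, one `lea rdi, [rip+disp32]` that points at
# a string planted at offset 0x100, then a small string table. Not a real VPN client.
def build_sample() -> bytes:
    strings_off = 0x100
    text = b"\x90" * 16                        # NOP padding before the instruction
    lea_off = len(text)
    # RIP-relative displacement is measured from the end of the 7-byte instruction.
    disp = strings_off - (lea_off + 7)
    text += b"\x48\x8d\x3d" + struct.pack("<i", disp) + b"\xc3"   # lea rdi,[rip+disp32]; ret
    blob = text.ljust(strings_off, b"\x00")
    blob += b"tlm.shadow-metrics.net\x00"      # the telemetry endpoint
    blob += b"%s/config.json\x00"              # printable, but not a hostname
    blob += b"api.example-vpn.com\x00"         # a second hostname, to show the filter is generic
    return blob

# A conservative DNS-name shape: lowercase labels joined by dots, alphabetic TLD.
HOST_RE = re.compile(rb"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}")

def find_hostnames(data: bytes, min_len: int = 6) -> dict:
    """Return {offset: hostname} for printable runs that look like DNS names (the `strings` pass)."""
    found = {}
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        if HOST_RE.fullmatch(m.group()):
            found[m.start()] = m.group().decode()
    return found

def find_lea_rdi_xrefs(data: bytes, targets) -> dict:
    """Return {target_offset: [instr_offset, ...]} for `lea rdi,[rip+disp32]` whose target is in
    `targets` (the `xrefs` pass). Assumes file offset == virtual address; only 48 8d 3d is decoded."""
    xrefs = {}
    for m in re.finditer(rb"\x48\x8d\x3d", data):
        off = m.start()
        if off + 7 > len(data):
            continue
        disp = struct.unpack_from("<i", data, off + 3)[0]
        target = off + 7 + disp
        if target in targets:
            xrefs.setdefault(target, []).append(off)
    return xrefs

if __name__ == "__main__":
    blob = build_sample()
    hosts = find_hostnames(blob)
    for target, sites in find_lea_rdi_xrefs(blob, hosts).items():
        for site in sites:
            print(f"{site:#x}: lea rdi, [rip+...]  ; \"{hosts[target]}\" @ {target:#x}")
```

The output for the sample is one line, the same shape as the disassembly at the top of the post. On a real binary the hostname list is the triage queue: every name with a code xref is a host the client will actually talk to, whatever the marketing page says.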

The lesson isn't that this one VPN is bad. It's that you couldn't have known without someone reading the binary.