The FBI warning on free online file converters, explained

What the FBI actually said

On March 7, 2025, the FBI Denver field office published an advisory after seeing a rise in a specific scam: criminals stand up free online document and file converter tools, or downloader tools, that really do perform the conversion, while quietly installing malware on the victim's computer. The advisory noted these tools may claim to convert one format to another (a .doc to a .pdf, for example), combine files (several .jpg images into one .pdf), or act as an MP3 or MP4 downloader.

The malware can steal sensitive information: login credentials, financial details, and other personal data, which opens the door to identity theft and financial loss. In some incidents the infection led to ransomware. The advisory was widely corroborated by reputable security press, including BleepingComputer, Help Net Security, Malwarebytes, and Bitdefender. The FBI's recommendation was practical: be cautious with free online converters, keep antivirus updated, and report incidents to the FBI's Internet Crime Complaint Center (IC3).

What it did not say

It is worth separating the advisory from the scarier headlines it produced. The FBI did not ban online file converters, and it did not say that every online converter is malware. The warning is about malicious and fake converter sites set up by criminals, not about the established, reputable services that millions of people use.

The genuinely difficult part is the one the advisory highlights: a malicious converter behaves exactly like a legitimate one. It takes your file, returns a converted file, and looks completely normal, which is precisely why the malware goes unnoticed. That makes a bad site hard to tell apart from a good one by eye, which is the real lesson: you cannot judge safety from how well the tool appears to work.

The deeper issue: upload-and-trust

Underneath the malware story is a structural point. A server-based converter requires you to upload your file to a machine you do not control, and from that moment you are trusting an operator you usually cannot verify, with your file and with whatever metadata rides inside it. Even with a completely legitimate service, that is a trust relationship: their security, their retention policy, their good faith.

The FBI advisory is the sharp end of that trust requirement. When the operator is malicious, the upload is the attack surface. When the operator is honest, the upload is still a copy of your file on someone else's server. For a throwaway file that may be fine; for an ID scan, a contract, or financial paperwork, it is exactly the situation you want to avoid.

How to convert files safely after the warning

A few concrete habits sharply reduce the risk. Prefer reputable, well-known tools over a random site you found thirty seconds ago in a search ad, since malicious converters often spread through lookalike domains and ads. Keep your operating system and antivirus updated so a drive-by install is more likely to be caught. For sensitive files, use software that runs on your own machine, such as your operating system's built-in export (macOS Preview, the Windows Photos app), or established offline tools.

The strongest structural fix is to use a converter that runs entirely in your browser, so your file is never uploaded in the first place. With nothing uploaded, there is no server to deliver malware from your file's round trip and no operator to trust with your data. And you do not have to take the claim on faith: load the page, switch on airplane mode, and convert; if it works offline, nothing was uploaded. Or open your browser's Network tab and confirm no request carries your file. The full method is on the guide to verifying a converter does not upload your file.

hushvert's structural answer (and its honest limits)

hushvert was built around exactly this problem. For the conversions a browser can do (images including HEIC, audio, archives, and PDF page operations), the work runs on your own device in WebAssembly and the file never leaves your browser. That removes the upload, and with it the data-theft vector the FBI advisory describes, for those conversions. The no-upload behavior is verifiable in airplane mode or the Network tab, and a test in our build pipeline fails the release if any file byte leaves the browser during a client-side conversion. The conversion engine is open source under the MIT license, so the behavior is auditable rather than asserted.

The honest limit: a few conversions genuinely cannot run in a browser (office documents to PDF, PDF to Word, large video), and those run on a clearly labeled server lane that does upload over an encrypted connection, with the file deleted shortly after. We label that before you start, so you always know whether a given file will leave your device. The point is not that uploading is evil; it is that no-upload should be the default for the conversions that can do it, and it should be something you can check.

The takeaway

The FBI advisory is real, it is specific, and it is worth taking seriously, but the right response is informed caution rather than alarm. Online converters are not all malware; the risk is that malicious ones are indistinguishable from legitimate ones by appearance, and that any upload is a copy of your file on someone else's server. Use reputable tools, keep your defenses current, and for anything sensitive prefer a converter that runs on your own device and lets you verify that your file never left it.

Keep reading

• How to verify a converter does not upload your file
• Are online file converters safe?
• Which file converters upload your files?
• Private file converter
• File converter FAQ

Common questions

Did the FBI ban online file converters?

No. In March 2025 the FBI Denver field office issued an advisory warning that some free online file-converter and downloader tools deliver malware and steal data, and it recommended caution and reputable tools. It was a warning, not a ban, and it targeted malicious or fake converter sites rather than established services.

Are all online file converters malware?

No. The scam the FBI described involves malicious or fake converter sites set up by criminals. The established, reputable services are real companies. The difficulty the advisory highlights is that a malicious converter usually works exactly like a legitimate one, so you cannot tell them apart by how well they appear to convert your file.

How do I avoid a malicious file converter?

Prefer reputable, well-known tools over a random site from a search ad, keep your operating system and antivirus updated, and for sensitive files use software that runs on your own machine. The strongest structural fix is an in-browser converter that never uploads your file, which you can verify by converting in airplane mode or by watching your browser's Network tab.

What did the FBI actually recommend?

Be cautious with free online converter and downloader tools, keep antivirus software updated so a malicious install is more likely to be caught, and report incidents to the FBI's Internet Crime Complaint Center (IC3). The advisory was corroborated by security outlets including BleepingComputer, Help Net Security, and Malwarebytes.

Does hushvert protect against this?

For the conversions a browser can do (images including HEIC, audio, archives, and PDF page operations), hushvert runs the work on your own device, so your file is never uploaded and there is no server round trip to carry malware or steal data. You can verify the no-upload behavior in airplane mode or the Network tab. A few conversions that a browser cannot do use a clearly labeled server lane that does upload; the interface tells you before you start.