I looked into where your files go when you “Convert” them online. It’s worse than you think.

Mike Taylor — Sun, 22 Feb 2026 19:22:19 +0000

Last year I needed to sign a PDF. A rental contract.

I didn't think about it. Googled "sign PDF online." Clicked the first result. Uploaded my contract. Added my signature. Downloaded the signed file. Closed the tab.

Then I wondered: where did my signed contract just go?

I'm a developer. I build web tools for a living. So I started digging.

What I found is the reason I spent the past month building my own converter.

The FBI called this "rampant"

In March 2025, the FBI Denver Field Office issued a public warning about free online file converters. Not a vague advisory. A proper warning, from an assistant special agent who used the word "rampant."

Here's the thing: some of these converters actually work. They convert your file. You get your PDF or JPEG. Everything looks normal.

But the output file has malware baked in. Invisible. Already on your machine.

And while your file sits on their server? They scrape it. Social security numbers. Bank details. Passwords. Crypto wallet seeds. Whatever the document contains.

Security researchers at CloudSEK identified specific malicious sites: docu-flex.com, pdfixers.com, candyxpdf.com. That last one impersonated a well-known legitimate converter. Thousands of people visited it in a single month before it got taken down.

Malwarebytes confirmed more fake converter domains distributing malware: imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com.

These sites show up in normal Google searches. You wouldn't know they're dangerous until it's too late.

MIT tells its people: don't use them

Not "be careful." Not "pick trusted ones."

MIT's IT department published a notice telling staff and students to not use online file converters. Full stop.

This is MIT. Not your paranoid uncle.

OK but that's the criminals. The "real" converters are fine, right?

I thought so too. Then I looked at the trackers.

I used Ghostery's WhoTracks.Me database. It's public, independent, and anyone can verify the numbers. Here's what I found on some of the biggest names in the space:

One of the most popular file converters on the internet loads 40 unique trackers on its pages. 7.42 trackers on average per page. Facebook's tracking pixel fires on 70% of page loads.

What does Facebook learn from that? Not the content of your PDF. But it knows you visited. It knows you uploaded something. It builds a behavioral profile: this person signs rental contracts on Tuesday evenings. That goes into an ad auction. You might start seeing ads for accounting software and you'll never know why.

Amazon Advertising. Criteo. Media.net. AppNexus. All loading in the background while you compress a photo.

Another popular PDF tool, one that markets itself as privacy-focused and ISO certified, loads 24 trackers. Microsoft Advertising on 65% of page visits.

And the one that surprised me most? An image compression tool that people recommend all the time as "the clean option." 75 unique trackers. PubMatic, AppNexus, The Trade Desk, Magnite, Taboola. More trackers than the one with the bad reputation.

Even the cleanest mainstream converter I found still had 16.

77 million people found out the hard way

In 2020, a PDF service called Nitro got breached. 77 million user records. Email addresses, full names, hashed passwords, company names, IP addresses.

It gets worse.

The hacker group ShinyHunters claimed they also stole 1 terabyte of actual user documents. BleepingComputer reported that document titles in the breach revealed files from Google, Apple, Microsoft, Chase, Citibank. Corporate strategies, pricing documents, product research.

The database was auctioned on hacker forums. Then leaked publicly.

Nitro's first response? They told the Australian Stock Exchange it was a "low impact security incident" with "no customer data impacted." UpGuard's analysis proved that wasn't true.

Different kind of scam. Less dramatic. Way more common.

A site called online-file-converter.com charges €0.50 for a single conversion. Sounds fair, right? Except that payment quietly enrolls you in a €47.90/month subscription.

Forty-eight euros a month. Because you converted one file.

Trustpilot is full of people who discovered the charges months later. No reminder email. Confirmation landing in spam.

Most converters delete files within a few hours.

But one well-known converter, millions of users, operating since 2006, keeps your uploads for 7 days.

A full week. Your tax return, your medical records, your rental contract, sitting on someone else's server. I couldn't find a good explanation for why.

The SEO poisoning trick

There's a malware family called Gootloader. It targets file converter search queries specifically.

The technique is called SEO poisoning: manipulating Google results to push malicious sites to the top. You search "convert PDF to Word free." You click a result that looks perfectly normal. You download what looks like your converted file. It's actually a JScript payload that installs a backdoor on your machine.

Red Canary ranks Gootloader in its top 10 threats. It can drop banking trojans, Cobalt Strike beacons, or ransomware. And its main way in? Fake document tools sitting in Google Search results.

The more you search for file converters, the more you're exposed to malware pretending to be one.

So how do free converters pay the bills?

Nobody seems to ask this question.

Servers aren't free. Bandwidth isn't free. Processing millions of conversions costs real money.

If there's no subscription and no paywall, the money comes from advertising. Your upload page is an ad impression. Your conversion page is another one. Your download page is a third. Three page loads, three ad views, dozens of trackers firing each time.

The underlying tech has been free for decades. ImageMagick, FFmpeg. Converting a HEIC to JPEG takes about 200 milliseconds of server time.

You're not the user. You're the inventory.

So I built something else

I'm not going to pretend I'm saving the world here. I built a file converter. The technology itself isn't new.

But I built it with rules I wish existed everywhere:

No account. Upload a file. Get a file. Done.

No ads. An upload button and a download button. That's the whole page.

No trackers. I use Umami for analytics. It doesn't collect personal data. No Google Analytics. No Facebook pixel. No session recording. No fingerprinting. Zero trackers on WhoTracks.Me.

Files gone within 24 hours. Automatically deleted. I don't want your files and I have no reason to keep them.

One file is always free. Not "free trial." Not "free with watermark." Not "free but give us your email." Just free.

If you need to convert 50 files at once, that costs €1. One euro. One time. No subscription.

The honest part

The SEO competition in this space is insane. Search "compress image online" and you'll see sites with domain ratings above 80, backed by millions in venture capital, with a decade of backlinks. I'm one person. I'm not going to outrank them in English. Probably not this year, maybe not ever.

But I keep thinking about the person uploading a medical form at 11pm on a Sunday. Or the job applicant who needs to shrink a photo to 2MB for an application portal. Or someone merging PDFs for their landlord.

Those people don't know about the trackers. They don't know about the malware in the search results. They just need their file to be smaller or in a different format.

At the very least, I built something I can use myself and point my friends and family to without worrying about what happens to their files.

myfiletool.com. 96 conversion tools. 30+ formats: HEIC, RAW photos, PSD, WebP, AVIF, PDF merge, image compression. Available in 16 languages.

I'm also building a full PDF editor. Edit text, fill forms, annotate pages, all in the browser. No install, no Adobe subscription.

Maybe nobody will use it. Maybe this post disappears and nobody reads it.

But at least when someone asks me "where did my file go?" I have an honest answer.

Nowhere. It's already deleted.

Sources: FBI Denver Field Office · MIT IT · CloudSEK · Malwarebytes · BleepingComputer · UpGuard · Have I Been Pwned · WhoTracks.Me · Red Canary · Zamzar Privacy Policy · Trustpilot

DEV Community: Mike Taylor