Since it’s a peer-to-peer VPN, users in one place (say, Europe) that want to “appear” in another place (like America) are essentially routed through a user in their desired location. That means, unless you pay for Hola premium, you act as an “exit node” for other users, similar to services like Tor.
Unlike Tor, however, Hola users can’t opt out of being an exit node in the free version. The problem with being an exit node, of course, is that when someone is connected through you and does something illegal or against your ISP’s terms of service, you could be held accountable—and since Hola makes no promises to encrypt your traffic, it carries the same risk that using a service like Tor does (even if that risk is slight.)
This would all be fine if you were just an exit node for other users, but it turns out that Hola has been aggregating and selling the bandwidth of its user “exit nodes” through a service (which Hola also owns) called Luminati. This means anyone who wants to can essentially buy the bandwidth of Hola users, then direct it as they see fit—and that’s what one user did. He bought up a ton of bandwidth from Luminati and used it to attack anonymous message board 8chan. Hola says this was a mistake, and the user just got through their screening process, but you can see why this is incredibly sketchy behavior.