There is not a single way in which VPNs work, there are a few different types. However, there are some general things we can say about VPNs. First of all, if they are low latency they are weak to the general anonymity attacks against all currently known low latency anonymity systems. This means that they provide anonymity from passive attackers by making it difficult for them to see where your traffic enters AND exits. If an attacker can see the entry AND exit of your traffic, they can deanonymize you regardless of the sort of VPN you are using or if the VPN nodes themselves are compromised. This deanonymization attack can also be carried out regardless of the number of intermediary nodes that you route your traffic through from entry to exit. If an attacker can not simultaneously monitor your entry and exit points, they will need to either work their way from your exit point to your entry point (if they are, for example, the website you are visiting, or someone who is monitoring it), or from your entry point the the exit point (if they are watching you and trying to determine which website you are visiting). This is speaking strictly in terms of what I would call signals intelligence, there are attacks that can identify pre-fingerprinted websites through the encryption that is provided by the *overwhelming majority* of VPN providers, and this could allow such an attacker to determine the website you are visiting even if they can not observe your actual exit traffic. With many VPN providers they will offer a limited number of entry and exit points. An attacker going against these services is less concerned with middle nodes. For example if you use a provider with many nodes that only allows entery with a node in USA and exit with a node in Netherlands, the attacker doesn't necessarily need to get logs from the middle nodes if they can identify the provider who owns the exit you are using and determine which entry you must have used. So in these cases a true back or forward trace of logs may not be required as the attacker knows where the logs they are really interested in are stored already. The anonymity of a VPN is largely provided by how the provider is structured. If the nodes you are using are in ten different countries but are owned by a provider in USA, a single warrant in USA is probably all that is required to compromise all ten of their hops. Some of the better VPN providers have structured themselves in such a way that a warrant is required to the operator of each hop, and this is certainly advantageous from a legal resistance perspective. At the end of the day, a VPN can provide anonymity that is fed resistant. This can be seen by simple open source intelligence gathering, there have been numerous cases where the botnet operator could not be traced until they forgot to use VPN. Of course, one must also take into consideration the fact that misinformation could be being fed through open source channels, giving the impression that the botherder forgot to use VPN when in reality their VPN was compromised. However, at the end of the day there are no cases of people who used Tor being traced by law enfocement, and there are thousands of cases of people who used VPN providers being traced by law enforcement. It is largely a matter of time for either of these solutions, eventually you can be traced. Even with extremely anonymous solutions such as mix networks it is largely just a matter of time before a global passive attacker deanonymizes you, unless there is constant rate cover traffic. And low latency solutions provide absolutely no protection from global passive attackers. It is really an enormously large topic and I am going to need you to ask something more specific than "how does vpn work and how is it anonymous" to give you a good answer, without typing out a very large amount of information, especially as you apparently would need a large amount of terminology explained to you before the merits of a VPN can be properly analyzed.