
NordVPN

Serious concerns
Nord Security · 🇵🇦 Panama
Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
App: com.nordvpn.android
Manufacturer: Nord Security

⚠️ The bottom line

Someone had complete control of a NordVPN server for weeks, could see everything passing through it, and NordVPN didn't notice for over a year. They didn't tell anyone for another 6 months. NordVPN says it's based in Panama, but the owner is Dutch, employees are Lithuanian, and they have UK offices. Three of those are in spy alliances.

Legal jurisdiction
🇵🇦 Panama (headquarters)
Law 81 (2019)
Basic data protection. Enforcement weak — Panama's appeal is corporate secrecy, not privacy protection
Spying
3/4 HIGH
Is someone spying on me?
Data Sharing
2/4 MODERATE
Who gets my data?
Security
3/4 HIGH
Is it actually secure?
Honesty
3/4 HIGH
Can I trust what they say?
CONFIGURE: High-risk areas that can be partially mitigated with settings changes.
8 Contradictions
1 Critical
4 High
3 Medium
5 Sources
Findings by concern
Spying 3/4 HIGH 2 findings
⚡ high · regulatory findings vs policy claims
NordVPN says it's based in Panama, but the owner is Dutch, employees are Lithuanian, and they have UK offices. Three of those are in spy alliances.

What they claim: 'Based in Panama' -- outside surveillance alliances.

What we found: Panama is only the VPN subsidiary. Parent Nord Security: Netherlands (14 Eyes). Employees: Lithuania (EU). Offices: UK (Five Eyes), Poland, Germany. Jurisdictional shield untested if intelligence agencies pressure Dutch parent.

⚡ high · policy claims vs regulatory findings
NordVPN was created by Tesonet, a Lithuanian company that also runs Oxylabs — a data mining operation controlling 60 million residential IP addresses. When journalist Didi Rankovic asked about the connection, NordVPN denied it. Then court filings emerged proving the overlap. Oxylabs had been sued by Luminati (Hola's commercial arm) for scraping. The "no-logs" VPN company shares founders with a company whose business is collecting data at scale.

What they claim: NordVPN is an independent privacy company with no conflicts of interest.

What we found: Incubated at Tesonet alongside Oxylabs (60M+ residential IP data mining). Co-founder and Tesonet CEO both directors of payment processor. Luminati/Hola sued naming NordVPN. Admitted HolaVPN affiliate partnership.

Data Sharing 2/4 MODERATE 1 finding
⚡ high · app permissions vs policy claims
NordVPN's app includes a marketing tracker that records your device fingerprint and IP. The two most private VPNs have zero trackers.

What they claim: 'Privacy is our priority' -- NordVPN protects users from tracking.

What we found: Android app: AppsFlyer (marketing tracker + IP), Firebase Analytics (stores ad ID 60 days), Crashlytics. 27 permissions. German researcher confirmed active transmission. Compare: Mullvad 0 trackers.
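The kind of static check that produces a tracker finding like the one above, as an added example that is not part of this page and not NordVPN's or Nord Security's code. It follows the approach tracker databases such as Exodus Privacy use: match the class and component names found in a decoded APK against a list of known SDK package prefixes, and count the permissions the manifest declares. The prefixes are the well-known Android package roots for each vendor; the manifest and class list are constructed sample input, not extracted from com.nordvpn.android.

```python
"""Flag known tracker SDKs and count declared permissions in a decoded Android app.

Added example; it is not from the page or from NordVPN. Inputs are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Package-name prefixes of the SDKs named in the finding. These are the vendors'
# well-known Android package roots (Firebase Analytics and Crashlytics both live
# under com.google.firebase; older Crashlytics builds used com.crashlytics).
TRACKER_SIGNATURES = {
    "AppsFlyer": ("com.appsflyer.",),
    "Firebase Analytics": ("com.google.firebase.analytics.",),
    "Crashlytics": ("com.google.firebase.crashlytics.", "com.crashlytics."),
}

# Constructed AndroidManifest.xml of a hypothetical VPN app (not NordVPN's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name="com.appsflyer.SingleInstallBroadcastReceiver"/>
    <service android:name="com.google.firebase.components.ComponentDiscoveryService"/>
  </application>
</manifest>
"""

# Constructed class list, as you would get by listing the classes in classes.dex.
SAMPLE_CLASSES = [
    "com.example.vpnapp.MainActivity",
    "com.example.vpnapp.tunnel.WireGuardBackend",
    "com.appsflyer.AppsFlyerLib",
    "com.google.firebase.analytics.FirebaseAnalytics",
    "com.google.firebase.crashlytics.FirebaseCrashlytics",
    "okhttp3.OkHttpClient",
]


def declared_permissions(manifest_xml):
    """Return the sorted list of <uses-permission> names in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))


def component_class_names(manifest_xml):
    """Return class names of declared app components (SDKs often register these)."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def detect_trackers(class_names, signatures=TRACKER_SIGNATURES):
    """Map each matched tracker vendor to the class names that triggered it."""
    found = {}
    for cls in class_names:
        for vendor, prefixes in signatures.items():
            if cls.startswith(prefixes):
                found.setdefault(vendor, []).append(cls)
    return found


def assess(manifest_xml, class_names):
    """Combine manifest components and dex classes into one tracker/permission report."""
    perms = declared_permissions(manifest_xml)
    all_classes = list(class_names) + component_class_names(manifest_xml)
    return {
        "permission_count": len(perms),
        "permissions": perms,
        "trackers": detect_trackers(all_classes),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_MANIFEST, SAMPLE_CLASSES)
    print(f"{report['permission_count']} permissions declared")
    for vendor, classes in sorted(report["trackers"].items()):
        print(f"tracker: {vendor} ({len(classes)} class(es))")
```

Prefix matching on class names is what makes this check survive obfuscation of the app's own code: SDK packages are usually left un-renamed because the vendor's manifest entries and reflection depend on them. It only shows that the SDK is present; whether it actually transmits (the "active transmission" the finding mentions) needs a traffic capture.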

Security 3/4 HIGH 4 findings
⚠️ critical · firmware analysis vs policy claims
Someone had complete control of a NordVPN server for weeks, could see everything passing through it, and NordVPN didn't notice for over a year. They didn't tell anyone for another 6 months.

What they claim: NordVPN's server infrastructure is secure and protects user data.

What we found: 2018 Finland server breach: attacker had 'God Mode' via datacenter's undisclosed remote management system. TLS and OpenVPN CA keys compromised. NordVPN did not detect the breach. 19-month disclosure delay. Up to 200 users at theoretical risk.

⚡ high · policy claims vs firmware analysis
In March 2018, an unauthorised person accessed a NordVPN server in Finland. NordVPN discovered the breach but didn't tell anyone for 19 months — until journalist Zack Whittaker broke the story in October 2019. NordVPN's response: the server "did not contain any user activity logs." Their audit reports proving this? Locked behind a login wall that requires creating a NordVPN account to access.

What they claim: NordVPN is transparent and honest about its practices.

What we found: 19-month breach disclosure delay. Denied Tesonet connection before admitting 'service provider.' Deflected tracker questions. Audit reports gated behind login. IVPN: 4/5 misleading claims.

⚫ medium · firmware analysis vs policy claims
NordVPN's "Threat Protection" feature — its key differentiator from competitors — has never been independently audited for privacy. The VPN tunnel itself has been audited by PricewaterhouseCoopers and Deloitte, but the feature that actively scans your traffic for threats operates on trust alone. You have to take NordVPN's word that the malware scanner protecting you isn't also reading your traffic.

What they claim: NordLynx provides superior privacy through its double NAT innovation.

What we found: Proprietary double NAT modification to WireGuard has NOT been independently audited in published report. Deloitte audits are attestation-style, not deep cryptographic analysis.

⚫ medium · policy claims vs app permissions
NordVPN calls its encryption "military-grade" in advertising — a meaningless marketing term. AES-256 encryption is the same encryption used by every reputable VPN, every bank, and every HTTPS website. NordVPN's ads promise a level of privacy no VPN can deliver: they can't protect you from the websites you log into, the apps on your phone, or the DNS requests your ISP can still see. The marketing sells a fantasy; the product sells a tunnel.

What they claim: 'Military-grade encryption' provides the highest security.

What we found: Standard AES-256/ChaCha20 identical to every VPN. Meaningless marketing term. 300M+ YouTube views. IVPN scored 4/5 misleading. Accidentally sponsored white nationalist.

Honesty 3/4 HIGH 1 finding
⚫ medium · policy claims vs regulatory findings
NordVPN doesn't log what you browse (proven), but collects your email, payment info, device type, ISP name, and usage flag. Mullvad collects none of that.

What they claim: 'Strict no-logs policy' -- nothing is tracked.

What we found: Collects: email, payment data, 90-day activity flag, 15-min session data, device/connection metadata. 2024 court order validated no traffic data. But not 'zero logs.' Mullvad requires no email, accepts cash.

Sources