An attacker had full control of a NordVPN server for weeks and could see everything passing through it, yet NordVPN did not notice for over a year. It then waited another 6 months before telling anyone.
Severity: high
NordVPN says it is based in Panama, but its owner is Dutch, its employees are Lithuanian, and it has offices in the UK. Three of those four countries are members of intelligence-sharing alliances.
Severity: high
NordVPN was created by Tesonet, a Lithuanian company that also runs Oxylabs — a data mining operation controlling 60 million residential IP addresses. When journalist Didi Rankovic asked about the connection, NordVPN denied it. Then court filings emerged proving the overlap. Oxylabs had been sued by Luminati (Hola's commercial arm) for scraping. The "no-logs" VPN company shares founders with a company whose business is collecting data at scale.
Surfshark's Android app requests 42 permissions — including microphone, contacts, and phone numbers. It embeds a marketing tracker. For a VPN (a tool whose entire purpose is to hide what you do online), this is like hiring a bodyguard who also photographs your diary. Mullvad VPN requires zero permissions beyond network access. ProtonVPN requires three. Surfshark requires 42.
Severity: high
Surfshark installed a security certificate capable of intercepting your encrypted (TLS) traffic, and it installed the certificate even when you clicked Cancel to refuse it.
Severity: high
Surfshark's antivirus secretly logged every malware detection on your device and linked those records to your identity. They only stopped when a journalist caught them.
After you lock the password manager vault, your stored credit card numbers remain in process memory. Any malware running on your machine can read them, even though the UI tells you the vault is locked and your data is safe.
Severity: medium
NordVPN has been caught making exaggerated security claims in marketing. When the same company runs your password manager, every security claim deserves extra scrutiny.
Severity: medium
Professional auditors find new vulnerabilities every time they look. At DEF CON 33, a researcher demonstrated a clickjacking attack that could trick users into performing actions they did not intend.