You’ve seen the ads. Some YouTuber casually mentions that this video is sponsored by a VPN, tells you it’ll protect you from hackers, keep your data private, and make you invisible online. The messaging is consistent, polished, and reassuring.

The reality has been messier.

Over the past decade, VPN companies have been caught in server breaches with delayed disclosures, hired people with histories in state-backed hacking operations, been acquired by companies with adware roots, cooperated with the FBI despite claiming they keep zero logs, and in at least one case, turned their own users into proxy infrastructure that strangers could exploit. That’s before you get to the thousands of Android VPN apps nobody has audited, many of which appear to be data collection businesses dressed in privacy branding.

None of this means every VPN is a scam. Some are genuinely useful tools. But the industry has spent years selling trust on the basis of marketing claims that don’t always survive contact with real-world pressure. Here’s what actually happened.

NordVPN: The Breach They Sat On for Over a Year

In March 2018, an attacker accessed a NordVPN server in Finland hosted at a third-party data center. NordVPN didn’t disclose this publicly until October 2019, roughly eighteen months later. By then, researchers had already started circulating evidence online.

NordVPN’s defense was technically coherent: because the company doesn’t store activity logs, no user browsing data was exposed. The breach was framed as a vendor problem. The attacker had gotten in through an insecure remote management system that the data center had left open. NordVPN said it hadn’t even known the system existed.

That may all be accurate. But the eighteen months of silence is the actual story.

A company that markets itself on trust took a year and a half to tell its users that an unauthorized third party had been inside its infrastructure. The question isn’t only what was exposed. It’s what you do with a privacy product whose provider discovers a breach and says nothing for eighteen months.

The incident also exposed something structural about how VPNs operate: they rely heavily on data centers they don’t own or fully control. That creates attack surface that isn’t always visible even to the VPN company itself.

ExpressVPN: The Problem with Hiring a Project Raven Veteran

In 2021, the U.S. Department of Justice announced that three former American intelligence and military personnel had agreed to pay a combined $1.68 million under a deferred prosecution agreement related to Project Raven. Project Raven was a surveillance operation run for the United Arab Emirates government that targeted journalists, dissidents, and foreign officials using offensive hacking tools.

One of those three individuals was Daniel Gericke. At the time of the announcement, he was ExpressVPN’s Chief Information Officer.

ExpressVPN’s response was awkward. The company said it had known about the DOJ investigation when it hired Gericke and considered his technical background valuable. Gericke stepped down.

What’s hard to square is the basic premise. ExpressVPN sells protection from surveillance. It markets itself to journalists, activists, and people in countries where being monitored by a government is a real risk. Its CIO had signed a deferred prosecution agreement with the DOJ over his role in building surveillance infrastructure for a government targeting those same categories of people.

Gericke’s violations predated his time at ExpressVPN, and the DOJ’s case didn’t allege any misconduct there. But the hiring decision itself is a strange one for a company whose entire product is built on the idea that your connection is safe from exactly the kind of work Gericke had done.

Kape Technologies: Four Brands, One Owner, Zero Disclosure

In September 2021, Kape Technologies acquired ExpressVPN for $936 million. That acquisition wasn’t notable just for the price. It was notable because of what Kape already had.

By the time ExpressVPN joined the portfolio, Kape owned CyberGhost, Private Internet Access, and ZenMate. Four major VPN brands, presented in reviews and comparison articles as independent competitors, all under the same parent company.

Kape’s history didn’t help with optics. The company was formerly called Crossrider, a browser extension platform linked to adware distribution. Kape rebranded and shifted into privacy tools, but the Crossrider years didn’t disappear, and privacy-focused users didn’t forget them.

The structural problem is real regardless of what you think about Kape’s specific history. When a consumer is comparing VPN options and four of those options are subsidiaries of the same parent, they’re not actually comparison shopping. They’re choosing between house brands at the same store. Each brand runs separate apps and separate marketing. The shared ownership isn’t advertised.

What does shared infrastructure mean for your data? How do a common parent company’s policies affect its subsidiaries? These are questions Kape has never been required to answer in any clear way.

PureVPN and the FBI: What “No Logs” Has Always Actually Meant

In 2017, a Massachusetts man was arrested on cyberstalking charges. Among the evidence: connection data obtained from PureVPN.

PureVPN marketed itself as a no-logs VPN. The FBI’s criminal complaint showed that PureVPN had provided records connecting the suspect’s home IP and a hotel IP to the same account at specific times, which helped place him at particular locations and establish his identity. The FBI got what it needed.

PureVPN’s explanation drew a careful line: it logs connection metadata, not browsing activity. IP addresses and timestamps, not what users actually do online. That distinction is technically real. It is also exactly the information investigators need to identify someone.

This case is probably the most useful controversy in this list because it clarifies something the industry has never been forced to define. “No logs” is not a single standardized claim. Some VPNs keep no records of any kind. Others keep connection metadata but not activity data. Others run rolling logs for troubleshooting that delete after 24 hours. The marketing language treats all of these as equivalent.

The test that would actually mean something is this: has the company been asked by law enforcement for user data and genuinely had nothing to hand over? PureVPN was asked. It had something.

Hola VPN: Your Privacy Tool Was Also Someone Else’s Exit Node

Hola is a free VPN. In 2015, researchers discovered that Hola’s free model came with terms that most users hadn’t understood. Users who installed Hola weren’t just using bandwidth from other Hola users. They were also providing their own bandwidth to Luminati, a commercial residential proxy network that sold routing access through Hola’s user base to paying business customers.

In practice: while you thought you were browsing through someone else’s connection, an unknown paying customer somewhere might be routing their traffic through yours. If that customer was doing something problematic, investigators would find your IP.

This wasn’t theoretical. Hola’s bandwidth was used in a distributed attack on 8chan during that period, which made the risk concrete.

Hola has since made the arrangement with Bright Data, the rebranded Luminati, more explicitly part of its disclosed terms. But the original controversy made a broader point that still applies: free VPNs have operating costs. When there’s no subscription and no obvious revenue model, the company is getting value from something. Usually that something is you.

Facebook Onavo: When the VPN Is the Threat

Between 2013 and 2018, Facebook operated a VPN app called Onavo Protect. The app promised to protect connections and warn about risky apps. It had the interface and branding of a security tool.

What Onavo actually did was collect data on which apps users were running, how long they spent in each one, and traffic patterns, then send that information back to Facebook. Facebook used Onavo data to track the growth of WhatsApp before acquiring it. It monitored Snapchat engagement. It built a detailed picture of the mobile app landscape by watching millions of users who believed they were using a privacy tool.

Apple removed Onavo from the App Store in 2018 after determining it violated data collection policies. Facebook pulled it from Google Play the following year.

Onavo is worth including here because it strips the VPN concept to its mechanical reality. A VPN routes your traffic through a tunnel. The tunnel operator can see what passes through. When that operator is an advertising company with direct financial incentives to understand your behavior, the privacy framing isn’t just misleading. It’s backwards.

India’s Logging Law: The Jurisdiction Problem Made Obvious

In 2022, India’s CERT-In issued directions requiring VPN providers operating in India to collect and retain user data including names, IP addresses, and usage records for a minimum of five years. The rules took effect in June 2022.

For companies that had built their product around not keeping such records, compliance meant becoming a different product. Several major providers — ExpressVPN, NordVPN, Surfshark, and others — responded by pulling their physical servers from India and switching to virtual servers hosted elsewhere. They could still offer Indian IP addresses, but without infrastructure subject to Indian law.

Providers that stayed and complied with the rules undermined their no-log commitments in one of the world’s largest internet markets without much fanfare.

The India situation makes an argument VPN companies would rather not have: jurisdiction-dependent privacy guarantees are only as good as the laws of the places where infrastructure sits. VPN companies frequently market their headquarters location as a privacy feature (“based outside the Five Eyes”). But infrastructure is physically located somewhere, and those laws apply. When those laws require logging, the no-log promise breaks or the provider leaves.

ExpressVPN’s DNS Leak: How Bugs Quietly Undo Privacy

A different category of failure: in 2023, a bug in ExpressVPN’s Windows client affected users of the split-tunneling feature. DNS requests that should have traveled through the VPN tunnel were instead going through the system’s default resolver, meaning internet providers and anyone else in position to monitor DNS traffic could see which sites users were visiting. The bug reportedly went undetected for approximately two years.

DNS leaks are not dramatic. There’s no attacker, no data center breach, no policy failure. Just code doing something its authors didn’t intend, quietly working against the protection users assumed they had.

ExpressVPN is among the more heavily audited providers in the industry. It publishes audit reports and maintains a transparent public posture around security practices. A two-year DNS leak in a flagship Windows app doesn’t erase that posture, but it does illustrate the gap between “we got audited” and “we are secure.” The two are not the same thing.
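The split-tunneling leak described above is easy to reason about once you look at where DNS packets actually leave the machine. The following is an added example, not code from ExpressVPN or from this article: it runs a simple leak check over constructed per-flow records (application, egress interface, protocol, destination, port). It assumes a hypothetical setup in which the tunnel interface is `tun0`, the provider pushes `10.8.0.1` as the in-tunnel resolver, and the application named `game` has been deliberately excluded from the tunnel by split tunneling. Any DNS flow (port 53, or 853 for DNS-over-TLS) from a non-excluded app that leaves on a physical interface is flagged as a leak; DNS that does go through the tunnel but to a resolver the provider did not push is flagged separately, since it still tells an outside resolver what you are visiting.

```python
"""Flag DNS queries that escape a VPN tunnel, using constructed flow records."""
from dataclasses import dataclass

DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS


@dataclass(frozen=True)
class Flow:
    app: str        # process that generated the packet (assumed available)
    iface: str      # interface the packet left on
    proto: str      # "udp" or "tcp"
    dst_ip: str
    dst_port: int


# Constructed sample records, not real capture data. Columns:
# app, egress interface, protocol, destination IP, destination port.
SAMPLE_LOG = """\
browser    tun0 udp 10.8.0.1      53
browser    tun0 tcp 104.16.0.1    443
browser    eth0 udp 192.168.1.1   53
mailclient eth0 tcp 9.9.9.9       853
vpnclient  eth0 udp 203.0.113.10  51820
game       eth0 udp 192.168.1.1   53
browser    tun0 udp 1.1.1.1       53
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow objects, skipping comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        app, iface, proto, dst_ip, dst_port = line.split()
        flows.append(Flow(app, iface, proto, dst_ip, int(dst_port)))
    return flows


def audit_dns(flows, tunnel_iface, tunnel_resolvers, excluded_apps):
    """Classify DNS flows.

    leaks:      DNS from an app that should be tunnelled, leaving on another interface
    off_policy: DNS inside the tunnel but aimed at a resolver the provider did not push
    Apps in excluded_apps are split-tunnelled on purpose, so their DNS on the
    physical interface is expected and not reported.
    """
    leaks, off_policy = [], []
    for f in flows:
        if f.dst_port not in DNS_PORTS:
            continue
        if f.iface != tunnel_iface:
            if f.app not in excluded_apps:
                leaks.append(f)
        elif f.dst_ip not in tunnel_resolvers:
            off_policy.append(f)
    return {"leaks": leaks, "off_policy": off_policy}


def main():
    result = audit_dns(
        parse_flows(SAMPLE_LOG),
        tunnel_iface="tun0",                 # assumed tunnel interface
        tunnel_resolvers={"10.8.0.1"},       # assumed provider-pushed resolver
        excluded_apps={"game"},              # assumed split-tunnel exclusion
    )
    for f in result["leaks"]:
        print(f"LEAK: {f.app} sent DNS to {f.dst_ip}:{f.dst_port} via {f.iface}")
    for f in result["off_policy"]:
        print(f"OFF-POLICY: {f.app} used resolver {f.dst_ip} inside the tunnel")


if __name__ == "__main__":
    main()
```

Against the sample records, `browser` and `mailclient` are reported as leaks because their DNS left on `eth0` while their other traffic was supposed to be tunnelled, which is the shape of the bug described above; the `game` query on `eth0` is not reported because that app was excluded on purpose. A real check would take the records from a packet capture or the operating system's per-process socket accounting, but the classification logic is the same.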

The Android VPN Problem Nobody Mentions

In 2026, an investigation found that over 75% of Android VPN apps examined failed basic transparency tests. The problems included vague or missing privacy policies, unclear ownership, weak support channels, and websites that provided no real information about how data was handled.

This number deserves more attention than it gets.

The VPN controversies that generate coverage tend to involve recognizable names — NordVPN, ExpressVPN, PureVPN. These companies have PR teams, reputational stakes, and some incentive to address problems when they get attention. But the Google Play Store has thousands of VPN apps from developers with no public presence, no audits, and millions of installs. Nobody is scrutinizing their privacy policies. Nobody is testing them for leaks. Nobody is asking whether the people who built them have any particular interest in protecting the people using them.

The risk in focusing entirely on big-brand controversies is that it creates an implied safety of familiar names. In practice, the unknown VPN with eight million downloads and a four-line privacy policy in broken English may be a worse choice than any provider named in this article, even accounting for all of the above.

What This Tells You

The controversies here don’t form a single clean argument that VPNs are fraudulent. NordVPN’s breach didn’t expose user data. PureVPN helping catch a cyberstalker is something many users would consider a reasonable outcome. Kape may run its acquired brands with full operational independence. The India server exits may actually be evidence that no-log policies were taken seriously rather than quietly abandoned.

But the pattern across all of them is the same: VPN marketing promises things the product cannot always deliver, and the conditions under which those promises break aren’t disclosed clearly.

Before paying for a VPN, there are two questions worth asking. Has this company actually been tested — by legal demands, by researchers, by real-world pressure — and come through with its claims intact? And if your reason for using a VPN is something that actually matters to you, do you understand the specific ways this particular product can still fail?

Those two questions will do more for your privacy than any ad you’ll ever see.

This post first appeared at The CyberSec Guru.