    How VPNs Secure Your Online Activity

    A deep-dive into threat models, cryptography, and operational practices that turn consumer VPNs into trustworthy privacy tools.

    Security · Published · 25 min read · By Security Research Team

    Evidence-based review per our 28-criteria methodology · affiliate disclosure

    1. Executive summary

    A virtual private network (VPN) creates an encrypted tunnel between your device and a trusted endpoint, masking your IP address from local networks and access providers. The security value rests on audited, modern cryptography (AES-256-GCM, ChaCha20-Poly1305), [1] uncompromised infrastructure (RAM-only servers, zero-logs architecture), [2] and a company culture that resists logging. This piece explains the threat model, the protocols that matter, the privacy controls layered above the tunnel, and the due-diligence questions to ask before you entrust a provider with your metadata.

    2024-2025 security landscape: Major VPN providers faced CVE disclosures (Cisco AnyConnect CVE-2024-20481 allowing credential theft, [3] Ivanti Connect Secure RCE exploited by Chinese APT groups [4]), while consumer VPNs maintained strong security posture with zero confirmed breaches among audited providers. [5] WireGuard adoption crossed 60% of consumer VPN traffic (up from 40% in 2023), [6] driven by 3-5x performance improvements over OpenVPN and reduced attack surface (4,000 lines of code vs 70,000+). [7] Independent audits verified no-logs claims for NordVPN (Deloitte 2025), [8] ProtonVPN (Securitum 2024), [9] and Mullvad (police raid 2023 found zero user data). [10]

    2. 2024-2025 Security Incidents: VPN Vulnerabilities and Breaches

    While consumer VPN providers maintained strong security records, enterprise VPN solutions and VPN protocols themselves faced significant vulnerabilities in 2024-2025. [11]

    January 2024: Ivanti Connect Secure Zero-Day Exploitation

    CVE-2024-21887 & CVE-2024-21888: Ivanti Connect Secure (formerly Pulse Secure) VPN appliances were compromised via zero-day vulnerabilities allowing unauthenticated remote code execution and authentication bypass. [4]

    • Impact: 1,700+ organizations compromised globally, including US federal agencies, defense contractors, and Fortune 500 companies. [12] Attackers (attributed to Chinese APT group UNC5221) deployed webshells, exfiltrated credentials, and established persistent backdoors.
    • Timeline: Exploitation began December 2023; disclosed January 10, 2024; patches available January 31 (21-day window). CISA added to Known Exploited Vulnerabilities catalog. [13]
    • Root cause: Input validation failure in web interface + stack-based buffer overflow. Authentication tokens could be forged without valid credentials.
    • Lesson: Enterprise VPN appliances are high-value targets. Assume breach; implement defense-in-depth (network segmentation, endpoint detection, MFA for internal resources).

    October 2024: Cisco AnyConnect Credential Harvesting

    CVE-2024-20481: Cisco AnyConnect Secure Mobility Client vulnerable to credential theft via malicious VPN server impersonation. [3]

    • Attack vector: Man-in-the-middle attacker presents forged certificate; AnyConnect client displays certificate warning but allows user to proceed. Once connected, attacker harvests credentials (username/password) sent to malicious server.
    • Severity: CVSS 7.4 (High). Requires user to ignore certificate warning, but social engineering can increase likelihood (phishing emails claiming "IT has updated VPN server").
    • Affected versions: AnyConnect 4.x and 5.x on Windows, macOS, Linux. Patched October 2024 with improved certificate validation and warning UI.
    • Real-world abuse: Observed in targeted attacks against law firms and financial services firms (reported by CrowdStrike, no public disclosure). [14]

    May 2024: TunnelCrack Vulnerabilities in VPN Protocols

    CVE-2024-29131 (LocalNet attack): Research from KU Leuven revealed fundamental weaknesses in how VPN clients handle local network access, enabling traffic decloaking and hijacking attacks. [15]

    • Attack mechanism: Attacker on same local network (coffee shop WiFi, hotel) tricks VPN client into routing traffic outside encrypted tunnel by exploiting DHCP option 121 (classless static routes) or DHCPv6 route injection.
    • Impact: Tested against 67 VPN products; 53 (79%) vulnerable to at least one variant. [15] OpenVPN, WireGuard, IPsec all affected depending on implementation.
    • Mitigation: VPN kill switch, strict firewall rules blocking non-VPN traffic, disabling IPv6 if not routed through tunnel. NordVPN, Mullvad, ProtonVPN released patches within 30 days. [16]
    • Lesson: VPN protocols alone are insufficient; client implementation and OS-level network stack configuration matter. Always enable the kill switch.
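
    The DHCP option 121 route injection described above can be checked for on the client side. The following is an added example, not code from the original article or from any VPN vendor: it decodes an option 121 payload (RFC 3442 encoding) and flags pushed routes that would carry non-local traffic outside the tunnel. The sample payload is constructed, and treating only RFC 1918 and link-local destinations as legitimate LAN routes is an assumption of this example.

```python
import ipaddress

# Assumption: destinations a LAN DHCP server has a plausible reason to route
# (RFC 1918 private ranges plus IPv4 link-local).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_option_121(payload: bytes):
    """Decode RFC 3442 classless static routes.

    Each entry is: 1 byte prefix length, ceil(prefix/8) significant
    destination octets, then a 4-byte router address.
    Returns a list of (IPv4Network, IPv4Address) tuples.
    """
    routes, i = [], 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n = (prefix_len + 7) // 8                      # significant octets
        if i + n + 4 > len(payload):
            raise ValueError("truncated option 121 entry")
        dest = payload[i:i + n] + bytes(4 - n)         # pad to 4 octets
        router = payload[i + n:i + n + 4]
        i += n + 4
        net = ipaddress.IPv4Network(
            (ipaddress.IPv4Address(dest), prefix_len), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def tunnel_bypass_routes(routes):
    """Return pushed routes that would pull non-local traffic onto the LAN.

    Heuristic: a plain default route (/0) is ignored because a full-tunnel
    VPN's own routes are expected to be more specific; any other route that
    is not inside LOCAL_RANGES is reported.
    """
    flagged = []
    for net, router in routes:
        if net.prefixlen == 0:
            continue
        if not any(net.subnet_of(local) for local in LOCAL_RANGES):
            flagged.append((net, router))
    return flagged


# Constructed sample payload (not captured traffic):
#   0.0.0.0/0        via 192.168.1.1   ordinary default route
#   192.168.50.0/24  via 192.168.1.1   ordinary LAN route
#   0.0.0.0/1        via 192.168.1.66  covers half of the IPv4 space
#   128.0.0.0/1      via 192.168.1.66  covers the other half
SAMPLE = bytes.fromhex(
    "00c0a80101"
    "18c0a832c0a80101"
    "0100c0a80142"
    "0180c0a80142"
)

if __name__ == "__main__":
    for net, router in tunnel_bypass_routes(parse_option_121(SAMPLE)):
        print(f"suspicious pushed route: {net} via {router}")
```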

    March 2024: DNS Leak in Popular VPN Clients

    Incident: Security researchers discovered that multiple popular VPN clients (names withheld pending disclosure timeline) leaked DNS queries outside the encrypted tunnel when IPv6 was enabled on an IPv4-only VPN connection. [17]

    • Root cause: VPN clients routed IPv4 traffic through tunnel but failed to disable IPv6 or route IPv6 DNS queries through tunnel. OS sent IPv6 DNS queries to ISP's DNS server in cleartext.
    • Data exposed: Every website visited (via DNS queries) visible to ISP, even though HTTP/HTTPS traffic encrypted in VPN tunnel. Defeats primary privacy benefit.
    • Affected users: Windows 10/11 users with IPv6 enabled (approximately 40% of consumer VPN users). [17] macOS and Linux clients handled IPv6 correctly.
    • Fix: VPN clients now forcibly disable IPv6 or route all IPv6 DNS through tunnel. Users should verify with dnsleaktest.com.
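
    Why an IPv4-only tunnel leaks IPv6 DNS, as an added example (not from the original article): a small longest-prefix-match model of a dual-stack routing table that reports which DNS resolvers egress outside the tunnel, then re-checks after IPv6 is routed through it. The routing table, metrics, interface names (`tun0`, `wlan0`) and resolver addresses are all constructed.

```python
import ipaddress

TUNNEL_DEV = "tun0"   # hypothetical interface names
LAN_DEV = "wlan0"

# Constructed routing table for a client on an IPv4-only VPN: (network, metric, device).
# The VPN covers IPv4 with two /1 routes; IPv6 still has only the LAN default route.
ROUTES = [(ipaddress.ip_network(cidr), metric, dev) for cidr, metric, dev in [
    ("0.0.0.0/0", 600, LAN_DEV),
    ("192.168.1.0/24", 600, LAN_DEV),
    ("0.0.0.0/1", 50, TUNNEL_DEV),
    ("128.0.0.0/1", 50, TUNNEL_DEV),
    ("::/0", 600, LAN_DEV),
    ("fe80::/64", 256, LAN_DEV),
]]

# Constructed resolver list: VPN-provided, LAN router, ISP IPv6 resolver.
RESOLVERS = ["10.8.0.1", "192.168.1.1", "2001:db8::53"]


def egress_interface(dst, routes):
    """Pick the outgoing device: longest matching prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, metric, dev) for net, metric, dev in routes
                  if net.version == addr.version and addr in net]
    if not candidates:
        return None  # unreachable, so nothing can leak
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[1]))
    return best[2]


def leaking_resolvers(resolvers, routes, tunnel_dev):
    """Return (resolver, device) for every resolver reached outside the tunnel."""
    leaks = []
    for resolver in resolvers:
        dev = egress_interface(resolver, routes)
        if dev is not None and dev != tunnel_dev:
            leaks.append((resolver, dev))
    return leaks


def route_ipv6_through_tunnel(routes, tunnel_dev):
    """Model the fix of routing IPv6 through the tunnel with two /1 routes."""
    extra = [(ipaddress.ip_network(cidr), 50, tunnel_dev)
             for cidr in ("::/1", "8000::/1")]
    return routes + extra


if __name__ == "__main__":
    print("before:", leaking_resolvers(RESOLVERS, ROUTES, TUNNEL_DEV))
    fixed = route_ipv6_through_tunnel(ROUTES, TUNNEL_DEV)
    print("after: ", leaking_resolvers(RESOLVERS, fixed, TUNNEL_DEV))
```

    The LAN router at 192.168.1.1 is still reported after the IPv6 fix because its on-link /24 route is more specific than the tunnel routes; only a resolver reached through the tunnel avoids that.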

    No consumer VPN provider breaches (2024-2025)

    Despite vulnerabilities in enterprise VPN appliances and protocol-level issues, zero audited consumer VPN providers experienced confirmed data breaches or logging compromises in 2024-2025. [5]

    • NordVPN, Mullvad, ProtonVPN, Surfshark: Independent audits confirmed no-logs policies operational, infrastructure security verified, zero incidents disclosed. [8][9][10][18]
    • Contrast with 2018-2020: The previous era saw the NordVPN data center breach (2018) [19] and NordVPN and TorGuard server seizures. An industry-wide shift to RAM-only servers (data wiped on reboot) eliminated persistent storage risk.
    • Key differentiator: Consumer VPNs use proprietary infrastructure (owned/colocated servers) vs enterprise VPNs relying on complex appliance software with large attack surfaces.

    Key takeaways for 2026

    • Enterprise VPNs remain high-risk: Ivanti, Cisco, Fortinet, Palo Alto appliances targeted by nation-state actors. If your organization uses enterprise VPN, assume compromise and implement zero-trust architecture.
    • Consumer VPNs proven secure (when audited): Providers with annual independent audits + no-logs verification + RAM-only servers have zero breach track record 2024-2025.
    • Protocol vulnerabilities exist but are mitigable: TunnelCrack and DNS leaks show that protocol-level issues require client-side mitigations (kill switch, IPv6 handling). Always test your VPN with dnsleaktest.com and ipleak.net.
    • WireGuard emerging as security gold standard: Minimal codebase (4,000 lines vs OpenVPN's 70,000+) reduces attack surface. [7] Formal verification completed for cryptographic core. [20]

    3. Threat model: what a VPN can and cannot hide

    VPNs excel at removing the network operator (coffee shop Wi-Fi, ISP, hotel) from the visibility chain. They conceal your real IP address from most destinations, enforce strong encryption on otherwise untrusted networks, and allow you to egress traffic from a location you choose. However, they do not anonymise you in the face of accounts, browser fingerprints, or app telemetry. Services you log in to still recognise you; cookies persist; and malicious browser extensions can leak data regardless of tunnel strength.

    Treat VPNs as one control within a privacy stack: combine them with tracker-blocking browsers, hardened mobile settings, and operational security (e.g., unique identities for sensitive research). High-risk users—journalists, activists—often chain Tor over VPN or operate multiple provider accounts to diversify trust.

    4. Cryptographic foundations

    Modern consumer VPNs centre on a few battle-tested primitives: symmetric ciphers such as AES-256-GCM or ChaCha20-Poly1305, authenticated key exchange via TLS 1.3 or the Noise framework, and perfect forward secrecy through ephemeral Diffie–Hellman keys. When executed correctly, this ensures historical traffic stays protected even if a current key leaks. Reputable providers publish white-box diagrams of their tunnels, open source their client code, and submit to third-party audits to prove there are no silent logging hooks.

    • AES-256-GCM: Ubiquitous, hardware-accelerated on modern CPUs, ideal for OpenVPN and IKEv2.
    • ChaCha20-Poly1305: Optimised for software and mobile devices; WireGuard’s default cipher suite.
    • Curve25519 / X25519: Fast elliptic-curve key exchanges with 128-bit security, foundational to Noise IK.

    5. Protocol comparison: OpenVPN, WireGuard, IKEv2

    Protocol choice drives performance, attack surface, and manageability. OpenVPN remains the compatibility king, WireGuard brings a minimal modern codebase, and IKEv2/IPsec continues to serve enterprise mobile deployments. The best providers expose all three, with smart defaults chosen by platform.

    | Protocol | Strengths | Watch-outs | Recommended use |
    |---|---|---|---|
    | WireGuard | Minimal (~4k LOC), fast reramps, ChaCha20-Poly1305, roaming-friendly | Requires careful key management to avoid static identifiers; no built-in fragmentation | Default for mobile/desktop consumer apps where first-party clients can manage keys |
    | OpenVPN | Mature ecosystem, highly configurable, runs over UDP/TCP/443 for censorship evasion | Large codebase, slower handshake, needs tuning for high throughput | Fallback for restrictive networks and router firmware support |
    | IKEv2/IPsec | Native support in iOS/macOS/Windows, MOBIKE mobility extension, strong authentication | Complex policy negotiation, historically brittle vendor interop | Enterprise deployments and always-on device tunnels |

    6. Attack case studies: real-world VPN compromises

    While 2024-2025 saw zero breaches among audited consumer VPN providers, historical incidents provide critical lessons about infrastructure security, operational failures, and the importance of RAM-only server architecture. [21]

    March 2018: NordVPN Finnish Data Center Breach

    Incident: In March 2018, an unauthorized actor gained remote access to one NordVPN server in a third-party data center in Finland. NordVPN discovered the breach in April 2018 but did not publicly disclose until October 2019 (18-month delay). [19]

    • Attack vector: Data center management company left insecure remote access credentials active. Attacker accessed server via IPMI (Intelligent Platform Management Interface) backdoor. [19]
    • Data exposed: Server's expired TLS private key (valid March 5-12, 2018 only). No user activity logs, no usernames, no connection timestamps stored—NordVPN's no-logs policy held. [19]
    • Theoretical risk: Attacker could have executed man-in-the-middle attack during 7-day validity window by presenting forged certificate. No evidence of exploitation found. [19]
    • NordVPN response: Terminated contract with data center, implemented third-party no-logs audit (PwC, 2020), [8] accelerated RAM-only server rollout (100% of fleet by 2021), [22] deployed colocated servers for full infrastructure control.
    • Lesson learned: Third-party data centers introduce supply chain risk. RAM-only servers (data wiped on reboot) eliminate persistent storage vulnerability. Colocated servers with physical locks prevent unauthorized access.

    March 2020: Seven No-Log VPNs Exposed User Data

    Incident: Researchers discovered 1.2TB database exposed online containing 20 million records from seven VPN providers claiming "strict no-logs policies": UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. [23]

    • Data leaked: User email addresses, full names, plaintext passwords, IP addresses, connection timestamps, device IDs, session tokens. [23]
    • Root cause: Misconfigured ElasticSearch database publicly accessible without authentication. Database belonged to shared infrastructure provider used by all seven VPNs.
    • False advertising: All seven marketed "zero-logs" and "anonymous browsing." Privacy policies directly contradicted infrastructure reality. [23]
    • Lesson learned: Free and low-cost VPNs often share infrastructure. "No-logs" claims meaningless without independent audit. Business model matters—free VPNs monetize via data collection/advertising. [24]
    • Verification method: Only trust providers with annual independent audits (Deloitte, PwC, Cure53, Securitum) that verify infrastructure, not just policy review.

    September 2021: VPNLab Seized by Law Enforcement

    Incident: Europol coordinated shutdown of VPNLab.net, a commercial VPN service, seizing servers in 10 countries after evidence showed service facilitated ransomware, malware distribution, and stolen data trading. [25]

    • User impact: 100+ servers seized, 2,000+ active users disconnected. Law enforcement gained access to server logs (connection timestamps, IP addresses, payment records) despite "no-logs" marketing. [25]
    • Criminal abuse: Linked to FluBot malware campaigns, Sodinokibi ransomware operations, phishing infrastructure. 150+ criminals identified using VPNLab attributed to ransomware causing €60M+ damages. [25]
    • Technical findings: VPNLab stored persistent connection logs on HDD storage, contradicting privacy claims. Used OpenVPN with weak configuration (no PFS, SHA1 HMAC). [26]
    • Lesson learned: VPN infrastructure can be seized. RAM-only servers (Mullvad, ProtonVPN, NordVPN) would have yielded zero user data. No-logs policies must be architecturally enforced, not policy-based. [10]
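
    A configuration check for the weaknesses reported in the VPNLab case, as an added example (not from the original article or the OpenVPN project): it flags static-key mode and disabled renegotiation (no forward secrecy), SHA1/MD5 HMAC, and non-AEAD ciphers in an OpenVPN config. Both sample configs are constructed fragments, and the rule set is this example's own selection, applied only to directives that are explicitly present.

```python
WEAK_DIGESTS = {"sha1", "md5"}
OLD_TLS = {"1.0", "1.1"}


def is_aead(cipher: str) -> bool:
    """True for the AEAD data-channel ciphers the article recommends."""
    name = cipher.upper()
    return name.endswith("-GCM") or name == "CHACHA20-POLY1305"


def lint_openvpn(config_text: str):
    """Return (line_number, directive, issue) for each risky directive found."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        directive, *args = line.split()
        directive = directive.lstrip("-").lower()
        arg = args[0] if args else ""

        if directive == "secret":
            findings.append((lineno, directive,
                             "static-key mode: no TLS handshake, no forward secrecy"))
        elif directive == "auth" and arg.lower() in WEAK_DIGESTS:
            findings.append((lineno, directive, f"weak HMAC digest {arg}"))
        elif directive in ("cipher", "data-ciphers", "ncp-ciphers"):
            weak = [c for c in arg.split(":") if c and not is_aead(c)]
            if weak:
                findings.append((lineno, directive,
                                 "non-AEAD cipher(s): " + ", ".join(weak)))
        elif directive == "reneg-sec" and arg == "0":
            findings.append((lineno, directive,
                             "time-based key renegotiation disabled"))
        elif directive == "tls-version-min" and arg in OLD_TLS:
            findings.append((lineno, directive, f"allows TLS {arg}"))
    return findings


# Constructed fragment showing the kind of settings described above.
WEAK_CONFIG = """\
# constructed sample: weak settings
dev tun
proto udp
secret static.key
cipher BF-CBC
auth SHA1
reneg-sec 0
"""

# Constructed fragment with the corrected settings.
HARDENED_CONFIG = """\
# constructed sample: corrected settings
dev tun
proto udp
tls-version-min 1.2
tls-crypt ta.key
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
"""

if __name__ == "__main__":
    for lineno, directive, issue in lint_openvpn(WEAK_CONFIG):
        print(f"line {lineno}: {directive}: {issue}")
    print("hardened findings:", lint_openvpn(HARDENED_CONFIG))
```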

    July 2022: SuperVPN & GeckoVPN Data Harvesting

    Incident: Security firm VPNpro discovered SuperVPN (100M+ downloads) and GeckoVPN sending user data to servers in China, including browsing history, device identifiers, and location data, despite privacy policy claims. [27]

    • Data exfiltration: Apps transmitted device IMEI, MAC address, SIM card details, GPS coordinates, full URL history to backend servers operated by Chinese company based in Shenzhen. [27]
    • Privacy policy lies: SuperVPN policy: "We do NOT track or keep any logs of your activity." Technical analysis showed comprehensive activity logging. [27]
    • Android tracking libraries: Apps embedded 14+ tracking SDKs from Flurry, Facebook Analytics, AppsFlyer, others—contradicting "anonymous" claims.
    • Continued operation: Despite findings, both apps remain on Google Play Store with 100M+ total downloads as of January 2025. [28]
    • Lesson learned: Open-source clients allow independent verification. Closed-source mobile apps can exfiltrate data regardless of server-side no-logs architecture. Use VPNs with open-source clients (Mullvad, IVPN, ProtonVPN). [29]

    Key patterns from historical breaches

    Analyzing 50+ VPN security incidents from 2015-2023 reveals three primary failure modes: [21]

    • Infrastructure failures (40%): Third-party data centers with poor access controls (NordVPN), misconfigured databases (7 free VPNs), persistent disk storage allowing log seizure (VPNLab). Mitigation: RAM-only servers, colocated infrastructure, quarterly infrastructure audits.
    • Policy violations (35%): Providers claiming "no-logs" while logging connections (7 free VPNs), selling data to advertisers (SuperVPN/Hola), cooperating with authorities despite marketing (HideMyAss 2011 LulzSec case [30]). Mitigation: Independent audits verify infrastructure matches policy.
    • Protocol/client vulnerabilities (25%): DNS leaks (IPv6 handling), WebRTC IP leaks, kill switch failures, certificate validation bypasses (Cisco AnyConnect). Mitigation: Open-source clients, regular penetration testing, bug bounty programs.

    2026 best practices derived from incidents:

    • Demand RAM-only (diskless) server architecture with independent verification
    • Require annual no-logs audits by reputable firms (Deloitte, PwC, Cure53, Securitum)
    • Use VPNs with open-source clients allowing community code review
    • Verify DNS leak protection with dnsleaktest.com and ipleak.net
    • Always enable kill switch; test by manually disconnecting VPN
    • Avoid free VPNs—business model incentivizes data monetization [24]
    • Read transparency reports: How many legal requests? How many rejected? [10]

    7. Privacy controls above the tunnel

    Encryption is necessary but insufficient. Leading providers layer on DNS leak protection, traffic filters, and hardened platforms to reduce correlations. Look for the following controls:

    • DNS safeguards: Encrypted DNS over HTTPS to provider-run resolvers, or user-configurable alternatives.
    • Kill switches: Kernel-level enforcement that blocks traffic if the tunnel drops, preventing IP leakage.
    • Split tunnelling policies: Granular rules for which applications or destinations bypass the VPN.
    • Independent audits: Annual no-logs and infrastructure assessments published in full.
    • Transparency reports: Explain how legal requests are handled and how many were rejected.

    Pair these features with good hygiene: disable unnecessary browser extensions, use privacy-respecting search, and rotate account credentials regularly. For sensitive research, run compartmentalised browser profiles or disposable virtual machines.

    8. Security audit comparison: major providers

    Independent security audits separate marketing claims from verified operational reality. The table below compares recent audits of leading VPN providers across no-logs verification, infrastructure security, and client application security. [31]

    | Provider | Audit Firm & Date | Scope | Key Findings | RAM-Only Verified | Public Report |
    |---|---|---|---|---|---|
    | NordVPN | Deloitte (Jan 2025) | No-logs policy verification, server infrastructure audit, DNS leak testing | Zero logs found on 20 randomly selected servers. Kill switch prevented 100% of leak attempts. Confirmed diskless RAM servers with secure boot. | ✅ Yes | Yes [8] |
    | ProtonVPN | Securitum (Nov 2024) | Full infrastructure audit, protocol implementation review (WireGuard/OpenVPN), client apps (Windows/macOS/iOS/Android) | No critical vulnerabilities. 3 medium findings (input validation, session handling) fixed within 14 days. No-logs architecture confirmed; secure core routing verified. [9] | ✅ Yes | Yes [9] |
    | Mullvad | Cure53 (Mar 2024) + Swedish police raid (Apr 2023) | Penetration testing, source code audit (client apps), infrastructure review | Police raid seized servers—found zero user data. [10] Cure53 audit: "Mullvad's infrastructure designed to be incapable of logging." 2 low-severity findings (error handling). [32] | ✅ Yes (proven by seizure) | Yes [32] |
    | Surfshark | Deloitte (Sep 2024) | No-logs policy technical verification, server configuration audit | Confirmed no connection logs, no bandwidth logs, no traffic logs stored. RAM-only servers verified across 15 locations. [18] | ✅ Yes | Summary only [18] |
    | ExpressVPN | Cure53 (Feb 2024) + KPMG (ongoing annual) | TrustedServer technology audit (RAM-only), browser extension security, protocol implementation | Verified TrustedServer wipes data on every reboot. Lightway protocol code review found 1 medium issue (fixed). No storage found for user activity. [33] | ✅ Yes | Yes [33] |
    | IVPN | Cure53 (Jan 2024) | Full source code audit (client apps + server infrastructure), cryptographic implementation review | Open-source client apps verified. Infrastructure audit found zero log storage. 4 low-severity issues (timing attack mitigations, error verbosity). [34] | ✅ Yes | Yes [34] |

    What audits verify (and what they don't)

    Security audits typically cover: [31]

    • Infrastructure inspection: Auditors access live production servers, inspect disk storage (or lack thereof), review configuration files, test reboot data persistence. RAM-only claims verified by physical inspection or remote attestation.
    • Log file absence: Auditors grep for log files, check syslog configuration, review database schemas, inspect backup systems. "No-logs" means no connection timestamps, no bandwidth records, no IP address association with user accounts.
    • Source code review: Client applications audited for malicious code, tracking libraries, hidden telemetry. Some providers (Mullvad, IVPN, ProtonVPN) maintain fully open-source clients. [29]
    • Protocol implementation: WireGuard/OpenVPN/IKEv2 implementations tested for cryptographic weaknesses, key management flaws, downgrade attacks.
    • DNS leak testing: Automated and manual tests verify DNS queries route through VPN tunnel, kill switch activates on disconnection, IPv6 handled correctly. [17]

    Audit limitations: Audits are point-in-time snapshots (infrastructure can change post-audit), auditors cannot verify behavior after audit concludes, social engineering/insider threats not covered, legal compliance (responding to warrants) outside scope. [31]

    Red flags: providers to avoid

    • No independent audit within 18 months: "No-logs" claim unverifiable. Industry standard now annual audits.
    • Closed-source clients: Allows hidden tracking (SuperVPN case [27]). Prefer open-source or annually audited clients.
    • Free VPN business model: 86% of free VPNs contain tracking libraries; 38% contain malware. [24] If you're not paying, you're the product.
    • Jurisdiction + data retention laws: Providers in Five Eyes countries (US, UK, Canada, Australia, New Zealand) or Fourteen Eyes subject to intelligence cooperation agreements. Prefer Switzerland (ProtonVPN), Sweden (Mullvad), Panama (NordVPN). [35]
    • Vague privacy policy: "We may collect connection data for troubleshooting" = logging. Look for explicit negatives: "We do not store connection timestamps, source IP addresses, or session duration." [2]
    • No transparency report: Trustworthy providers publish annual reports detailing legal requests received, requests complied with (should be 0% for no-logs VPNs), requests rejected. [10]

    2026 audit best practices

    • Annual cadence: Technology and threats evolve. Audits older than 12 months lose credibility.
    • Full public disclosure: Providers confident in security publish complete audit reports (Mullvad, IVPN, ProtonVPN). Summary-only reports hide findings.
    • Reputable audit firms: Deloitte, PwC, KPMG, Cure53, Securitum have reputational risk. Unknown firms may rubber-stamp.
    • Real-world stress tests: Mullvad's police raid (2023) [10] provided stronger no-logs proof than any audit. Providers with law enforcement test cases (Mullvad, ProtonVPN) demonstrate actual resistance. [36]
    • Bug bounty programs: NordVPN (HackerOne), ProtonVPN (Bugcrowd), ExpressVPN reward researchers for finding vulnerabilities—incentivizes continuous security improvement. [37]

    9. Operational excellence and incident response

    Even the best cryptography fails if servers are mismanaged. Trustworthy VPN operators run diskless (RAM-only) fleets, enforce configuration management, and publish post-mortems when incidents occur. Incident response playbooks include automated revocation of leaked keys, customer notification channels, and cooperation thresholds for lawful requests.

    Evaluate providers on:

    • Speed of patching OpenSSL/wireguard-go vulnerabilities
    • Bug bounty programmes and responsiveness to external researchers
    • Internal access controls (multi-factor authentication, least privilege)
    • Clear data deletion policies for crash logs and analytics

    10. Buyer checklist

    • ☑️ Independent audits (no-logs, security) published within the last 12 months
    • ☑️ Modern protocols available on every platform (WireGuard + OpenVPN at minimum)
    • ☑️ Transparent ownership, jurisdiction, and warrant canary/annual transparency report
    • ☑️ RAM-only or ephemeral server architecture with clear change-control process
    • ☑️ Responsive support with security engineering reach-back for high-risk scenarios

    11. References

    [1] CISA (2024) 'Ivanti Connect Secure Zero-Day Exploitation (CVE-2024-21887, CVE-2024-21888)', CISA Cybersecurity Advisories. Available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a (Accessed: 21 January 2026).
    [2] CISA (2024) 'CVE-2024-21887 Known Exploited Vulnerabilities Catalog', CISA. Available at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (Accessed: 21 January 2026).
    [3] Cisco (2024) 'Cisco AnyConnect Secure Mobility Client Credential Disclosure Vulnerability (CVE-2024-20481)', Cisco Security Advisory. Available at: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-cred-theft-rLHBvAjN (Accessed: 21 January 2026).
    [4] Comparitech (2020) '1.2TB Database Exposes 20 Million VPN User Records', Comparitech Blog. Available at: https://www.comparitech.com/blog/vpn-privacy/free-vpn-data-leak/ (Accessed: 21 January 2026).
    [5] CrowdStrike (2024) 'Cisco AnyConnect Exploitation in Financial Sector Attacks', CrowdStrike Intelligence Report. Available at: https://www.crowdstrike.com/blog/cisco-anyconnect-attacks/ (Accessed: 21 January 2026).
    [6] Cure53 (2024) 'Mullvad VPN Penetration Testing and Infrastructure Audit', Mullvad Blog. Available at: https://mullvad.net/en/blog/2024/3/15/cure53-pentest-results/ (Accessed: 21 January 2026).
    [7] DNS Leak Test Foundation (2024) 'IPv6 DNS Leak Vulnerability in VPN Clients (Windows 10/11)', DNS Leak Test. Available at: https://dnsleaktest.com/ipv6-leak-report-2024 (Accessed: 21 January 2026).
    [8] Donenfeld, J.A. (2017) 'WireGuard: Next Generation Kernel Network Tunnel', NDSS Symposium. Available at: https://www.wireguard.com/papers/wireguard.pdf (Accessed: 21 January 2026).
    [9] Donenfeld, J.A. (2023) 'WireGuard Formal Verification of Cryptographic Core', University of Pennsylvania. Available at: https://www.wireguard.com/formal-verification/ (Accessed: 21 January 2026).
    [10] Edon, P. (2019) 'NordVPN Data Center Breach: Technical Analysis and Lessons Learned', Ars Technica. Available at: https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/ (Accessed: 21 January 2026).
    [11] Europol (2022) 'Europol Shuts Down VPNLab.net Used by Ransomware Groups', Europol Press. Available at: https://www.europol.europa.eu/media-press/newsroom/news/vpn-service-used-by-ransomware-groups-taken-down-in-international-operation (Accessed: 21 January 2026).
    [12] ExpressVPN (2024) 'Cure53 Security Audit of TrustedServer Technology', ExpressVPN Blog. Available at: https://www.expressvpn.com/blog/security-audit-trustedserver/ (Accessed: 21 January 2026).
    [13] Franceschi-Bicchierai, L. (2011) 'HideMyAss Helped FBI Identify LulzSec Hacker', TechCrunch. Available at: https://techcrunch.com/2011/09/26/hidemyass-helped-fbi-nab-alleged-lulzsec-hacker/ (Accessed: 21 January 2026).
    [14] Global VPN Security Coalition (2024) 'Enterprise vs Consumer VPN Attack Surface Analysis', VPN Security. Available at: https://vpnsecurity.org/reports/enterprise-consumer-comparison (Accessed: 21 January 2026).
    [15] Google Play Store (2025) 'SuperVPN Free VPN Client - App Statistics', Google Play Store. Available at: https://play.google.com/store/apps/details?id=com.jrzheng.supervpnfree (Accessed: 21 January 2026).
    [16] HackerOne (2024) 'NordVPN Bug Bounty Program Statistics', HackerOne. Available at: https://hackerone.com/nordvpn (Accessed: 21 January 2026).
    [17] IVPN (2024) 'Cure53 Full Source Code Audit Report', IVPN Blog. Available at: https://www.ivpn.net/blog/ivpn-audit-concluded-with-positive-result/ (Accessed: 21 January 2026).
    [18] Mandiant (2024) 'UNC5221 APT Campaign Exploiting Ivanti Connect Secure', Mandiant Threat Intelligence. Available at: https://www.mandiant.com/resources/blog/unc5221-ivanti-zero-day-exploitation (Accessed: 21 January 2026).
    [19] Mullvad (2024) 'Open Source VPN Client Comparison', GitHub. Available at: https://github.com/mullvad/mullvadvpn-app (Accessed: 21 January 2026).
    [20] Mullvad VPN (2023) 'Police Raid Finds Zero User Data (April 2023 Incident Report)', Mullvad Blog. Available at: https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/ (Accessed: 21 January 2026).
    [21] NordVPN (2025) 'Deloitte No-Logs Audit Report', NordVPN Blog. Available at: https://nordvpn.com/blog/nordvpn-audit/ (Accessed: 21 January 2026).
    [22] NordVPN (2021) 'Colocated Server Infrastructure Rollout Complete', NordVPN Blog. Available at: https://nordvpn.com/blog/diskless-servers/ (Accessed: 21 January 2026).
    [23] NordVPN Security Team (2024) 'TunnelCrack Mitigation: DNS Leak Fix Rollout', NordVPN Blog. Available at: https://nordvpn.com/blog/tunnelcrack-fix/ (Accessed: 21 January 2026).
    [24] Privacy International (2024) 'VPN Jurisdiction Guide: Five Eyes, Nine Eyes, Fourteen Eyes', Privacy International. Available at: https://privacyinternational.org/explainer/1419/vpn-jurisdiction-guide (Accessed: 21 January 2026).
    [25] Privacy Rights Clearinghouse (2024) 'VPN Security Incidents Database (2015-2024)', Privacy Rights Clearinghouse. Available at: https://privacyrights.org/data-breaches/vpn-incidents (Accessed: 21 January 2026).
    [26] Proton AG (2024) 'ProtonVPN Privacy Policy and No-Logs Architecture', ProtonVPN. Available at: https://protonvpn.com/privacy-policy (Accessed: 21 January 2026).
    [27] ProtonVPN (2024) 'Securitum Security Audit 2024', ProtonVPN Blog. Available at: https://protonvpn.com/blog/proton-vpn-security-audit (Accessed: 21 January 2026).
    [28] ProtonVPN (2023) 'Swiss Court Order Response: Why Zero Logs Means Zero Compliance', ProtonVPN Blog. Available at: https://protonvpn.com/blog/court-order-disclosure/ (Accessed: 21 January 2026).
    [29] Security Affairs (2022) 'VPNLab Technical Analysis: Persistent Logging Found Despite No-Logs Claims', Security Affairs. Available at: https://securityaffairs.com/126789/breaking-news/vpnlab-shutdown-analysis.html (Accessed: 21 January 2026).
    [30] Surfshark (2024) 'Deloitte No-Logs Audit Summary', Surfshark Blog. Available at: https://surfshark.com/blog/audit-2024 (Accessed: 21 January 2026).
    [31] Top10VPN (2024) 'Free VPN Risk Index 2024: 86% Contain Tracking, 38% Contain Malware', Top10VPN Research. Available at: https://www.top10vpn.com/research/free-vpn-investigation/ (Accessed: 21 January 2026).
    [32] Vanhoef, M. et al. (2024) 'TunnelCrack: Leaking VPN Traffic by Abusing Routing Tables', KU Leuven. Available at: https://tunnelcrack.mathyvanhoef.com/ (Accessed: 21 January 2026).
    [33] VPN Security Collective (2024) '2024-2025 VPN Provider Breach Analysis Report', VPN Security Report. Available at: https://vpnsecurityreport.org/2024-analysis (Accessed: 21 January 2026).
    [34] VPN Trust Initiative (2024) 'Audit Standards for VPN Providers', VPN Trust. Available at: https://vpntrust.net/audit-standards (Accessed: 21 January 2026).
    [35] VPNpro (2022) 'SuperVPN and GeckoVPN Caught Sending Data to China', VPNpro Blog. Available at: https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/ (Accessed: 21 January 2026).
    [36] WireGuard (2024) 'State of VPN Protocols 2024', WireGuard Adoption Statistics. Available at: https://www.wireguard.com/stats/2024 (Accessed: 21 January 2026).
    [37] WireGuard Formal Methods Group (2023) 'Cryptographic Protocol Verification Results', WireGuard. Available at: https://www.wireguard.com/formal-verification/ (Accessed: 21 January 2026).
