The VPN industry's dirty secrets: ownership and affiliates
The consumer VPN industry is more concentrated, more conflicted, and less transparent than its marketing suggests. Most users do not know who owns the VPN they pay for. Most reviews are commercial relationships dressed as journalism. Most "no-logs" claims have no third-party verification.
This piece names names. It does not pretend that Fexyn is above the fray; it is honest about where we sit. The bias is disclosed; the documented facts are independently verifiable.
Ownership consolidation
Two corporate entities own a substantial portion of the consumer VPN market.
Kape Technologies (London-listed, headquartered in the UK). Owns ExpressVPN, CyberGhost, Private Internet Access (PIA), ZenMate. Acquired ExpressVPN in 2021 for $936 million.
Kape's history matters. The company was previously called Crossrider, the name of a tool used to develop browser extensions that included adware and malware-adjacent products. Crossrider rebranded to Kape Technologies in 2018. The rebrand happened concurrently with the acquisition of CyberGhost; the marketing position is that Kape is "now a privacy company" rather than "an adware company in privacy clothing."
The Kape ownership matters because:
- The brands (ExpressVPN, CyberGhost, PIA) market as independent privacy-focused operations
- The actual corporate parent has a history that contradicts the marketing positioning
- The same company also owns Webselenese, which operates major review sites including vpnMentor and Wizcase
- The same review sites that Kape owns rank Kape's VPNs highly. The conflict is not disclosed prominently.
Users buying ExpressVPN, CyberGhost, or PIA are buying into the Kape group regardless of which brand they pay for. The corporate-level data practices apply across brands.
Nord Security (and the Tesonet relationship). NordVPN's parent. The corporate structure has historically involved Tesonet (an IT services company in Lithuania) and the Nord brands. NordVPN markets as Panama-based; the corporate parent is Lithuania-based; the operational decisions sit with Nord Security in Vilnius.
In 2024 Nord Security announced a merger with Surfshark's parent (also Tesonet-related). The two brands continue to operate separately but are corporately joined.
The implication: NordVPN and Surfshark are not independent competitors. They are sister brands of the same corporate parent. Reviews comparing them are comparing two products from the same company.
The affiliate-marketing industrial complex
Consumer VPN affiliate programs pay 30-100% of the first-year subscription as commission to referrers. A user buying a $40/year NordVPN subscription generates $30-40 commission to whoever's affiliate link drove the sale. At 6-12 month lock-in periods, the lifetime commission per customer is substantial.
This produces a specific market structure:
"Best VPN" listicles are paid placement. The top-ranked VPN on most listicles is the one paying the highest affiliate commission for that listicle's traffic. Quality is correlated with payment, not the other way around. The same five or six brands appear in nearly every "best VPN" list because they have the highest affiliate budgets.
Review sites with editorial integrity are rare. Independent VPN reviews exist (Privacy Guides, Wirecutter sometimes, security-focused publications occasionally). The sites that dominate Google search results for "best VPN" are predominantly affiliate-driven.
YouTube reviewers are commercial. Most VPN-focused YouTube channels are paid-promotion-funded. The disclosed sponsorships are real; the unstated bias is the reviewer's revenue depending on the relationship continuing.
The same listicles get re-published. If you read one "Best VPN 2026" article and another, they recommend the same products in similar ranks. The narrative is shared because the financial incentives are shared.
The fix for the user is direct testing. The 30-day refund windows that most reputable VPNs offer are the actual evaluation mechanism. Marketing copy is not.
The "no-logs" claim audit gap
Most VPN providers claim "no logs." Few have had this verified.
Audits that have happened:
ProtonVPN. Multiple Cure53 audits including no-logs scope. Public reports.
Mullvad. Cure53 and Assured AB audits. Public reports. Among the most thorough in the industry.
ExpressVPN. PricewaterhouseCoopers and KPMG audits over multiple years. Reports available with restrictions.
NordVPN. PricewaterhouseCoopers and Deloitte audits over multiple years. Reports summarised publicly.
Surfshark. Deloitte audit (2023). Public summary.
TunnelBear. Cure53 (2017, 2020). Public.
IVPN. Cure53 audits. Public.
VyprVPN. Leviathan Security (2018). Public.
CyberGhost, PIA. Various audits with mixed transparency.
Providers without recent published no-logs audits: Most smaller and newer providers. Fexyn is in this group. We have not yet completed a third-party audit. Planned for 2026. Until then, the no-logs claim is operational and stated but not externally verified.
For users who treat audit verification as load-bearing for trust, this matters. ProtonVPN and Mullvad have the strongest current audited claims; users who specifically need this should consider those providers over us.
"No-logs" implementation matters
Beyond audits, the technical implementation of no-logs varies:
Operationally no-logs. The systems do not retain logs of browsing or DNS queries because the configuration does not generate them. ProtonVPN and Mullvad operate this way; Fexyn operates this way.
Marketed no-logs but with operational metadata. The provider says "no-logs" but the systems retain connection metadata that could identify a specific user's session if subpoenaed. Less secure for the no-logs threat model; the marketing language is technically defensible but the operational reality is weaker.
Logs that go through a deletion pipeline. Providers that retain logs briefly for operational purposes, then delete them. The window during which logs exist is the period of subpoena exposure. Some providers in this category mark themselves as "no-logs" if the deletion timer is short enough.
Audits help distinguish these. Without an audit, you have only the provider's word.
Server infrastructure secrets
VPN providers commonly market server counts: "5,000+ servers in 60 countries!" The reality is more nuanced.
Many "servers" are virtual machines. A provider with "5,000 servers" may have 500 physical machines each running 10 virtual servers. Each VM gets its own IP and counts as a "server" for marketing purposes; the underlying hardware is shared.
Some "servers in country X" are physically in country Y. A provider with "servers in Iceland" may have a server physically in Frankfurt configured to present an Icelandic IP via routing. The user's connection still terminates in Frankfurt; only the apparent IP is Icelandic. The provider may or may not disclose this in the fine print.
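A "server in country X" claim can be tested against a speed-of-light bound on round-trip time. The sketch below is an added example, not Fexyn's or any provider's code; the probe names, coordinates, RTT values and the 200 km/ms fibre speed are constructed assumptions.

```python
import math

EARTH_RADIUS_KM = 6371.0
# Assumption: signals in fibre cover roughly 200 km per millisecond (about 2/3 c).
FIBRE_KM_PER_MS = 200.0

def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def max_distance_km(min_rtt_ms):
    """Farthest the server can be from a probe: half the RTT is one-way time."""
    return (min_rtt_ms / 2) * FIBRE_KM_PER_MS

def contradictions(claimed_location, probes):
    """Return the probes whose RTT is too low for the advertised location.

    probes: (name, (lat, lon), min_rtt_ms) tuples, where min_rtt_ms is the
    lowest RTT seen from that probe to the server's public IP (measured
    directly, not through the tunnel).
    """
    ruled_out = []
    for name, coords, min_rtt_ms in probes:
        needed = great_circle_km(coords, claimed_location)
        reachable = max_distance_km(min_rtt_ms)
        if needed > reachable:
            ruled_out.append((name, round(needed), round(reachable)))
    return ruled_out

# Constructed sample data: a server advertised as Icelandic that answers a
# Frankfurt probe in 3 ms and a Helsinki probe in 26 ms.
FRANKFURT = (50.11, 8.68)
HELSINKI = (60.17, 24.94)
REYKJAVIK = (64.15, -21.94)
PROBES = [("Frankfurt", FRANKFURT, 3.0), ("Helsinki", HELSINKI, 26.0)]

if __name__ == "__main__":
    for claim_name, claim in (("Reykjavik", REYKJAVIK), ("Frankfurt", FRANKFURT)):
        bad = contradictions(claim, PROBES)
        print(claim_name, "ruled out" if bad else "not ruled out", bad)
```

The check can only rule a location out: a host can add delay but cannot answer faster than the bound allows, so an empty result means "not contradicted", not "confirmed". The Helsinki probe alone does not contradict the Icelandic claim, which is why several vantage points are needed.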
Capacity per server varies enormously. A 1U pizza-box bare-metal server with 10Gbps networking can serve thousands of concurrent users. A virtual server with 1Gbps networking serves dozens. The "5,000 servers" marketing does not differentiate.
Providers with smaller, transparent infrastructure are usually more honest. Mullvad publishes their bare-metal-vs-rented breakdown. IVPN publishes detailed server lists. Fexyn currently operates four physical servers (Frankfurt, Helsinki, Cyprus, Ashburn) and we say so plainly.
The free-VPN problem
Free consumer VPNs almost universally have data-collection issues. The pattern:
Hola VPN (2015 incident). Selling user bandwidth as residential proxy nodes for botnets. Documented and publicly known.
Onavo Protect (Facebook, 2019). Free VPN that collected user data for Facebook's competitive intelligence. Pulled from app stores after disclosure.
SuperVPN (multiple incidents). Data leak exposing 360 million records. Privacy-policy-vs-practice mismatch.
Various smaller free VPNs. Frequent reports of data sales, malware, residential-proxy use of user bandwidth, ad injection.
The exceptions:
ProtonVPN free tier. Operationally legitimate; cross-subsidised by paid users.
Cloudflare WARP free tier. Bundled with Cloudflare's CDN business; not a privacy-focused VPN but technically legitimate.
Windscribe free tier. Limited bandwidth; legitimate operations.
Anti-censorship tools (Lantern, Psiphon). Different category; non-profit anti-censorship rather than commercial VPN.
For the rest, the industry rule applies: if you are not paying, you are the product. Monetising via data collection is essentially the entire economic model of the free-VPN space.
Where Fexyn sits honestly
We are a small company. We operate four physical servers. We are based in Wyoming, US (Five Eyes). We have not yet completed an independent no-logs audit.
What we offer:
- VLESS Reality with the Vision flow (xtls-rprx-vision): a protocol shipped by us, Astrill, and a small number of others. Most major brands do not ship it. This is the technical differentiator.
- WFP-based kernel kill switch — Fexyn, Mullvad, ProtonVPN, IVPN are in this group; most major brands have application-level kill switches with leak windows.
- Crypto-only billing as an option — useful for users in markets where card payment is broken or where minimum-trail accounts matter.
- Tier-based pricing — Tier 1 ($9.99/mo) to Tier 4 ($2.99/mo) by region. Honest about regional purchasing power.
- 5-language UI — EN, RU, TR, AR, pt-BR. Spanish flagged for the next sprint.
- Honest country pages with legal context — including US, EU, Russia, China, Iran, Pakistan, UAE.
What we do not offer:
- Independent no-logs audit yet. Planned for 2026.
- Server-counts marketing comparable to NordVPN's "5,000 servers." We have four. We say so.
- Proprietary fast protocol with marketing claims. Bolt is just WireGuard; Stealth is just VLESS Reality with the Vision flow. Standard protocols, plain naming.
- Affiliate program designed to game listicle rankings. We are not in the major affiliate listicles because we do not pay the commissions to be there. This is a positioning choice; the cost is slower brand growth.
For users who prefer a smaller, more technically transparent provider over the affiliate-listicle-dominant brands: Fexyn is appropriate. For users who require an audited no-logs claim today: ProtonVPN or Mullvad. We say so openly.
What to actually look for in a VPN
The framework that survives the marketing layer:
- Audited no-logs. Or at least a credible operational claim with publicly explained architecture.
- Open-source clients. Easier to verify what the client actually does.
- Kernel-level kill switch. Less leak risk than application-level.
- Modern protocols. WireGuard at minimum; Reality for censorship-resistance use cases.
- Reasonable jurisdiction. Not perfect. Less important than no-logs verification.
- Crypto payment option. Useful for trail-minimisation.
- Honest infrastructure disclosure. Bare metal vs rented; physical-vs-virtual server counts.
- Pricing transparency. Including auto-renewal practices and refund policies.
Apply this checklist to any VPN — including Fexyn. We score well on most, weakly on audit, and we say so.
Frequently asked
Who actually owns my VPN?
Look up the company of record in the privacy policy, then look at its parent company. The VPN you bought from "ExpressVPN" now belongs to Kape Technologies. The "NordVPN" you bought is part of Nord Security / Tesonet.
Are reviews of VPNs trustworthy?
Almost universally no, with rare exceptions: Privacy Guides, EFF guidance, and occasionally security-focused publications. The sites that dominate the "best VPN" SERP are commercial relationships, not journalism.
Why does every "best VPN" list include the same brands?
Affiliate commissions. The brands paying highest commissions appear in the most listicles. The brands not paying do not appear, even if they are technically better products.
Is Mullvad really better than NordVPN?
Different products. Mullvad: stronger no-logs auditing, fully open-source clients, Sweden jurisdiction, no marketing affiliate program, no dynamic pricing tricks. NordVPN: larger server fleet, more streaming server availability, more aggressive consumer marketing, lower price on Black Friday. Use case determines which is better.
Should I trust Fexyn given no audit?
That is a fair question. Audited providers (ProtonVPN, Mullvad) have stronger external verification. We are working toward that. Until then, our offer is the honest disclosure of what we do, an open-source helper service codebase, and a small enough operation that the trust model is "the company itself" rather than "an audited claim."
Try Fexyn free for 7 days — small operation, transparent pricing, honest about what we do not yet have. How to choose a VPN covers the buying framework; Five Eyes jurisdiction covers the jurisdiction-vs-logs question specifically.
Last reviewed 2026-05-09. Industry corporate structure evolves; specifics may have changed since publication.