Why most VPN rankings can't be trusted
On sites like PCMag, TechRadar or dozens of other "review portals", the same names keep appearing at the top: NordVPN, Surfshark, ExpressVPN, CyberGhost. The reason is rarely quality — it's money. These providers pay affiliate commissions of up to 40% on every referral. Someone buying NordVPN through a comparison site earns that site up to $30 in commission.
Mullvad, IVPN and AirVPN run no active affiliate programme. They rarely appear in YouTube sponsorships or at the top of comparison sites — not because they're worse, but because they pay less.
No affiliate links, no commissions. All information on pricing, audits, data disclosures and ownership is backed by publicly available sources. Current as of March 2026.
The conglomerate problem: who owns which VPNs?
The VPN market looks more diverse than it actually is. Behind seemingly independent providers often sit the same conglomerates — with all the consequences for trust and privacy.
A VPN works exclusively through trust. You route all your unencrypted internet traffic through a company's servers. That company can — technically speaking — see everything your browser, apps and operating system send to the internet. You're trusting it not to store, sell or hand over any of that data to authorities.
Audits can verify whether something is being stored today. They cannot guarantee what will happen tomorrow. What an audit can never check: whether the company's owner has a financial interest in monetising your data.
Kape Technologies originally made its money building browser extensions that buried users in advertising — without their knowledge. The business model was: observe and exploit user behaviour. In 2018 the company was rebranded. The leadership remains the same. They now own four of the most widely used VPN services in the world — and the portals where you go to find reviews of those VPNs. This is not a technical problem. It is a structural trust problem. And no audit in the world can certify that away.
NordVPN and Surfshark merged in February 2022 under the joint holding company "Cyberspace B.V." based in the Netherlands. Both brands operate technically independently, but belong to the same conglomerate. Source: NordVPN Blog
Independent providers with no parent conglomerate as of now: Mullvad, ProtonVPN, IVPN, Windscribe and AirVPN.
Comparison table: all 9 providers
All information researched and sourced, as of March 2026. Prices refer to the monthly cost on an annual plan unless stated otherwise.
| Provider | HQ / Jurisdiction | Eyes membership | Owner | Price/month | No-log audit | RAM servers | Open source | Anon. payment | Data disclosure |
|---|---|---|---|---|---|---|---|---|---|
| Mullvad | Sweden 🇸🇪 | 14-Eyes | Independent | €5 | ✓ Multiple | ✓ Yes | ✓ Yes | ✓ Cash, Monero | None (2023 raid: nothing found) |
| ProtonVPN | Switzerland 🇨🇭 | Outside | Proton AG (non-profit) | from €3.99/mo (annual) | ✓ Annual | ✓ Yes | ✓ Yes | Bitcoin (with Proton account) | IP logging on court order (2021, ProtonMail case) |
| IVPN | Gibraltar 🇬🇮 | Outside | Private (openly disclosed) | from $5/mo (annual) | ✓ Annual (Cure53) | Partial | ✓ Yes | ✓ Bitcoin, Monero, cash | None known |
| Windscribe | Canada 🇨🇦 | 5-Eyes | Private (independent) | from $5.75/mo (annual) | Limited | ✓ Since 2021 | ✓ Yes | Bitcoin | 2021 server incident (key exposed, resolved) |
| AirVPN | Italy 🇮🇹 | 14-Eyes | Private, activist-run | from €4.08/mo (annual) | Limited | Not explicit | ✓ Yes (Eddie client) | ✓ Bitcoin, Monero, 20+ cryptocurrencies | None known |
| NordVPN | Panama 🇵🇦 (Nord Security: NL) | Outside | Nord Security (merged with Surfshark) | from €3.09/mo (2-year) | ✓ Deloitte, annual | ✓ Yes (7,800+ servers) | No | Credit card / limited | Server breach 2018 · 2024 warrant: account data only |
| Surfshark | Netherlands 🇳🇱 | 9-Eyes | Nord Security (merged 2022) | from €1.99/mo (2-year) | ✓ Cure53 (2022, 2023) | ✓ Yes | No | Limited | TunnelCrack vulnerability 2023 (patched) |
| ExpressVPN | British Virgin Islands 🇻🇬 | Outside | Kape Technologies | from €3.49/mo (annual) | ✓ 18 audits | ✓ TrustedServer | Partial (Lightway) | Credit card / limited | Turkey server raid 2017 (no data found) · ex-employee UAESG case 2021 |
| CyberGhost | Romania 🇷🇴 | Outside | Kape Technologies | from €2.19/mo (2-year) | Deloitte 2022 (outdated) | ✓ Yes | No | Limited | Kape conglomerate structure (formerly Crossrider/adware) |
Sources: Mullvad Logging Policy · NordVPN Transparency Report · Kape Technologies Wikipedia · Nord/Surfshark merger · Kape VPN ownership
Providers in detail
Mullvad is the most private VPN on the market. No account with an email address — just a randomly generated 16-digit account number. No annual discount tricks, no upselling. One price only: €5 per month, unchanged since 2009. Payment by cash (in an envelope by post), Monero, Bitcoin or credit card.
ProtonVPN comes from the same CERN scientists as ProtonMail — one of Europe's strongest privacy brands. Swiss law, no US influence, annual audits by Securitum. Free tier available with no data limit (with restrictions).
Free tier available
IVPN is less well known than Mullvad but follows the same philosophy: no email account required, anonymous payment, annual security audits by Cure53, transparent ownership. Standout feature: multi-hop connections through multiple servers for additional anonymity (on Pro plan).
Windscribe is an independent Canadian provider with a generous free plan (10 GB/month), unlimited simultaneous connections and unusually transparent communication. The biggest issue: Canada is a 5-Eyes member. In 2021 a server incident occurred, but it was openly disclosed and fully resolved.
Free tier (10 GB/month)
AirVPN has been run since 2010 by activists and hacktivists who regard net neutrality and freedom from censorship as their core mission. The open-source client "Eddie" offers extreme configurability — for advanced users. No streaming optimisation, no beginner-friendly interface, but no known data disclosures and 20+ cryptocurrencies as payment methods.
NordVPN is technically solid — regular Deloitte audits, RAM-only servers, Panama jurisdiction. The issues: in 2018 a Finnish server was compromised (disclosed only in 2019). In 2024 NordVPN handed over account data under a Panamanian prosecutor's order. Since the merger with Surfshark in 2022 both are under Nord Security. No open-source client.
October 2024: Panamanian prosecutor issued a binding order. NordVPN handed over account data only (email, payment confirmation) — no traffic logs, as none exist. (Source: NordVPN Transparency Report)
Surfshark is the cheapest premium VPN on the market and offers unlimited simultaneous connections. Part of Nord Security since February 2022 — the same conglomerate as NordVPN. Based in the Netherlands (9-Eyes member). In 2023 the TunnelCrack vulnerability was discovered and quickly patched.
ExpressVPN was long the dominant VPN — technically strong, with its own "TrustedServer" RAM system and 18 independent audits. Since 2021 it has belonged for $936 million to Kape Technologies (formerly Crossrider). The core problem: you're trusting a VPN with your entire internet traffic. Kape originally made its money analysing user behaviour without their knowledge and monetising it with advertising. Today they own four VPN services and the "independent" review portals that recommend them. No audit can resolve the structural trust problem that creates.
2017: Turkish authorities seized servers — no user data found (positive).
2021: A former ExpressVPN executive was identified as a UAESG agent who had carried out surveillance activities for the United Arab Emirates — no direct link to VPN infrastructure, but a warning signal about corporate culture. (Source: The Register)
CyberGhost is the cheapest Kape VPN, aimed at beginners, and with 11,600+ servers has one of the largest networks of any provider. It works technically. But: using CyberGhost means trusting Kape Technologies with your entire internet traffic — the same company that under the name Crossrider made money from adware and browser manipulation, that owns the "independent" review portals VPNMentor and Wizcase, and that now holds four VPN brands under one roof. Also: the last no-log audit by Deloitte dates from 2022 — the industry standard treats 24 months as the expiry date for audit claims.
Outdated audit: Last no-log audit by Deloitte from 2022 — the industry treats 24 months as the expiry date for audit claims.
2023: Security researchers discovered a vulnerability in the CyberGhost client but had considerable difficulty getting a response from the Kape security team. Eventually patched quietly. (Source: Windscribe Blog on Kape)
Editorial verdict
For maximum anonymity: Mullvad. No other provider combines anonymous account creation, cash payment, RAM-only servers, repeatedly verified audits and a real-world stress test by a police raid (2023, no results found).
For most users: ProtonVPN. Swiss jurisdiction, free tier with no data limit, open source, annual audits, trusted brand with a long track record. If you need more convenience and streaming than Mullvad offers, this is the right choice.
For advanced users focused on anonymity: IVPN. Similar philosophy to Mullvad, with a multi-hop option for additional security layers. Slightly more expensive, smaller network.
For beginners on a tight budget: Windscribe (with awareness of the 5-Eyes issue) or conditionally NordVPN (known incident history, but transparent handling of it).
Not recommended for privacy needs: ExpressVPN and CyberGhost due to Kape Technologies ownership and the Crossrider history. Both work technically — but anyone entrusting their internet connection to a VPN should know who owns the company.
A VPN hides your IP address and encrypts traffic between you and the VPN server. It does not make you anonymous to websites that identify you via cookies, browser fingerprinting or logged-in accounts. It does not protect against malware. It does not make illegal activity legal. It is a tool — not a cure-all.