VPN Infrastructure Exposed Who Really Runs Your VPN
pWho really runs your VPN and what that means for privacyppPublished April 7 2026 Updated April 9 2026ppAll data sourced from public BGP records Netify server databases
Team Cymru ASN lookups and national commercial registries This is a
living document that will be updated as research continuesppApril 8 2026 Edited to better clarify that ASN and PeeringDB data identifies which hosting companies operate network blocks and which facilities those companies use but cannot trace individual IPs to specific buildingsppApril 9 2026 Updated Hotspot Shield parent company from AuraPango to Point Wild reflecting the merger of Pango Group with Total Security and rebrand Expanded ownership consolidation section to include additional VPN brands owned by Ziff Davis McAfee and Point Wild Updated data sharing agreementsppVPN providers market themselves as independent services in
diverse jurisdictions This investigation asks a structural question
does the global VPN industrys physical infrastructure actually
reflect that diversity or does it concentrate in a small number of
hosting companies buildings and jurisdictions We traced the path
from VPN provider to hosting company to physical datacenter building
to building owner The findingsppThis analysis uses four layers of public datappCrossprovider overlap was measured by comparing 24 blocks If
two VPN providers have IPs within the same 24 block those IPs
are originated by the same ASN meaning they are on the same
network operators infrastructure This does not guarantee they
share the same physical server rack or even building as a 24
256 addresses can be subnetted across multiple locations by the
same operator Corporate ownership was verified through public
filings Wikipedia and commercial registriesppPlus 39 additional providers analyzed 8463 blocks each
PotatoVPN XVPN UrbanVPN ZoogVPN WLVPN VPN Unlimited
ThunderVPN HMA TorGuard TurboVPN Hola VPN AirVPN SlickVPN
GhostPath Browsec Speedify PrivateVPN TikVPN VyprVPN
AzireVPN FastestVPN VPN Lumos VPNSecure Anonine BoxPN
EasyHideVPN FrootVPN CryptoStorm OVPN OctoVPN Getflix
PrivadoVPN SSHOcean SecureVPN PureVPN AvastVPNppTotal 6429 unique 24 blocks across 50 providers 1723 of
these 27 are used by two or more providersppSource
Netify VPN server database April 2026
Parent company ownership from
Wikipedia Kape
Wikipedia NordVPN
Wikipedia IPVanish
and public filingsppBefore examining hosting infrastructure the provider list itself
reveals consolidation Of the 11 largest providersppFive parent companies control 8 of the 11 major VPN brands
analyzed plus numerous additional brands not in our dataset
Only Proton VPN Mullvad and Windscribe operate under
independent ownership Four of the five parent companies also
own publications that review VPN productsppSource
Toms Guide Who really owns your VPN
Wikipedia Tesonet
TechRadar KapeWebselenese acquisition
Wikipedia Ziff Davis
PR Newswire Pango GroupPoint Wild merger
Windscribe VPN relationship mapppAll 6429 unique 24 blocks resolved via Team Cymru ASN DNS
491 unique ASNs identified across 50 VPN providersppJurisdictional concentration excluding VPNowned
infrastructureppSource
Team Cymru IPtoASN DNS
Netify VPN database
ARIN
RIPE WHOIS
Analysis date April 67 2026ppAcross all 50 providers 1723 24 blocks 27 are shared by two
or more VPN providers 557 by 3 226 by 4 75 by 5 29 by 6
10 by 7 and 2 blocks by 8 providers simultaneously The top
pairwise overlaps from the 11 major providersppThe NordVPNSurfshark overlap 106 blocks and CyberGhostPIA
overlap 101 blocks are expected these are sister companies under
the same parent Nord Security and Kape Technologies respectively
The crossownership overlaps NordVPNProton 73 NordVPNWindscribe
70 SurfsharkProton 54 indicate shared thirdparty hosting
providersppThe mostshared blocks across all 50 providersppVPN providers market themselves as independent services operating
in privacyfriendly jurisdictions The infrastructure data tells a
different story Across 50 providers and 6429 network blocksppThe result is that providers who market different jurisdictions
different privacy policies and different corporate structures
converge on the same small group of hosting companies Proton VPN
marketed as Swiss privacy shares 24 blocks with NordVPN Panama
Surfshark Panama Mullvad Sweden Windscribe Canada and
Hotspot Shield USA all on Datacamp and M247 infrastructure in
the UK A user who switches VPN providers for jurisdictional reasons
may find their traffic exiting through the same datacenter facility
regardless of which provider they choose and as documented below
that rack may not be in the country the VPN claimsppThis analysis documents infrastructure concentration a small
number of hosting companies in a small number of datacenter
buildings in a small number of jurisdictions carry traffic for
the majority of commercial VPN providers This is a structural
observation about how the industry is built not an allegation
that any provider or hosting company has been compromisedppSeparately Snowdenera documents 2013 revealed the NSAs
Bullrun program and GCHQs Edgehill program both aimed at defeating
VPN encryption By 2010 GCHQ was unscrambling VPN traffic for 30
targets with a goal of 300 The disclosed methods included industry
relationships and infrastructure compromiseppThis investigation does not link the documented infrastructure
concentration to those programs It observes that the concentration
creates the structural conditions where a small number of access
points could cover a large fraction of global VPN traffic Whether
that concentration exists due to market economics which adequately
explains it or for other reasons the structural reality is the
sameppSource BullrunEdgehill
Wikipedia
ProPublica
M247 VPN hosting
m247globalcom
Datacamp bare metal
datapacketcomppThe hosting providers M247 Datacamp dont own the datacenter
buildings They rent rack space from datacenter operators PeeringDB
lists the facilities where M247 65 facilities and DatacampCDN77
91 facilities have a presence We cannot map specific VPN IPs to
specific buildings but we can identify who owns the buildings these
hosting companies operate fromppBuilding ownership was determined from PeeringDB facility names
eg Equinix DC1DC15 or Digital Realty Frankfurt FRA127 Two
US publicly traded real estate investment trusts Equinix NYSE
EQIX and Digital Realty NYSE DLR own 487 of the datacenter
facilities used by the VPN industrys two largest hosting providers
Both are US companies As facility operators they control physical
access to the buildings though colocation customers typically use
locked cages or racks with their own access controlspp51 of 156 VPNhosting facilities 327 Top shareholders
Vanguard Group BlackRock State Street 938 institutional
ownership Equinix maintains a
Government
Advisory Board whose members includeppEquinix acquired Terremark Federal Group bringing in 33 employees
with government security clearances Equinix operates
a
Federal
Government Solutions division with procurement contracts via
CarahsoftppSource
Equinix blog Gov Advisory Board
Equinix board of directors
Yahoo Finance EQIX holderspp25 of 156 VPNhosting facilities 160 Top shareholders
Vanguard Group 155 BlackRock Cohen Steers Norges Bank
Norwegian sovereign wealth fund State Street Board member
Kevin J Kennedy former Avaya CEO was appointed by
President Obama to the Presidents National Security
Telecommunications Advisory Committee in 2010ppSource
Digital Realty board
Yahoo Finance DLR holders
Wikipedia Kevin J Kennedy
NSTAC appointment confirmedppVanguard Group BlackRock and State Street are top shareholders
of both Equinix and Digital Realty These are the three largest
passive index fund managers in the world and hold major positions in
most publicly traded companies The common ownership is a structural
feature of modern capital markets not specific to the datacenter
industryppSource
PeeringDB M247 net906
65 facilities queried via API netfacnetid906
PeeringDB CDN77Datacamp net10839
91 facilities queried via API netfacnetid10839
Building ownership attributed from facility names in PeeringDB
records eg facilities named Equinix code attributed to
Equinix IncppVPN providers advertise servers in dozens of countries But the IP
addresss geolocation and the servers physical location are often
different Comparing IP geolocation data ipapicom against ASN
registration country Team Cymru for an evenly distributed sample
of 200 blocks from the 6429 totalppExamples from the datappWhen a user connects to VPN server in Nepal the traffic may
physically exit from a Datacamp server in a US or UK datacenter The
geolocation databases report Nepal because the IP range has been
geolocated there but the hardware the network and the legal
jurisdiction are in the hosting providers actual country of
operation An
XDA
investigation independently confirmed this practice across
multiple VPN providersppThis means the geographic diversity that VPN providers advertise
servers in 100 countries may overstate the actual physical
footprint A significant fraction of global VPN infrastructure
physically resides in a smaller number of countries where the
hosting providers operate datacentersppSource
ipapicom batch API
Team Cymru ASN DNS
200block sample from 6429 unique blocks
XDA investigation
independently confirmed virtual location practices
Analysis date April 7 2026ppASN registration country does not determine where servers
physically are M247 is registered in Romania but operates in 25
countries Datacamp is registered in the UK but has facilities in
40 countries PeeringDB facility data shows the actual datacenter
locations where M247 and Datacamp the two largest thirdparty VPN
hosts have physical equipmentppOf the 156 physical datacenter facilities used by M247 and
Datacamp 61 391 are in Five Eyes countries The US alone
accounts for 40 facilities 256 Every facility country has at
least one documented intelligence sharing agreement MLAT bilateral
alliance membership or EU framework For percountry surveillance
law details see the
CodaMail
Privacy Law DirectoryppSource PeeringDB facility data for
M247 and
CDN77Datacamp
data sharing frameworks from CodaMail Privacy Law Directory
Analysis date April 7 2026ppMapping the physical facilities of the five largest thirdparty
VPN hosting providers M247 DatacampCDN77 Clouvider DigitalOcean
Vultr via PeeringDB reveals 101 cities worldwide where VPN hosting
infrastructure exists Three cities host all five providers
simultaneouslyppIn Dallas 9 of 10 VPN hosting facilities are Equinix buildings
In Sydney all 7 are Equinix In Singapore all 5 are Equinix In
London 7 of 8 are Telehouse KDDI Japan The hosting companies
serving dozens of VPN brands operate from a small number of
buildings in each cityppSource PeeringDB facility API for
M247
Datacamp
Clouvider
DigitalOcean
Vultr
Building ownership from facility namesppThe sections above document infrastructure concentration The
sections below examine three ownership chains that stood out
during the investigationppKape Technologies owns three of the 11 major providers analyzed
ExpressVPN CyberGhost and Private Internet Access combined 663
24 blocks The ownership chainppSource
Wikipedia Kape Technologies
Wikipedia Teddy Sagi
CyberInsider KapeCrossrider
CyberInsider Kape VPN acquisitions
TorrentFreak Kape acquires review sitesppWLVPN is a whitelabel VPN service that provides infrastructure
for other companies to resell under their own brand The ownership
chainppWLVPNs infrastructure powers VPN services for 100 businesses
including StrongVPN OverPlay VPN Encryptme and VPNhub
Pornhubs VPN Ziff Davis also owns IGN PCMag Mashable and
other tech media properties that review VPN productsppSource
Wikipedia IPVanish
VPNpro 105 VPNs 24 companies
Top10VPN NetProtect acquisitionsppFive free VPN apps in our dataset PotatoVPN XVPN ThunderVPN
TurboVPN UrbanVPN share infrastructure heavily concentrated on
OVH and Scaleway French hosting The ownership chain for the
largest of these traces to Chinese stateaffiliated entitiesppThese apps have been downloaded over 86 million times across
iOS and Android A
Top10VPN
investigation documented the secretive Chinese ownership
structure A separate
Comparitech
investigation traced China and Russialinked VPNs on major app
storesppSource
Top10VPN Chinese ownership investigation
Security Affairs Chinese VPN companies
Malwarebytes Chinese militarylinked VPNsppAt the infrastructure level most commercial VPN services are not
independent of each other Brand competition happens at the marketing
layer different names different privacy policies different
jurisdictional claims At the network layer traffic from dozens of
competing providers runs on the same hosting companies operating
from the same datacenter facilities in the same cities The data does not
show that this infrastructure is compromised It shows that the
diversity VPN users believe they are purchasing largely does not
exist below the application layerppThis document will be updated as research continues The
X4BNet
VPN IP database tracks 10793 CIDR ranges across VPN providers
autoupdated via GitHub Actions and may be incorporated in future
analysisp
Team Cymru ASN lookups and national commercial registries This is a
living document that will be updated as research continuesppApril 8 2026 Edited to better clarify that ASN and PeeringDB data identifies which hosting companies operate network blocks and which facilities those companies use but cannot trace individual IPs to specific buildingsppApril 9 2026 Updated Hotspot Shield parent company from AuraPango to Point Wild reflecting the merger of Pango Group with Total Security and rebrand Expanded ownership consolidation section to include additional VPN brands owned by Ziff Davis McAfee and Point Wild Updated data sharing agreementsppVPN providers market themselves as independent services in
diverse jurisdictions This investigation asks a structural question
does the global VPN industrys physical infrastructure actually
reflect that diversity or does it concentrate in a small number of
hosting companies buildings and jurisdictions We traced the path
from VPN provider to hosting company to physical datacenter building
to building owner The findingsppThis analysis uses four layers of public datappCrossprovider overlap was measured by comparing 24 blocks If
two VPN providers have IPs within the same 24 block those IPs
are originated by the same ASN meaning they are on the same
network operators infrastructure This does not guarantee they
share the same physical server rack or even building as a 24
256 addresses can be subnetted across multiple locations by the
same operator Corporate ownership was verified through public
filings Wikipedia and commercial registriesppPlus 39 additional providers analyzed 8463 blocks each
PotatoVPN XVPN UrbanVPN ZoogVPN WLVPN VPN Unlimited
ThunderVPN HMA TorGuard TurboVPN Hola VPN AirVPN SlickVPN
GhostPath Browsec Speedify PrivateVPN TikVPN VyprVPN
AzireVPN FastestVPN VPN Lumos VPNSecure Anonine BoxPN
EasyHideVPN FrootVPN CryptoStorm OVPN OctoVPN Getflix
PrivadoVPN SSHOcean SecureVPN PureVPN AvastVPNppTotal 6429 unique 24 blocks across 50 providers 1723 of
these 27 are used by two or more providersppSource
Netify VPN server database April 2026
Parent company ownership from
Wikipedia Kape
Wikipedia NordVPN
Wikipedia IPVanish
and public filingsppBefore examining hosting infrastructure the provider list itself
reveals consolidation Of the 11 largest providersppFive parent companies control 8 of the 11 major VPN brands
analyzed plus numerous additional brands not in our dataset
Only Proton VPN Mullvad and Windscribe operate under
independent ownership Four of the five parent companies also
own publications that review VPN productsppSource
Toms Guide Who really owns your VPN
Wikipedia Tesonet
TechRadar KapeWebselenese acquisition
Wikipedia Ziff Davis
PR Newswire Pango GroupPoint Wild merger
Windscribe VPN relationship mapppAll 6429 unique 24 blocks resolved via Team Cymru ASN DNS
491 unique ASNs identified across 50 VPN providersppJurisdictional concentration excluding VPNowned
infrastructureppSource
Team Cymru IPtoASN DNS
Netify VPN database
ARIN
RIPE WHOIS
Analysis date April 67 2026ppAcross all 50 providers 1723 24 blocks 27 are shared by two
or more VPN providers 557 by 3 226 by 4 75 by 5 29 by 6
10 by 7 and 2 blocks by 8 providers simultaneously The top
pairwise overlaps from the 11 major providersppThe NordVPNSurfshark overlap 106 blocks and CyberGhostPIA
overlap 101 blocks are expected these are sister companies under
the same parent Nord Security and Kape Technologies respectively
The crossownership overlaps NordVPNProton 73 NordVPNWindscribe
70 SurfsharkProton 54 indicate shared thirdparty hosting
providersppThe mostshared blocks across all 50 providersppVPN providers market themselves as independent services operating
in privacyfriendly jurisdictions The infrastructure data tells a
different story Across 50 providers and 6429 network blocksppThe result is that providers who market different jurisdictions
different privacy policies and different corporate structures
converge on the same small group of hosting companies Proton VPN
marketed as Swiss privacy shares 24 blocks with NordVPN Panama
Surfshark Panama Mullvad Sweden Windscribe Canada and
Hotspot Shield USA all on Datacamp and M247 infrastructure in
the UK A user who switches VPN providers for jurisdictional reasons
may find their traffic exiting through the same datacenter facility
regardless of which provider they choose and as documented below
that rack may not be in the country the VPN claimsppThis analysis documents infrastructure concentration a small
number of hosting companies in a small number of datacenter
buildings in a small number of jurisdictions carry traffic for
the majority of commercial VPN providers This is a structural
observation about how the industry is built not an allegation
that any provider or hosting company has been compromisedppSeparately Snowdenera documents 2013 revealed the NSAs
Bullrun program and GCHQs Edgehill program both aimed at defeating
VPN encryption By 2010 GCHQ was unscrambling VPN traffic for 30
targets with a goal of 300 The disclosed methods included industry
relationships and infrastructure compromiseppThis investigation does not link the documented infrastructure
concentration to those programs It observes that the concentration
creates the structural conditions where a small number of access
points could cover a large fraction of global VPN traffic Whether
that concentration exists due to market economics which adequately
explains it or for other reasons the structural reality is the
sameppSource BullrunEdgehill
Wikipedia
ProPublica
M247 VPN hosting
m247globalcom
Datacamp bare metal
datapacketcomppThe hosting providers M247 Datacamp dont own the datacenter
buildings They rent rack space from datacenter operators PeeringDB
lists the facilities where M247 65 facilities and DatacampCDN77
91 facilities have a presence We cannot map specific VPN IPs to
specific buildings but we can identify who owns the buildings these
hosting companies operate fromppBuilding ownership was determined from PeeringDB facility names
eg Equinix DC1DC15 or Digital Realty Frankfurt FRA127 Two
US publicly traded real estate investment trusts Equinix NYSE
EQIX and Digital Realty NYSE DLR own 487 of the datacenter
facilities used by the VPN industrys two largest hosting providers
Both are US companies As facility operators they control physical
access to the buildings though colocation customers typically use
locked cages or racks with their own access controlspp51 of 156 VPNhosting facilities 327 Top shareholders
Vanguard Group BlackRock State Street 938 institutional
ownership Equinix maintains a
Government
Advisory Board whose members includeppEquinix acquired Terremark Federal Group bringing in 33 employees
with government security clearances Equinix operates
a
Federal
Government Solutions division with procurement contracts via
CarahsoftppSource
Equinix blog Gov Advisory Board
Equinix board of directors
Yahoo Finance EQIX holderspp25 of 156 VPNhosting facilities 160 Top shareholders
Vanguard Group 155 BlackRock Cohen Steers Norges Bank
Norwegian sovereign wealth fund State Street Board member
Kevin J Kennedy former Avaya CEO was appointed by
President Obama to the Presidents National Security
Telecommunications Advisory Committee in 2010ppSource
Digital Realty board
Yahoo Finance DLR holders
Wikipedia Kevin J Kennedy
NSTAC appointment confirmedppVanguard Group BlackRock and State Street are top shareholders
of both Equinix and Digital Realty These are the three largest
passive index fund managers in the world and hold major positions in
most publicly traded companies The common ownership is a structural
feature of modern capital markets not specific to the datacenter
industryppSource
PeeringDB M247 net906
65 facilities queried via API netfacnetid906
PeeringDB CDN77Datacamp net10839
91 facilities queried via API netfacnetid10839
Building ownership attributed from facility names in PeeringDB
records eg facilities named Equinix code attributed to
Equinix IncppVPN providers advertise servers in dozens of countries But the IP
addresss geolocation and the servers physical location are often
different Comparing IP geolocation data ipapicom against ASN
registration country Team Cymru for an evenly distributed sample
of 200 blocks from the 6429 totalppExamples from the datappWhen a user connects to VPN server in Nepal the traffic may
physically exit from a Datacamp server in a US or UK datacenter The
geolocation databases report Nepal because the IP range has been
geolocated there but the hardware the network and the legal
jurisdiction are in the hosting providers actual country of
operation An
XDA
investigation independently confirmed this practice across
multiple VPN providersppThis means the geographic diversity that VPN providers advertise
servers in 100 countries may overstate the actual physical
footprint A significant fraction of global VPN infrastructure
physically resides in a smaller number of countries where the
hosting providers operate datacentersppSource
ipapicom batch API
Team Cymru ASN DNS
200block sample from 6429 unique blocks
XDA investigation
independently confirmed virtual location practices
Analysis date April 7 2026ppASN registration country does not determine where servers
physically are M247 is registered in Romania but operates in 25
countries Datacamp is registered in the UK but has facilities in
40 countries PeeringDB facility data shows the actual datacenter
locations where M247 and Datacamp the two largest thirdparty VPN
hosts have physical equipmentppOf the 156 physical datacenter facilities used by M247 and
Datacamp 61 391 are in Five Eyes countries The US alone
accounts for 40 facilities 256 Every facility country has at
least one documented intelligence sharing agreement MLAT bilateral
alliance membership or EU framework For percountry surveillance
law details see the
CodaMail
Privacy Law DirectoryppSource PeeringDB facility data for
M247 and
CDN77Datacamp
data sharing frameworks from CodaMail Privacy Law Directory
Analysis date April 7 2026ppMapping the physical facilities of the five largest thirdparty
VPN hosting providers M247 DatacampCDN77 Clouvider DigitalOcean
Vultr via PeeringDB reveals 101 cities worldwide where VPN hosting
infrastructure exists Three cities host all five providers
simultaneouslyppIn Dallas 9 of 10 VPN hosting facilities are Equinix buildings
In Sydney all 7 are Equinix In Singapore all 5 are Equinix In
London 7 of 8 are Telehouse KDDI Japan The hosting companies
serving dozens of VPN brands operate from a small number of
buildings in each cityppSource PeeringDB facility API for
M247
Datacamp
Clouvider
DigitalOcean
Vultr
Building ownership from facility namesppThe sections above document infrastructure concentration The
sections below examine three ownership chains that stood out
during the investigationppKape Technologies owns three of the 11 major providers analyzed
ExpressVPN CyberGhost and Private Internet Access combined 663
24 blocks The ownership chainppSource
Wikipedia Kape Technologies
Wikipedia Teddy Sagi
CyberInsider KapeCrossrider
CyberInsider Kape VPN acquisitions
TorrentFreak Kape acquires review sitesppWLVPN is a whitelabel VPN service that provides infrastructure
for other companies to resell under their own brand The ownership
chainppWLVPNs infrastructure powers VPN services for 100 businesses
including StrongVPN OverPlay VPN Encryptme and VPNhub
Pornhubs VPN Ziff Davis also owns IGN PCMag Mashable and
other tech media properties that review VPN productsppSource
Wikipedia IPVanish
VPNpro 105 VPNs 24 companies
Top10VPN NetProtect acquisitionsppFive free VPN apps in our dataset PotatoVPN XVPN ThunderVPN
TurboVPN UrbanVPN share infrastructure heavily concentrated on
OVH and Scaleway French hosting The ownership chain for the
largest of these traces to Chinese stateaffiliated entitiesppThese apps have been downloaded over 86 million times across
iOS and Android A
Top10VPN
investigation documented the secretive Chinese ownership
structure A separate
Comparitech
investigation traced China and Russialinked VPNs on major app
storesppSource
Top10VPN Chinese ownership investigation
Security Affairs Chinese VPN companies
Malwarebytes Chinese militarylinked VPNsppAt the infrastructure level most commercial VPN services are not
independent of each other Brand competition happens at the marketing
layer different names different privacy policies different
jurisdictional claims At the network layer traffic from dozens of
competing providers runs on the same hosting companies operating
from the same datacenter facilities in the same cities The data does not
show that this infrastructure is compromised It shows that the
diversity VPN users believe they are purchasing largely does not
exist below the application layerppThis document will be updated as research continues The
X4BNet
VPN IP database tracks 10793 CIDR ranges across VPN providers
autoupdated via GitHub Actions and may be incorporated in future
analysisp
