One Company Owns Your VPN, Your Backup VPN, and the Website That Told You to Use Both
Tue, Mar 10, 2026
In September 2021, the U.S. Department of Justice announced charges against three former American intelligence operatives who had built surveillance tools for the United Arab Emirates.
Zero-click exploits. Remote device takeover. Credential harvesting. Tools used to spy on journalists, human rights activists, and political dissidents.
One of those three operatives was the Chief Information Officer of ExpressVPN.
The DOJ announcement came one day after ExpressVPN was sold for $936 million.
The buyer was a company called Kape Technologies.
You've probably never heard of Kape Technologies, but you've definitely heard of their products.
Table of Contents
1 The Company That Owns Your Privacy VPN
2 What Crossrider Was (Adware With a Corporate Face)
3 The Acquisition Spree (Three VPNs, One Owner)
4 The Review Sites They Also Own
5 The ExpressVPN CIO Who Built Spy Tools for the UAE
6 PIA: The Court-Tested No-Logs Policy That Got Sold to the Adware Company
7 CyberGhost: The Policy Contradiction.
8 Sources
9 FAQ: The Counterarguments, Addressed
The Company That Owns Your "Privacy" VPN
Open any privacy forum. Watch any privacy YouTuber. Read any best VPN comparison article.
You will see these names:
ExpressVPN
Private Internet Access
CyberGhost
Recommended separately. Reviewed independently. Priced differently. Branded differently. Positioned as competitors.
They are all owned by Kape Technologies.
Before Kape was Kape, it was Crossrider.
And before it was selling you privacy software, it was selling something else entirely.
What Crossrider Was
Crossrider launched in 2011 as a browser extension development platform.
The business model was simple. Developers used Crossrider's toolkit to build browser extensions. Those extensions were distributed through freeware bundles and download portals. When users installed free software, they got the extensions too, whether they asked for them or not.
What did the extensions do?
Injected advertisements directly into webpages
Modified browser settings without explicit consent
Installed tracking scripts
Persisted across browser sessions
Security vendors didn't call this a privacy product. They called it adware.
The detection name:
Malwarebytes blocks Adware.CrossRider
PUP stands for Potentially Unwanted Program. It's the industry's polite way of saying: software that ends up on your machine without your understanding and does things you didn't ask for.
In 2015, a joint study by Google and UC Berkeley researchers analyzed the ad-injection ecosystem, the infrastructure used to inject unauthorized advertising into users' browsers. The study identified Crossrider as one of several extension frameworks used in that ecosystem.
In March 2018, Crossrider announced a strategic pivot. They were exiting the advertising extension business. They were rebranding. The company's own leadership acknowledged the rebrand was partly to escape the associations with their earlier activities.
The new name: Kape Technologies.
And then they started buying VPNs.
The Acquisition Spree
The timeline is worth reading slowly.
Four VPN brands. One owner. A combined user base in the tens of millions.
And every single one of these brands continues to market itself as an independent privacy service.
None of the marketing pages lead with "owned by the company formerly known for adware infrastructure."
None of the comparison articles discloses that when they recommend both ExpressVPN and CyberGhost as alternatives to each other, they're recommending two subsidiaries of the same corporation.
When the PIA acquisition was announced in November 2019, the privacy community reacted immediately:
"PIA is potentially dead. Pending acquisition by an adware company."
"When you research Crossrider (now Kape) you find numerous articles about Crossrider malware and adware."
When the ExpressVPN acquisition was announced in September 2021, the framing was the same:
"Former Malware Distributor Kape Technologies Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN Review Websites."
Notice that last part.
A collection of VPN review websites.
The Review Sites They Also Own
In March 2021, six months before buying ExpressVPN, Kape Technologies purchased a company called Webselenese for approximately $149 million.
Webselenese operated three of the most-visited VPN review properties on the internet:
vpnMentor
Wizcase
SafetyDetectives
Millions of monthly visitors. Millions of users making VPN purchasing decisions based on rankings published on these sites.
After the acquisition, researchers analyzing the rankings found Kape-owned VPNs appearing prominently at the top of "Best VPN" recommendation lists on the same sites Kape now owned. Some reports noted competitor VPNs dropped in ranking or disappeared from lists entirely after the acquisition.
The ownership disclosure exists on these sites.
It is not in the headline. It is not in the review. It is behind a small link that most users never click.
So here is what the full Kape ecosystem looks like, drawn out completely:
Kape owns the VPNs. Kape owns the websites that review the VPNs. Those websites recommend the VPNs Kape owns. The connection between reviewer and reviewed is disclosed in small print.
When your favorite privacy website tells you ExpressVPN is the top-rated VPN and CyberGhost is the runner-up, there is a chance you are reading a Kape subsidiary recommending Kape subsidiaries.
The ExpressVPN CIO Who Built Spy Tools for the UAE
Daniel Gericke joined ExpressVPN as Chief Information Officer in December 2019.
ExpressVPN knew his background when they hired him. They said so publicly. They called it an asset.
Here is the background they knew:
Gericke was one of three former U.S. intelligence and military personnel who worked on Project Raven, a covert cyber-operations program run by the United Arab Emirates.
What Project Raven built:
1 KARMA: a zero-click surveillance exploit capable of compromising iPhones without any user interaction
2 Remote device takeover tools
3 Credential harvesting systems that extracted login tokens, messages, and authentication data
4 Infrastructure designed to access devices and accounts without the target's knowledge
Who those tools were used against:
1 Journalists
2 Human rights activists
3 Political opponents of the UAE government
4 Rival governments
In September 2021, the DOJ announced a Deferred Prosecution Agreement. Gericke and two others admitted to violations related to U.S. hacking laws and export control regulations (ITAR). The three defendants paid a combined $1.6 million. Gericke personally paid $335,000. They forfeited their security clearances. They accepted restrictions on future offensive cyber operations work. They agreed to cooperate with the FBI.
The DOJ announcement: September 14, 2021. Kape announced the $936 million acquisition of ExpressVPN: September 13, 2021.
One day apart.
ExpressVPN's official response was not an apology. It was a defense:
"We've known the key facts relating to Daniel's employment history since before we hired him… his history and expertise made him an invaluable hire."
And: "We do not condone Project Raven."
They hired the man. They kept him after the DOJ announcement. They defended the decision publicly. They said his expertise in building offensive surveillance tools made him invaluable for defending their users.
Edward Snowden, the person whose revelations about mass surveillance motivated the entire modern privacy software industry, publicly criticized the hiring and advised users to reconsider trusting the service.
The VPN built on the promise of protecting journalists and activists hired and defended an executive who previously worked on tools later reported to have been used against journalists and activists.
PIA: The Court-Tested No-Logs Policy That Got Sold to the Adware Company
Before November 2019, Private Internet Access had one of the strongest credibility stories in the VPN industry.
In 2016, U.S. federal investigators subpoenaed PIA for user activity logs as part of a criminal investigation. PIA's response was simple: there were no logs to hand over. Investigators got nothing. The architecture made compliance impossible because the data didn't exist.
That is the gold standard. Not a transparency report. Not a quarterly PDF. A real subpoena, a real investigation, and a documented result that proved the no-logs claim wasn't marketing.
Then November 2019 happened.
Kape Technologies, the company that changed its name from Crossrider and whose previous product was flagged across four major antivirus vendors as adware, bought PIA.
After the acquisition, PIA commissioned audits. They updated their privacy policy. They posted public statements saying nothing had changed from a data retention standpoint. Their official policy now reads: "neither PIA nor anyone at Kape Technologies logs or stores substantive personal data."
Note the phrasing.
The policy now needs a sentence specifically about Kape. That sentence didn't need to exist before Kape was the owner. Its presence is the acknowledgment that users needed reassurance because the question was now reasonable enough to address directly.
The 2016 subpoena proved PIA's architecture under the previous ownership.
It proved nothing about Kape's intentions under the current one.
And the audits commissioned after the acquisition are audits commissioned by Kape. The independence of the auditor doesn't change who hired them, who received the results first, and who decided what to make public.
CyberGhost: The Policy Contradiction They Hide in Plain Sight
CyberGhost is the oldest Kape acquisition. Under Kape ownership since 2017. The flagship product of the whole operation.
Before we get to the policy, look at their X account header banner.
Four words, large text, official verified account: "Stay 100% Anonymous."
With CyberGhost VPN.
Now open CyberGhost's own FAQ page. First question in the section. Their own words, their own website:
"No VPN service can make you 100% anonymous online. In fact, there's no software application that can guarantee such a thing."
Same company on different platforms. Two completely opposite claims.
Their social media banner promises the thing their own FAQ explicitly says no VPN can deliver. They are simultaneously running the marketing claim and publishing the disclaimer that destroys it. Most users see the banner. Almost none read the FAQ.
And it gets better. The same FAQ entry that says 100% anonymity is impossible also says:
"You can even pay anonymously for CyberGhost VPN using Bitcoin via BitPay. The only information you need to provide is an email address."
Two problems in one sentence.
Bitcoin is not anonymous. Bitcoin has a public, permanent, fully traceable blockchain. Every transaction is visible to anyone who looks. Chainalysis and Elliptic have built entire companies around tracing Bitcoin for law enforcement. The FBI has used blockchain analysis to recover millions from ransomware operators by following the ledger. Paying with Bitcoin doesn't hide you. It creates a permanent on-chain record tied to a wallet that can be traced.
And the email address they require? That is an identifier. Depending on how it was created, it links to an IP address, a device, a name, or a phone number. "The only information you need to provide" is framed as reassurance. It's actually an admission that they collect a piece of identifying information from every user, including those paying with a supposedly anonymous method.
So their answer to "how do I pay anonymously" is: use the surveillance coin and give us your email.
Now the policy. Their marketing is absolute:
"We do NOT track user traffic… browsing history, traffic destination, data content, IP addresses or DNS queries."
"We are NOT storing connection logs… no logs tied to your IP address, connection timestamp or session duration."
Now read the data collection section of that same privacy policy.
Under "Non-personal Data," CyberGhost lists what they actually collect:
1 Device type and OS version
2 Screen resolution
3 Google Advertising ID
4 Connectivity type and mobile provider
5 Referring website
6 Device metadata
Google Advertising ID.
That identifier was created for one purpose: to track users across apps and services for advertising targeting. A company whose parent built browser ad-injection infrastructure is collecting the identifier that advertising networks use to follow you around the internet, categorizing it as "non-personal data," and placing it in the same policy that opens with absolute no-logs marketing.
Some audit reports are not fully publicly accessible. The 2022 Deloitte audit is available only on request. The 2024 Deloitte audit is available only inside the paid user dashboard; you have to already be a paying customer to read what the audit of your paid service found.
Their no-logs claim has never been court-tested. No raid or subpoena. No result documented outside their own quarterly reports. Their transparency reports show zero disclosures across hundreds of thousands of quarterly requests. That's consistent with their claims. It's also a document CyberGhost wrote about CyberGhost.
The real claim isn't "we log nothing."
It's "we don't log what's inside the tunnel."
Their X banner says 100% anonymous. Their FAQ says 100% anonymous is impossible. Their policy collects your advertising ID. Their "anonymous" payment option requires an email and uses a traceable coin.
Saying four different things on four different pages and hoping you never read more than one of them.
Sources
ExpressVPN / Project Raven
U.S. Department of Justice - Deferred Prosecution Agreement announcement, September 2021
Cybernews - Daniel Gericke fined $335,000 for cyber surveillance
Security Affairs - Edward Snowden warns ExpressVPN users
TechRadar - Kape acquires ExpressVPN, $936 million, September 2021
Kape / Crossrider
Malwarebytes threat database - PUP.Optional.CrossRider
Trend Micro - Adware.CrossRider detection records
Google + UC Berkeley, 2015 - ad-injection ecosystem research paper
Kape Technologies rebrand announcement, March 2018
Webselenese / Review Sites
CyberInsider - Kape Technologies owns ExpressVPN, CyberGhost, PIA, and VPN review sites
CyberInsider - VPN review websites owned by VPNs
Kape acquires Webselenese, ~$149 million, March 2021
PIA
Federal subpoena outcome, 2016 - reported across multiple tech outlets
Kape acquisition of PIA, November 2019
PIA Privacy Policy - privateinternetaccess.com/privacy-policy
TechRadar - PIA Deloitte audit, 2022
CyberGhost
CyberGhost Privacy Policy - cyberghostvpn.com/privacypolicy
CyberGhost Audit Reports in User Account - CyberGhost
Community reactions
Reddit r/VPN - ExpressVPN CIO Project Raven thread, September 2021
Reddit - Kape Technologies ownership thread, October 2021
Reddit r/Privacy - VPN review sites owned by VPNs thread
https://windscribe.com/blog/what-is-kape-technologies/
FAQ: The Counterarguments, Addressed
"Kape cleaned up its act. The rebrand was genuine."
The rebrand happened in March 2018. By November 2019, Kape had purchased a VPN. By September 2021, they'd spent $936 million buying another one. The cleanup lasted approximately eighteen months before they pivoted into selling privacy to the same users their previous tools tracked. Rebranding is not accountability. It's a new logo. The executives who ran Crossrider are the executives who ran Kape. The rebrand didn't come with a third-party audit of past practices or restitution for users who had adware installed without meaningful consent, just a press release and a pivot deck.
"Daniel Gericke left ExpressVPN. The issue is resolved."
His departure doesn't change the fact that ExpressVPN hired him knowing his background, defended the decision publicly after DOJ charges were announced, and described his surveillance expertise as making him invaluable. A company's response to a scandal tells you who they are. ExpressVPN's response was to stand behind the hire. The departure came after sustained public pressure. Cleaning up after the coverage is not the same as having made a different decision in the first place.
"Security companies hire ex-hackers all the time. Isn't this just rehabilitation?"
The cybersecurity industry sometimes hires people with unusual backgrounds, and that can be valuable. But this situation is different. Gericke was not a teenage hacker who broke into systems and later changed his ways. He was a professional contractor who built zero-click surveillance tools for a foreign government's intelligence program. These tools were used against journalists and political dissidents. There is a clear difference between someone who learned hacking on their own and someone paid by a government to create spyware aimed at the press and civil society. ExpressVPN did not hire him in spite of this background. Their own statement said his experience made him invaluable. It's not rehab. That's basically hiring someone specifically for those skills.
"The review sites disclose ownership."
In small print. Behind a link. After the ranking list that most users take at face value. Disclosure that requires users to actively seek it out is not functionally different from non-disclosure for the majority of readers. If vpnMentor's top recommendation is a Kape product and the ownership connection requires clicking a footnote to discover, the default user experience is an undisclosed conflict of interest. The technical existence of a disclosure doesn't make this acceptable.
"The 2016 PIA subpoena proves the architecture works."
It proves the architecture worked in 2016, under the previous ownership, designed and operated by people with no known history in adware or surveillance software. Architecture is only as trustworthy as the people who built it, maintain it, and have access to it. The subpoena result is real and it matters. It proves something about PIA's technical design before the acquisition. It proves nothing about Kape's intentions or about what has or hasn't changed since.
"No users have been identified through Kape VPN data."
Correct. There is no confirmed logging scandal tied to any Kape-owned VPN. The argument is not that Kape is actively logging users today. The argument is that the corporate history, the review site conflicts, the Project Raven hiring decision, and the CyberGhost telemetry collection create a trust problem that users deserve to understand before making decisions. "We haven't been caught" is not a privacy guarantee.
"Every company has a complicated history."
Crossrider's history is specifically and technically relevant. The company built infrastructure to inject content into users' browsers without meaningful consent and monetized browsing behavior. That is the exact inverse of what a VPN is supposed to do. When the same corporate entity pivots from one business to another, the history is the most relevant fact about who is now holding the keys to your traffic.
"Independent audits verify the no-logs claims."
Audits verify configuration at a specific moment in time, on the servers the auditors examined within the scope of their engagement. They do not provide continuous monitoring. They do not verify what happens outside the VPN tunnel: account metadata, payment records, app telemetry. In CyberGhost's case, the full audit reports are not publicly accessible, meaning outside observers cannot evaluate the scope, methodology, or limitations of what was actually reviewed.
"CyberGhost's FAQ admits no VPN can give 100% anonymity. That's honest disclosure."
Their FAQ says it. Their verified X account banner simultaneously says the opposite — "Stay 100% Anonymous using CyberGhost VPN." Those two statements exist on the same day, on two platforms they control. The FAQ disclaimer is not honest disclosure. It's legal cover buried where users rarely look, while the marketing banner making the impossible promise is the first thing a potential customer sees. Burying the contradiction in the FAQ while running the opposite claim as your social media header is not transparency. It's having it both ways and hoping the banner does its job before the FAQ undoes it.
"Bitcoin payments are private enough."
Bitcoin has a public, permanent, fully traceable blockchain. Every transaction is visible to anyone who looks. Law enforcement agencies routinely use blockchain analysis firms like Chainalysis to trace Bitcoin payments. The FBI has recovered millions from ransomware operators by following the ledger. CyberGhost's FAQ calls Bitcoin an anonymous payment option while also requiring an email address to complete the purchase. An email address is an identifier. Bitcoin is a traceable ledger. Neither is anonymity. The framing of "anonymous payment" for a method that is neither anonymous nor free of identity requirements is the same pattern as the banner vs FAQ contradiction. A claim designed to reassure users who won't examine it closely.
"You're just scaring people away from VPNs."
Accurate information about corporate ownership is not fear-mongering. Millions of users are making trust decisions about products that share an undisclosed parent company with a documented adware history, review sites recommending those same products, and a major acquisition that included an executive who built surveillance tools for a foreign government. Those users deserve to know what they are actually buying. If the facts are uncomfortable for the brands, that is a product problem, not a reporting problem.
"Mullvad and other alternatives aren't perfect either."
Correct. No VPN is perfect. The point is not that a zero-trust alternative exists. The point is that the specific combination of factors surrounding Kape — adware history, review site ownership, Project Raven, telemetry collection — represents a concentration of trust concerns that is qualitatively different from ordinary corporate imperfection. Mullvad was court-tested and passed. Kape's products have not been. That gap matters when your threat model depends on it.
This article is based on publicly available records, company statements, and previously published reporting.