VPN Infrastructure Exposed

The Question

VPN providers market themselves as independent services in diverse jurisdictions. This investigation asks a structural question: does the global VPN industry's physical infrastructure actually reflect that diversity, or does it concentrate in a small number of hosting companies, buildings, and jurisdictions? We traced the path from VPN provider to hosting company to physical datacenter building to building owner. The findings:

• 50 VPN providers analyzed, 6,429 unique /24 network blocks identified, all resolved to hosting provider via Team Cymru ASN DNS.
• 41 of 50 providers use M247 (UK) or Datacamp/CDN77 (UK) or both.
• Those hosting companies rent rack space in buildings owned primarily by Equinix (US) and Digital Realty (US) -- two companies with publicly disclosed government advisory roles, including former defense and intelligence officials.
• 73% of VPN server IPs geolocate to a different country than where the hosting network is registered -- many "servers" in exotic locations are physically in US or UK datacenters.
• 5 parent companies control 8 of 11 major VPN brands. One (Kape Technologies) was founded as an adware company. Another cluster of free VPN apps traces to a Chinese military-linked firm.
• The concentration is not an artifact of one data source: an independent VPN IP database (X4BNet, 10,577 ranges) resolved through the same method puts the same two UK-headquartered hosts at the top -- M247 and Datacamp together account for 43.9% of its ranges (71.1% excluding pure CDN/transit networks).

Methodology

This analysis uses four layers of public data, cross-checked against a fifth independent dataset:

• VPN server IPs: Extracted from the Netify VPN server database for all 50 tracked providers. IPs converted to /24 network blocks for comparison.
• ASN resolution: All 6,429 unique /24 blocks resolved via Team Cymru IP-to-ASN DNS to identify the hosting company operating each network.
• Physical facility mapping: PeeringDB facility data for the major hosting providers (M247, Datacamp/CDN77, Clouvider, DigitalOcean, Vultr) to identify which datacenter buildings house VPN infrastructure and who owns those buildings.
• Geolocation comparison: ip-api.com batch geolocation compared against ASN registration country to detect virtual locations -- servers that claim to be in one country but are physically hosted elsewhere.
• Independent validation: the X4BNet lists_vpn database -- an open-source VPN/proxy IP reputation list compiled by a different team and method than Netify -- resolved through the same Team Cymru ASN service as a cross-check that the concentration is not an artifact of a single source. Results in the Independent Validation section below.

Cross-provider overlap was measured by comparing /24 blocks. If two VPN providers have IPs within the same /24 block, those IPs are originated by the same ASN -- meaning they are on the same network operator's infrastructure. This does not guarantee they share the same physical server, rack, or even building, as a /24 (256 addresses) can be subnetted across multiple locations by the same operator. Corporate ownership was verified through public filings, Wikipedia, and commercial registries.

The Providers Analyzed

Plus 39 additional providers analyzed (8-463 blocks each): PotatoVPN, X-VPN, UrbanVPN, ZoogVPN, WLVPN, VPN Unlimited, ThunderVPN, HMA, TorGuard, TurboVPN, Hola VPN, AirVPN, SlickVPN, GhostPath, Browsec, Speedify, PrivateVPN, TikVPN, VyprVPN, AzireVPN, FastestVPN, VPN Lumos, VPNSecure, Anonine, BoxPN, EasyHideVPN, FrootVPN, CryptoStorm, OVPN, OctoVPN, Getflix, PrivadoVPN, SSHOcean, SecureVPN, PureVPN, AvastVPN.

Total: 6,429 unique /24 blocks across 50 providers. 1,723 of these (27%) are used by two or more providers.

Source: Netify VPN server database, April 2026. Parent company ownership from Wikipedia: Kape, Wikipedia: NordVPN, Wikipedia: IPVanish, and public filings.

Ownership Consolidation

Before examining hosting infrastructure, the provider list itself reveals consolidation. Of the 11 largest providers:

• Nord Security owns both NordVPN and Surfshark (merged 2022). Combined: 2,880 /24 blocks -- 54% of the dataset. Parent entity Tesonet also owns Cybernews (review site) via its Mediatech subsidiary.
• Kape Technologies (Israel/UK) owns ExpressVPN, CyberGhost, Private Internet Access, and ZenMate. Combined: 663 blocks. Also owns VPN review sites vpnMentor, Wizcase, and Safety Detectives.
• Ziff Davis (USA) owns IPVanish, StrongVPN, Encrypt.me, SaferVPN, and the WLVPN white-label platform (most consolidated under IPVanish). Also owns PCMag and Mashable.
• McAfee (USA) owns TunnelBear. McAfee's own bundled VPN (Safe Connect) runs on TunnelBear infrastructure.
• Point Wild (USA, formerly Pango Group/Aura) owns Hotspot Shield, Betternet, Touch VPN, VPN 360, and Ultra VPN. Also owns Comparitech (VPN review site).

Five parent companies control 8 of the 11 major VPN brands analyzed, plus numerous additional brands not in our dataset. Only Proton VPN, Mullvad, and Windscribe operate under independent ownership. Four of the five parent companies also own publications that review VPN products.

Source: Tom's Guide: Who really owns your VPN?; Wikipedia: Tesonet; TechRadar: Kape/Webselenese acquisition; Wikipedia: Ziff Davis; PR Newswire: Pango Group/Point Wild merger; Windscribe: VPN relationship map

The Hosting Concentration

All 6,429 unique /24 blocks resolved via Team Cymru ASN DNS. 491 unique ASNs identified across 50 VPN providers:

Jurisdictional concentration (excluding VPN-owned infrastructure):

Source: Team Cymru IP-to-ASN DNS; Netify VPN database; ARIN/ RIPE WHOIS. Analysis date: April 6-7, 2026.

Cross-Provider Overlap

Across all 50 providers, 1,723 /24 blocks (27%) are shared by two or more VPN providers. 557 by 3+, 226 by 4+, 75 by 5+, 29 by 6+, 10 by 7+, and 2 blocks by 8 providers simultaneously. The top pairwise overlaps (from the 11 major providers):

The NordVPN-Surfshark overlap (106 blocks) and CyberGhost-PIA overlap (101 blocks) are expected -- these are sister companies under the same parent (Nord Security and Kape Technologies respectively). The cross-ownership overlaps (NordVPN-Proton: 73, NordVPN-Windscribe: 70, Surfshark-Proton: 54) indicate shared third-party hosting providers.

The most-shared blocks across all 50 providers:

The Concentration Problem

VPN providers market themselves as independent services operating in privacy-friendly jurisdictions. The infrastructure data tells a different story. Across 50 providers and 6,429 network blocks:

• 27% of /24 blocks (1,723 of 6,429) are shared by two or more VPN providers on the same hosting company's network.
• M247 hosts servers for 38 of 50 tracked providers. Datacamp/CDN77 hosts servers for 26 of 50. Combined, 41 of 50 providers use at least one of these two UK-headquartered companies.
• Every physical datacenter facility identified for M247 and Datacamp (156 total across 47 countries) is in a country with at least one documented intelligence sharing agreement.

The result is that providers who market different jurisdictions, different privacy policies, and different corporate structures converge on the same small group of hosting companies. Proton VPN (marketed as "Swiss privacy") shares /24 blocks with NordVPN (Panama), Surfshark (Panama), Mullvad (Sweden), Windscribe (Canada), and Hotspot Shield (USA) -- all on Datacamp and M247 infrastructure in the UK. A user who switches VPN providers for jurisdictional reasons may find their traffic exiting through the same datacenter facility regardless of which provider they choose -- and as documented below, that rack may not be in the country the VPN claims.

What the Data Shows

This analysis documents infrastructure concentration: a small number of hosting companies, in a small number of datacenter buildings, in a small number of jurisdictions, carry traffic for the majority of commercial VPN providers. This is a structural observation about how the industry is built, not an allegation that any provider or hosting company has been compromised.

Historical Context

Separately, Snowden-era documents (2013) revealed the NSA's Bullrun program and GCHQ's Edgehill program, both aimed at defeating VPN encryption. By 2010, GCHQ was unscrambling VPN traffic for 30 targets with a goal of 300. The disclosed methods included "industry relationships" and infrastructure compromise.

This investigation does not link the documented infrastructure concentration to those programs. It observes that the concentration creates the structural conditions where a small number of access points could cover a large fraction of global VPN traffic. Whether that concentration exists due to market economics (which adequately explains it) or for other reasons, the structural reality is the same.

Source: Bullrun/Edgehill: Wikipedia; ProPublica. M247 VPN hosting: m247global.com. Datacamp bare metal: datapacket.com.

Recent Precedent: A VPN User Database Seized (May 2026)

In May 2026, a multinational operation provided a concrete illustration of what happens to a VPN's records under legal pressure. In Operation Saffron (May 19-20, 2026), law enforcement led by France and the Netherlands -- with Europol, Eurojust, and the security firm Bitdefender -- dismantled "First VPN" (marketed at 1vpns.com), a "bulletproof" anonymisation service that since 2014 had served as the infrastructure layer for at least 25 ransomware groups as well as fraud networks, botnets, and phishing operations. Authorities seized 33 servers across 27 countries, took down the primary domains, and interviewed the Ukrainian operator.

First VPN was a criminal service, not one of the 50 commercial providers analysed here, and there is no suggestion that any commercial provider was involved. But the case is instructive for two reasons directly relevant to this report. First, it confirms that a VPN's subscriber records can be seized in bulk and redistributed across exactly the international data-sharing frameworks tabulated above (Europol, Eurojust, MLATs, and bilateral cooperation). Second, it shows that the practical value of a "no-log" claim depends entirely on whether logs actually exist on the hardware when servers are seized -- and physical control of that hardware sits with the hosting company and its jurisdiction, not the VPN brand. As the facility tables below show, the buildings that carry the bulk of commercial VPN traffic are concentrated in countries that each have at least one such data-sharing agreement.

Source: Help Net Security: Authorities dismantle First VPN (May 21, 2026); Europol newsroom; per-country data-sharing frameworks via the CodaMail Privacy Law Directory (EU / Europol section).

The Building Owners

The hosting providers (M247, Datacamp) don't own the datacenter buildings. They rent rack space from datacenter operators. PeeringDB lists the facilities where M247 (65 facilities) and Datacamp/CDN77 (91 facilities) have a presence. We cannot map specific VPN IPs to specific buildings, but we can identify who owns the buildings these hosting companies operate from:

Building ownership was determined from PeeringDB facility names (e.g., "Equinix DC1-DC15" or "Digital Realty Frankfurt FRA1-27"). Two US publicly traded real estate investment trusts -- Equinix (NYSE: EQIX) and Digital Realty (NYSE: DLR) -- own 48.7% of the datacenter facilities used by the VPN industry's two largest hosting providers. Both are US companies. As facility operators, they control physical access to the buildings, though colocation customers typically use locked cages or racks with their own access controls.

Equinix (NYSE: EQIX)

51 of 156 VPN-hosting facilities (32.7%). Top shareholders: Vanguard Group, BlackRock, State Street (93.8% institutional ownership). Equinix maintains a Government Advisory Board whose members include:

• Former CIO of the National Reconnaissance Office (NRO) -- the US intelligence community agency that designs, builds, and operates reconnaissance satellites
• Former CTO and Deputy CIO of NASA + CIO for Science and Technology at the Department of Homeland Security
• Former Director of Network Services and Deputy CIO at DISA (Defense Information Systems Agency) -- 30 years managing military/defense communications networks

Equinix acquired Terremark Federal Group, bringing in 33 employees with government security clearances. Equinix operates a Federal Government Solutions division with procurement contracts via Carahsoft.

Source: Equinix blog: Gov Advisory Board; Equinix board of directors; Yahoo Finance: EQIX holders

Digital Realty (NYSE: DLR)

25 of 156 VPN-hosting facilities (16.0%). Top shareholders: Vanguard Group (~15.5%), BlackRock, Cohen & Steers, Norges Bank (Norwegian sovereign wealth fund), State Street. Board member Kevin J. Kennedy (former Avaya CEO) was appointed by President Obama to the President's National Security Telecommunications Advisory Committee in 2010.

Source: Digital Realty board; Yahoo Finance: DLR holders; Wikipedia: Kevin J. Kennedy (NSTAC appointment confirmed)

Common Ownership

Vanguard Group, BlackRock, and State Street are top shareholders of both Equinix and Digital Realty. These are the three largest passive index fund managers in the world and hold major positions in most publicly traded companies. The common ownership is a structural feature of modern capital markets, not specific to the datacenter industry.

Source: PeeringDB: M247 (net/906) -- 65 facilities queried via API (netfac?net_id=906); PeeringDB: CDN77/Datacamp (net/10839) -- 91 facilities queried via API (netfac?net_id=10839). Building ownership attributed from facility names in PeeringDB records (e.g., facilities named "Equinix [code]" attributed to Equinix, Inc.).

Virtual Locations: Where Your Server Really Is

VPN providers advertise servers in dozens of countries. But the IP address's geolocation and the server's physical location are often different. Comparing IP geolocation data (ip-api.com) against ASN registration country (Team Cymru) for an evenly distributed sample of 200 blocks from the 6,429 total:

• 73% of blocks have a geolocation that does not match the ASN registration country.
• 30% of blocks registered in UK/US/DE/RO/NL geolocate to entirely different countries.

Examples from the data:

When a user connects to "VPN server in Nepal," the traffic may physically exit from a Datacamp server in a US or UK datacenter. The geolocation databases report Nepal because the IP range has been geolocated there -- but the hardware, the network, and the legal jurisdiction are in the hosting provider's actual country of operation. An XDA investigation independently confirmed this practice across multiple VPN providers.

This means the geographic diversity that VPN providers advertise (servers in "100+ countries") may overstate the actual physical footprint. A significant fraction of "global" VPN infrastructure physically resides in a smaller number of countries where the hosting providers operate datacenters.

Source: ip-api.com batch API; Team Cymru ASN DNS. 200-block sample from 6,429 unique blocks. XDA investigation independently confirmed virtual location practices. Analysis date: April 7, 2026.

Where the Infrastructure Physically Sits

ASN registration country does not determine where servers physically are -- M247 is registered in Romania but operates in 25+ countries; Datacamp is registered in the UK but has facilities in 40+ countries. PeeringDB facility data shows the actual datacenter locations where M247 and Datacamp (the two largest third-party VPN hosts) have physical equipment:

Of the 156 physical datacenter facilities used by M247 and Datacamp, 61 (39.1%) are in Five Eyes countries. The US alone accounts for 40 facilities (25.6%). Every facility country has at least one documented intelligence sharing agreement (MLAT, bilateral, alliance membership, or EU framework). For per-country surveillance law details, see the CodaMail Privacy Law Directory.

Source: PeeringDB facility data for M247 and CDN77/Datacamp; data sharing frameworks from CodaMail Privacy Law Directory. Analysis date: April 7, 2026.

Chokepoint Cities

Mapping the physical facilities of the five largest third-party VPN hosting providers (M247, Datacamp/CDN77, Clouvider, DigitalOcean, Vultr) via PeeringDB reveals 101 cities worldwide where VPN hosting infrastructure exists. Three cities host all five providers simultaneously:

In Dallas, 9 of 10 VPN hosting facilities are Equinix buildings. In Sydney, all 7 are Equinix. In Singapore, all 5 are Equinix. In London, 7 of 8 are Telehouse (KDDI, Japan). The hosting companies serving dozens of VPN brands operate from a small number of buildings in each city.

Source: PeeringDB facility API for M247, Datacamp, Clouvider, DigitalOcean, Vultr. Building ownership from facility names.

Independent Validation: The X4BNet VPN IP Database

Every number above derives from a single source for the server IPs: the Netify VPN database. A reasonable objection is that the concentration we found could be an artifact of how one source compiles its list. To test that, we repeated the core ASN analysis against a completely independent dataset: X4BNet's lists_vpn, an open-source IP reputation list (auto-updated via GitHub Actions and widely used for VPN/proxy detection) that is compiled by a different method and a different team than Netify.

We retrieved the X4BNet VPN list on June 1, 2026 -- 10,577 IPv4 CIDR ranges -- took one representative IP from each range, and resolved all of them through the same Team Cymru bulk ASN service used earlier. The ranges mapped to just 94 distinct ASNs. The result is not a restatement of the Netify finding; it is an independent dataset reaching the same conclusion.

Hosting concentration in the X4BNet VPN list:

The CDN Caveat

X4BNet's VPN list is broader than the 50 consumer brands tracked earlier. Because it is built for proxy/VPN detection, it also captures CDN- and transit-based anonymisation infrastructure -- Cloudflare (17.6%), Akamai (10.3%), Fastly (3.0%), and Cogent (6.0%) -- which are not traditional consumer-VPN exit hosts. This is a feature, not a flaw: it shows the X4BNet list is genuinely independent and not a copy of the Netify set. When those pure CDN/transit networks (37% of the list) are removed, the remaining 6,529 ranges are dedicated VPN-hosting infrastructure, and M247 plus Datacamp account for 71.1% of it.

Jurisdiction Holds Too

Grouping the 94 ASNs by the operator's country of registration reproduces the same jurisdictional picture:

Seventeen of the ASNs named in this report's own hosting table reappear in the X4BNet list independently -- M247, Datacamp, CDN77, PacketHub (Nord), Cyberzone (Surfshark), GSL Networks, Host Universal, EstNoc, tzulo, Vultr, Zenlayer, OVH, Clouvider, HostRoyale, GTHost, Latitude.sh, and Cogent. Two source lists built by different teams, using different methods, converge on the same operators and the same jurisdictions. The concentration documented in this report is a property of the VPN industry's infrastructure, not of any single data source.

Source: X4BNet/lists_vpn (output/vpn/ipv4.txt), retrieved June 1, 2026: 10,577 IPv4 ranges. ASN resolution via Team Cymru bulk whois (whois.cymru.com), one representative IP per range. Operator jurisdiction from ASN registration data. Analysis date: June 1, 2026.

The Broader Substrate: X4BNet's Datacenter List

X4BNet publishes a second, much larger file: a datacenter IP list of 42,291 IPv4 ranges. Unlike the VPN list, this is not VPN-specific -- it is the general hosting and cloud substrate that VPN exit nodes are built on top of. Resolving all 42,291 ranges through Team Cymru yields 811 distinct ASNs, dominated (as expected) by the hyperscale clouds. But the position of the two VPN-hosting companies within it is the point of interest.

Important caveat: X4BNet's datacenter list is a detection/reputation list, not a neutral census of global datacenter IP allocation. It is curated to flag hosting, VPN, and proxy ranges for abuse detection, so networks heavily used for VPN/proxy traffic (such as M247 and Datacamp) are likely tracked more exhaustively than the ordinary corporate-cloud ranges of the hyperscalers. The ranking below therefore reflects prominence within this list, not a measurement of each company's total share of all datacenter IP space on the internet.

Top operators in the datacenter list (corporate families aggregated across their multiple ASNs):

The substrate is itself concentrated: of 811 ASNs, the top 10 account for 36.3% of all ranges, the top 25 for 54.3%, and the top 50 for 68.0%. By operator registration country, the list breaks down as:

The same US/UK skew documented for VPN-specific infrastructure holds for the broader hosting substrate: just over half of all tracked datacenter ranges are operated by US-registered companies, and Five Eyes jurisdictions account for 61.3%. The VPN industry's reliance on M247 and Datacamp is not an anomaly against this backdrop; it is a concentrated draw from an already-concentrated, already US/UK-weighted pool of hosting capacity.

Source: X4BNet/lists_vpn (output/datacenter/ipv4.txt), retrieved June 1, 2026: 42,291 IPv4 ranges. ASN resolution via Team Cymru bulk whois, one representative IP per range; corporate families aggregated across their constituent ASNs. This is a detection-oriented reputation list, not a complete census of datacenter IP allocation. Analysis date: June 1, 2026.

Notable Ownership Chains

The sections above document infrastructure concentration. The sections below examine three ownership chains that stood out during the investigation.

Kape Technologies: From Adware to VPN Empire

Kape Technologies owns three of the 11 major providers analyzed: ExpressVPN, CyberGhost, and Private Internet Access (combined: 663 /24 blocks). The ownership chain:

• Founded as Crossrider in 2011 (Israel). Crossrider built a browser extension platform used for ad injection. In 2015, A 2015 Google/UC Berkeley study identified Crossrider as controlling 42-44% of the ad-injection market. Malwarebytes classifies Crossrider as adware.
• Acquired by Teddy Sagi in 2012 (~$37M). Sagi is an Israeli billionaire who was convicted in 1996 of bribery, securities fraud, and stock manipulation and served prison time. He subsequently founded Playtech (online gambling software) and built a ~$5B fortune. Sagi is linked to 16 offshore companies in the ICIJ Panama Papers database.
• IPO on London AIM in 2014 ($75M raised, $250M valuation).
• Rebranded to Kape Technologies in 2018. CEO stated the name change was to escape "strong association to the past activities of the company."
• Acquisitions: CyberGhost ($9.8M, 2017), PIA ($95.5M, 2019), ExpressVPN ($936M, 2021), ZenMate (2021). Also acquired Webselenese ($149.1M, 2021), gaining VPN review sites vpnMentor, Wizcase, and Safety Detectives.
• Taken private in 2023 by Unikmind Holdings (Teddy Sagi's holding company) at ~$1.51B valuation. Financial reporting is no longer public.

Source: Wikipedia: Kape Technologies; Wikipedia: Teddy Sagi; CyberInsider: Kape/Crossrider; CyberInsider: Kape VPN acquisitions; TorrentFreak: Kape acquires review sites

WLVPN: White-Label Infrastructure

WLVPN is a white-label VPN service that provides infrastructure for other companies to resell under their own brand. The ownership chain:

• Highwinds Network Group (Florida) created IPVanish and operated WLVPN.
• StackPath acquired Highwinds in 2017, gaining IPVanish, StrongVPN, and WLVPN.
• j2 Global (now Ziff Davis, NYSE: ZD) acquired IPVanish/StrongVPN/Encrypt.me from StackPath in 2019 via its NetProtect division.
• StackPath liquidated in 2024. Ziff Davis/NetProtect fully absorbed remaining VPN assets.

WLVPN's infrastructure powers VPN services for 100+ businesses including StrongVPN, OverPlay VPN, Encrypt.me, and VPNhub (Pornhub's VPN). Ziff Davis also owns IGN, PCMag, Mashable, and other tech media properties that review VPN products.

Source: Wikipedia: IPVanish; VPNpro: 105 VPNs, 24 companies; Top10VPN: NetProtect acquisitions

Free VPN Cluster: Chinese Military-Linked Ownership

Five free VPN apps in our dataset (PotatoVPN, X-VPN, ThunderVPN, TurboVPN, UrbanVPN) share infrastructure heavily concentrated on OVH and Scaleway (French hosting). The ownership chain for the largest of these traces to Chinese state-affiliated entities:

• TurboVPN is developed by Innovative Connecting Pte. Ltd. (Singapore). Director: Danian "Danny" Chen, a Chinese national listed among Forbes' most influential young Chinese leaders and the 400 richest Chinese. Chen is founder/CEO of Linksure, which is the shareholder of Innovative Connecting.
• Innovative Connecting's corporate shareholder is Lemon Seed Technology Ltd. (Cayman Islands).
• Chinese cybersecurity firm Qihoo 360 disclosed in a 2019 annual report that it acquired Lemon Seed and two related companies (Lemon Clove, Autumn Breeze). In 2020, the US Commerce Department sanctioned Qihoo 360 on national security grounds. In 2022, the US Department of Defense added Qihoo 360 to its list of "Chinese military companies" operating in the US. Qihoo 360's customers have included China's People's Liberation Army and at least eight Chinese government ministries (per state-run China Daily, 2015).
• The same corporate directors appear across Innovative Connecting (TurboVPN), Autumn Breeze (Snap VPN), and Lemon Clove (VPN Robot). Recent filings (March 2025) list Chen Ningyi -- identified as a former Qihoo 360 general manager -- as director of all four entities.
• X-VPN is operated by Free Connected Ltd. (Hong Kong).

These apps have been downloaded over 86 million times across iOS and Android. A Top10VPN investigation documented the secretive Chinese ownership structure. A separate Comparitech investigation traced China and Russia-linked VPNs on major app stores.

Source: Top10VPN: Chinese ownership investigation; Security Affairs: Chinese VPN companies; Malwarebytes: Chinese military-linked VPNs

The Takeaway

At the infrastructure level, most commercial VPN services are not independent of each other. Brand competition happens at the marketing layer -- different names, different privacy policies, different jurisdictional claims. At the network layer, traffic from dozens of "competing" providers runs on the same hosting companies, operating from the same datacenter facilities, in the same cities. The data does not show that this infrastructure is compromised. It shows that the diversity VPN users believe they are purchasing largely does not exist below the application layer.

Ongoing Investigation

This is a living document, updated as research continues. The X4BNet VPN IP database -- referenced in earlier versions as a future cross-check -- has now been incorporated (see Independent Validation above): its 10,577 VPN ranges, resolved independently, confirm the same M247/Datacamp concentration and the same Five Eyes jurisdictional skew.

Work still open for future updates:

• Building-owner mapping for the broader substrate. The X4BNet datacenter list has now been resolved (see The Broader Substrate above), extending the concentration and jurisdiction picture. What it cannot do on its own is map IP ranges to physical buildings -- that requires PeeringDB facility lookups for the top substrate hosts, and the Equinix/Digital Realty building-owner lens transfers awkwardly to hyperscalers that own and operate their own datacenters. A facility-level pass on the largest non-hyperscale substrate hosts remains open work.
• IPv6. All analysis so far is IPv4 only. X4BNet and Netify both publish IPv6 ranges; VPN IPv6 allocation may concentrate differently.
• Per-range overlap between the X4BNet and Netify sets, to quantify how much of each list the other independently confirms at the individual /24 level rather than at the ASN level.
• Facility-level tracking as PeeringDB records change, since hosting companies periodically enter and leave datacenter buildings.