VPN Infrastructure Exposed

The Question

VPN providers market themselves as independent services in diverse jurisdictions. This investigation asks a structural question: does the global VPN industry's physical infrastructure actually reflect that diversity, or does it concentrate in a small number of hosting companies, buildings, and jurisdictions? We traced the path from VPN provider to hosting company to physical datacenter building to building owner. The findings:

• 50 VPN providers analyzed, 6,429 unique /24 network blocks identified, all resolved to hosting provider via Team Cymru ASN DNS.
• 41 of 50 providers use M247 (UK) or Datacamp/CDN77 (UK) or both.
• Those hosting companies rent rack space in buildings owned primarily by Equinix (US) and Digital Realty (US) -- two companies with publicly disclosed government advisory roles, including former defense and intelligence officials.
• 73% of VPN server IPs geolocate to a different country than where the hosting network is registered -- many "servers" in exotic locations are physically in US or UK datacenters.
• 5 parent companies control 8 of 11 major VPN brands. One (Kape Technologies) was founded as an adware company. Another cluster of free VPN apps traces to a Chinese military-linked firm.

Methodology

This analysis uses four layers of public data:

• VPN server IPs: Extracted from the Netify VPN server database for all 50 tracked providers. IPs converted to /24 network blocks for comparison.
• ASN resolution: All 6,429 unique /24 blocks resolved via Team Cymru IP-to-ASN DNS to identify the hosting company operating each network.
• Physical facility mapping: PeeringDB facility data for the major hosting providers (M247, Datacamp/CDN77, Clouvider, DigitalOcean, Vultr) to identify which datacenter buildings house VPN infrastructure and who owns those buildings.
• Geolocation comparison: ip-api.com batch geolocation compared against ASN registration country to detect virtual locations -- servers that claim to be in one country but are physically hosted elsewhere.

Cross-provider overlap was measured by comparing /24 blocks. If two VPN providers have IPs within the same /24 block, those IPs are originated by the same ASN -- meaning they are on the same network operator's infrastructure. This does not guarantee they share the same physical server, rack, or even building, as a /24 (256 addresses) can be subnetted across multiple locations by the same operator. Corporate ownership was verified through public filings, Wikipedia, and commercial registries.

The Providers Analyzed

Plus 39 additional providers analyzed (8-463 blocks each): PotatoVPN, X-VPN, UrbanVPN, ZoogVPN, WLVPN, VPN Unlimited, ThunderVPN, HMA, TorGuard, TurboVPN, Hola VPN, AirVPN, SlickVPN, GhostPath, Browsec, Speedify, PrivateVPN, TikVPN, VyprVPN, AzireVPN, FastestVPN, VPN Lumos, VPNSecure, Anonine, BoxPN, EasyHideVPN, FrootVPN, CryptoStorm, OVPN, OctoVPN, Getflix, PrivadoVPN, SSHOcean, SecureVPN, PureVPN, AvastVPN.

Total: 6,429 unique /24 blocks across 50 providers. 1,723 of these (27%) are used by two or more providers.

Source: Netify VPN server database, April 2026. Parent company ownership from Wikipedia: Kape, Wikipedia: NordVPN, Wikipedia: IPVanish, and public filings.

Ownership Consolidation

Before examining hosting infrastructure, the provider list itself reveals consolidation. Of the 11 largest providers:

• Nord Security owns both NordVPN and Surfshark (merged 2022). Combined: 2,880 /24 blocks -- 54% of the dataset.
• Kape Technologies (Israel/UK) owns ExpressVPN, CyberGhost, and Private Internet Access. Combined: 663 blocks.
• Ziff Davis (USA) owns IPVanish.
• McAfee (USA) owns TunnelBear.
• Aura/Pango (USA) owns Hotspot Shield.

Five parent companies control 8 of the 11 "independent" VPN brands analyzed. Only Proton VPN, Mullvad, and Windscribe operate under independent ownership.

The Hosting Concentration

All 6,429 unique /24 blocks resolved via Team Cymru ASN DNS. 491 unique ASNs identified across 50 VPN providers:

Jurisdictional concentration (excluding VPN-owned infrastructure):

Source: Team Cymru IP-to-ASN DNS; Netify VPN database; ARIN/ RIPE WHOIS. Analysis date: April 6-7, 2026.

Cross-Provider Overlap

Across all 50 providers, 1,723 /24 blocks (27%) are shared by two or more VPN providers. 557 by 3+, 226 by 4+, 75 by 5+, 29 by 6+, 10 by 7+, and 2 blocks by 8 providers simultaneously. The top pairwise overlaps (from the 11 major providers):

The NordVPN-Surfshark overlap (106 blocks) and CyberGhost-PIA overlap (101 blocks) are expected -- these are sister companies under the same parent (Nord Security and Kape Technologies respectively). The cross-ownership overlaps (NordVPN-Proton: 73, NordVPN-Windscribe: 70, Surfshark-Proton: 54) indicate shared third-party hosting providers.

The most-shared blocks across all 50 providers:

The Concentration Problem

VPN providers market themselves as independent services operating in privacy-friendly jurisdictions. The infrastructure data tells a different story. Across 50 providers and 6,429 network blocks:

• 27% of /24 blocks (1,723 of 6,429) are shared by two or more VPN providers on the same hosting company's network.
• M247 hosts servers for 38 of 50 tracked providers. Datacamp/CDN77 hosts servers for 26 of 50. Combined, 41 of 50 providers use at least one of these two UK-headquartered companies.
• Every physical datacenter facility identified for M247 and Datacamp (156 total across 47 countries) is in a country with at least one documented intelligence sharing agreement.

The result is that providers who market different jurisdictions, different privacy policies, and different corporate structures converge on the same small group of hosting companies. Proton VPN (marketed as "Swiss privacy") shares /24 blocks with NordVPN (Panama), Surfshark (Panama), Mullvad (Sweden), Windscribe (Canada), and Hotspot Shield (USA) -- all on Datacamp and M247 infrastructure in the UK. A user who switches VPN providers for jurisdictional reasons may find their traffic exiting through the same datacenter facility regardless of which provider they choose -- and as documented below, that rack may not be in the country the VPN claims.

What the Data Shows

This analysis documents infrastructure concentration: a small number of hosting companies, in a small number of datacenter buildings, in a small number of jurisdictions, carry traffic for the majority of commercial VPN providers. This is a structural observation about how the industry is built, not an allegation that any provider or hosting company has been compromised.

Historical Context

Separately, Snowden-era documents (2013) revealed the NSA's Bullrun program and GCHQ's Edgehill program, both aimed at defeating VPN encryption. By 2010, GCHQ was unscrambling VPN traffic for 30 targets with a goal of 300. The disclosed methods included "industry relationships" and infrastructure compromise.

This investigation does not link the documented infrastructure concentration to those programs. It observes that the concentration creates the structural conditions where a small number of access points could cover a large fraction of global VPN traffic. Whether that concentration exists due to market economics (which adequately explains it) or for other reasons, the structural reality is the same.

Source: Bullrun/Edgehill: Wikipedia; ProPublica. M247 VPN hosting: m247global.com. Datacamp bare metal: datapacket.com.

The Building Owners

The hosting providers (M247, Datacamp) don't own the datacenter buildings. They rent rack space from datacenter operators. PeeringDB facility data for M247 (65 facilities) and Datacamp/CDN77 (91 facilities) reveals who owns the physical buildings where VPN traffic terminates:

Building ownership was determined from PeeringDB facility names (e.g., "Equinix DC1-DC15" or "Digital Realty Frankfurt FRA1-27"). Two US publicly traded real estate investment trusts -- Equinix (NYSE: EQIX) and Digital Realty (NYSE: DLR) -- own 48.7% of the datacenter facilities used by the VPN industry's two largest hosting providers. Both are US companies. As facility operators, they control physical access to the buildings, though colocation customers typically use locked cages or racks with their own access controls.

Equinix (NYSE: EQIX)

51 of 156 VPN-hosting facilities (32.7%). Top shareholders: Vanguard Group, BlackRock, State Street (93.8% institutional ownership). Equinix maintains a Government Advisory Board whose members include:

• Former CIO of the National Reconnaissance Office (NRO) -- the US intelligence community agency that designs, builds, and operates reconnaissance satellites
• Former CTO and Deputy CIO of NASA + CIO for Science and Technology at the Department of Homeland Security
• Former Director of Network Services and Deputy CIO at DISA (Defense Information Systems Agency) -- 30 years managing military/defense communications networks

Equinix acquired Terremark Federal Group, bringing in 33 employees with government security clearances. Equinix operates a Federal Government Solutions division with procurement contracts via Carahsoft.

Source: Equinix blog: Gov Advisory Board; Equinix board of directors; Yahoo Finance: EQIX holders

Digital Realty (NYSE: DLR)

25 of 156 VPN-hosting facilities (16.0%). Top shareholders: Vanguard Group (~15.5%), BlackRock, Cohen & Steers, Norges Bank (Norwegian sovereign wealth fund), State Street. Board member Kevin J. Kennedy (former Avaya CEO) was appointed by President Obama to the President's National Security Telecommunications Advisory Committee in 2010.

Source: Digital Realty board; Yahoo Finance: DLR holders; Wikipedia: Kevin J. Kennedy (NSTAC appointment confirmed)

Common Ownership

Vanguard Group, BlackRock, and State Street are top shareholders of both Equinix and Digital Realty. These are the three largest passive index fund managers in the world and hold major positions in most publicly traded companies. The common ownership is a structural feature of modern capital markets, not specific to the datacenter industry.

Source: PeeringDB: M247 (net/906) -- 65 facilities queried via API (netfac?net_id=906); PeeringDB: CDN77/Datacamp (net/10839) -- 91 facilities queried via API (netfac?net_id=10839). Building ownership attributed from facility names in PeeringDB records (e.g., facilities named "Equinix [code]" attributed to Equinix, Inc.).

Virtual Locations: Where Your Server Really Is

VPN providers advertise servers in dozens of countries. But the IP address's geolocation and the server's physical location are often different. Comparing IP geolocation data (ip-api.com) against ASN registration country (Team Cymru) for an evenly distributed sample of 200 blocks from the 6,429 total:

• 73% of blocks have a geolocation that does not match the ASN registration country.
• 30% of blocks registered in UK/US/DE/RO/NL geolocate to entirely different countries.

Examples from the data:

When a user connects to "VPN server in Nepal," the traffic may physically exit from a Datacamp server in a US or UK datacenter. The geolocation databases report Nepal because the IP range has been geolocated there -- but the hardware, the network, and the legal jurisdiction are in the hosting provider's actual country of operation. An XDA investigation independently confirmed this practice across multiple VPN providers.

This means the geographic diversity that VPN providers advertise (servers in "100+ countries") may overstate the actual physical footprint. A significant fraction of "global" VPN infrastructure physically resides in a smaller number of countries where the hosting providers operate datacenters.

Source: ip-api.com batch API; Team Cymru ASN DNS. 200-block sample from 6,429 unique blocks. XDA investigation independently confirmed virtual location practices. Analysis date: April 7, 2026.

Where the Infrastructure Physically Sits

ASN registration country does not determine where servers physically are -- M247 is registered in Romania but operates in 25+ countries; Datacamp is registered in the UK but has facilities in 40+ countries. PeeringDB facility data shows the actual datacenter locations where M247 and Datacamp (the two largest third-party VPN hosts) have physical equipment:

Of the 156 physical datacenter facilities used by M247 and Datacamp, 61 (39.1%) are in Five Eyes countries. The US alone accounts for 40 facilities (25.6%). Every facility country has at least one documented intelligence sharing agreement (MLAT, bilateral, alliance membership, or EU framework). For per-country surveillance law details, see the CodaMail Privacy Law Directory.

Source: PeeringDB facility data for M247 and CDN77/Datacamp; data sharing frameworks from CodaMail Privacy Law Directory. Analysis date: April 7, 2026.

Chokepoint Cities

Mapping the physical facilities of the five largest third-party VPN hosting providers (M247, Datacamp/CDN77, Clouvider, DigitalOcean, Vultr) via PeeringDB reveals 101 cities worldwide where VPN hosting infrastructure exists. Three cities host all five providers simultaneously:

In Dallas, 9 of 10 VPN hosting facilities are Equinix buildings. In Sydney, all 7 are Equinix. In Singapore, all 5 are Equinix. In London, 7 of 8 are Telehouse (KDDI, Japan). Traffic from dozens of VPN brands converges into the same small number of buildings in each city.

Source: PeeringDB facility API for M247, Datacamp, Clouvider, DigitalOcean, Vultr. Building ownership from facility names.

Notable Ownership Chains

The sections above document infrastructure concentration. The sections below examine three ownership chains that stood out during the investigation.

Kape Technologies: From Adware to VPN Empire

Kape Technologies owns three of the 11 major providers analyzed: ExpressVPN, CyberGhost, and Private Internet Access (combined: 663 /24 blocks). The ownership chain:

• Founded as Crossrider in 2011 (Israel). Crossrider built a browser extension platform used for ad injection. In 2015, A 2015 Google/UC Berkeley study identified Crossrider as controlling 42-44% of the ad-injection market. Malwarebytes classifies Crossrider as adware.
• Acquired by Teddy Sagi in 2012 (~$37M). Sagi is an Israeli billionaire who was convicted in 1996 of bribery, securities fraud, and stock manipulation and served prison time. He subsequently founded Playtech (online gambling software) and built a ~$5B fortune. Sagi is linked to 16 offshore companies in the ICIJ Panama Papers database.
• IPO on London AIM in 2014 ($75M raised, $250M valuation).
• Rebranded to Kape Technologies in 2018. CEO stated the name change was to escape "strong association to the past activities of the company."
• Acquisitions: CyberGhost ($9.8M, 2017), PIA ($95.5M, 2019), ExpressVPN ($936M, 2021), ZenMate (2021). Also acquired several VPN review websites.
• Taken private in 2023 by Unikmind Holdings (Teddy Sagi's holding company) at ~$1.51B valuation. Financial reporting is no longer public.

Source: Wikipedia: Kape Technologies; Wikipedia: Teddy Sagi; CyberInsider: Kape/Crossrider; CyberInsider: Kape VPN acquisitions

WLVPN: White-Label Infrastructure

WLVPN is a white-label VPN service that provides infrastructure for other companies to resell under their own brand. The ownership chain:

• Highwinds Network Group (Florida) created IPVanish and operated WLVPN.
• StackPath acquired Highwinds in 2017, gaining IPVanish, StrongVPN, and WLVPN.
• j2 Global (now Ziff Davis, NYSE: ZD) acquired IPVanish/StrongVPN/Encrypt.me from StackPath in 2019 via its NetProtect division.
• StackPath liquidated in 2024. Ziff Davis/NetProtect fully absorbed remaining VPN assets.

WLVPN's infrastructure powers VPN services for 100+ businesses including StrongVPN, OverPlay VPN, Encrypt.me, and VPNhub (Pornhub's VPN). Ziff Davis also owns IGN, PCMag, Mashable, and other tech media properties that review VPN products.

Source: Wikipedia: IPVanish; VPNpro: 105 VPNs, 24 companies; Top10VPN: NetProtect acquisitions

Free VPN Cluster: Chinese Military-Linked Ownership

Five free VPN apps in our dataset (PotatoVPN, X-VPN, ThunderVPN, TurboVPN, UrbanVPN) share infrastructure heavily concentrated on OVH and Scaleway (French hosting). The ownership chain for the largest of these traces to Chinese state-affiliated entities:

• TurboVPN is developed by Innovative Connecting Pte. Ltd. (Singapore). Director: Danian "Danny" Chen, a Chinese national listed among Forbes' most influential young Chinese leaders and the 400 richest Chinese. Chen is founder/CEO of Linksure, which is the shareholder of Innovative Connecting.
• Innovative Connecting's corporate shareholder is Lemon Seed Technology Ltd. (Cayman Islands).
• Chinese cybersecurity firm Qihoo 360 disclosed in a 2019 annual report that it acquired Lemon Seed and two related companies (Lemon Clove, Autumn Breeze). In 2020, the US Commerce Department sanctioned Qihoo 360 on national security grounds. In 2022, the US Department of Defense added Qihoo 360 to its list of "Chinese military companies" operating in the US. Qihoo 360's customers have included China's People's Liberation Army and at least eight Chinese government ministries (per state-run China Daily, 2015).
• The same corporate directors appear across Innovative Connecting (TurboVPN), Autumn Breeze (Snap VPN), and Lemon Clove (VPN Robot). Recent filings (March 2025) list Chen Ningyi -- identified as a former Qihoo 360 general manager -- as director of all four entities.
• X-VPN is operated by Free Connected Ltd. (Hong Kong).

These apps have been downloaded over 86 million times across iOS and Android. A Top10VPN investigation documented the secretive Chinese ownership structure. A separate Comparitech investigation traced China and Russia-linked VPNs on major app stores.

Source: Top10VPN: Chinese ownership investigation; Security Affairs: Chinese VPN companies; Malwarebytes: Chinese military-linked VPNs

The Takeaway

At the infrastructure level, most commercial VPN services are not independent of each other. Brand competition happens at the marketing layer -- different names, different privacy policies, different jurisdictional claims. At the network layer, traffic from dozens of "competing" providers converges on the same hosting companies, in the same datacenter buildings, in the same cities. The data does not show that this infrastructure is compromised. It shows that the diversity VPN users believe they are purchasing largely does not exist below the application layer.

Ongoing Investigation

This document will be updated as research continues. The X4BNet VPN IP database tracks 10,793 CIDR ranges across VPN providers (auto-updated via GitHub Actions) and may be incorporated in future analysis.