Kape Technologies is a growing player in the VPN industry and now owns four VPN providers. Given this entity’s prominence in the privacy/security space, we felt the need to closely examine its history, past business activities, and involvement in the ad injection industry.
When you use a VPN service, you are putting a lot of trust in the VPN itself and the people running it. You trust that they are properly encrypting your traffic, securing their server network, infrastructure, and apps, and also not doing anything shady in the background. In a sense, you are choosing to trust a VPN service with your traffic instead of your internet service provider (ISP), which will not be able to see any activity with all traffic being encrypted through the VPN.
And while there are verified no logs VPN services that have been audited or passed real-world tests, there have also been a handful of VPNs that have given up logs to various entities. Additionally, we have seen security breaches, such as the recent WindScribe security incident where servers were left fully unencrypted — a fact that came to light only after their servers were seized by Ukrainian authorities. Needless to say, finding a VPN you can trust is crucial.
Note: And for anyone foolishly claiming that an ISP deserves your trust and is not tracking all your online activities, read this first. (Everyone needs a good VPN for basic digital privacy when ISPs collect everything.)
Now let’s take a closer look at Kape Technologies.
Numerous publications discussing Crossrider and malware
Over the past few years, we have frequently connected Kape Technologies (formerly Crossrider) with malware distribution. Why did we do this? Well, there are numerous outlets and security experts that discussed the problems and removal techniques of Crossrider malware and adware.
Here are just three examples of this:
- this 2018 article from Malwarebytes
- this article from Symantec
- this 2019 article from Security Boulevard
Based on this information and other sources, we previously assumed that Crossrider was the creator of this malware. However, it’s important to get the details exactly right, so let’s dig deeper.
Crossrider created a development platform for browser extensions
Crossrider was founded all the way back in 2011, when there was no native extension interoperability between browsers. This meant that development for browsers was more time-consuming. Crossrider developed a platform to address this exact issue, as TechCrunch noted in a 2012 article:
Crossrider, which is coming out of beta today, aims to make things a bit easier for developers. The service offers a cross-platform development platform for Chrome, Firefox, Internet Explorer and Safari.
Developers who want to use the service, which is available for free, only have to write their code once and can then deploy their extensions across the supported browsers.
We also see developers praising Crossrider as a tool for developing browser extensions. Here are a few quotes:
Crossrider is, in layman terms, a wrapper around your JavaScript code with a consistent set of API methods.
–Amaslo.com
Crossrider also makes it easy to publish to chrome store as well and provides an easy way to sign your extension for executable downloads on windows.
–StackOverflow
Crossrider created monetization options that were used by ad injectors
Longtime readers of RestorePrivacy know that advertising and data collection go hand in hand, along with the abuse of privacy. And while it is true that Crossrider created a development platform, we must also point out that Crossrider offered monetization options that were used by major ad injectors.
What is an ad injector exactly?
A Forbes article from 2015 discussed the topic in more detail, where they noted the following:
[Ad injection] effectively intercepts users’ traffic to inject content, namely, those irritating adverts and popups that seem to come from nowhere. Media rightly jumped on the report, highlighting the companies named as the top ad injectors. What went unnoticed, until now, is that most of the searchable organisations involved in this potentially dangerous business are based in Israel. They also happen to have links to the nation’s military and its top signals intelligence agency, the Israeli equivalent of the NSA or GCHQ: Unit 8200, which works out of the Israel Defense Forces (IDF).
The report that Forbes noted above is this 2015 research paper that was co-authored by UC Berkeley, Google, and a handful of other organizations and individuals. The paper describes the ad injection industry as follows:
Today, web injection manifests in many forms, but fundamentally occurs when malicious and unwanted actors tamper directly with browser sessions for their own profit. In this work we illuminate the scope and negative impact of one of these forms, ad injection, in which users have ads imposed on them in addition to, or different from, those that websites originally sent them.
The research paper also describes Crossrider involvement in this industry:
Crossrider is a mobile, desktop, and extension development platform that enables drop-in monetization via major ad injectors. Crossrider provides its affiliate ID to ad injectors while separately tracking kick-backs to developers. The other top affiliates listed in Table III are all cross-browser extensions and plugins that impact Chrome, Firefox, and Internet Explorer.
We can see Table III from the research paper below. In it, we find that Crossrider listed as a “Top Affiliate” with different Ad Injection Libraries.
The exact relationship between the ad injectors and affiliates is complex.
In the context of Crossrider, it was the underlying tool that developers used to create extensions, rather than the owner of the extension itself or the monetization platform responsible for the ads.
Legitimate (non-malicious) apps were also made with Crossrider
While Crossrider did offer monetization options that were used by ad injectors, we should also point out that Crossrider’s platform was also used for legitimate (non-invasive) purposes.
You can see this with the FC Barcelona official fan app, which was attributed to “Crossrider Advanced Technologies Ltd.”
Additionally, we see CNet and The Next Web writing about an app called Chat Undetected, which was also attributed to Crossrider.
Now let’s examine how the Crossrider platform was also used for not-so-good activities.
Various third parties used Crossrider’s platform for bad practices (malware)
While Crossrider created tools for software developers and ad injectors, these tools were also useful to bad actors.
We see a few examples of this on herdProtect, a malware scanning platform:
- mySupermarket Companion (flagged as malware) – “It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider.”
- I Want This (flagged as adware) – “Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.”
We also see Brian Krebs, the renowned cybersecurity expert, further clarifying how the Crossrider platform was being used by third parties for malicious endeavors:
- “Last week, I wrote about LilyJade, a new computer worm that was spreading across Facebook accounts by abusing the free services offered by Crossrider, a platform that makes it simple to develop browser extensions that work seamlessly across browsers and operating systems.” (KrebsOnSecurity.com)
- “The purpose of this post is not to cause alarm about legitimate development platforms like Crossrider and Kango, or even to dissuade people from using Facebook. It’s also true that rogue browser plugins are hardly a new problem.” (KrebsOnSecurity.com)
A Crossrider employee also explained on StackOverflow how the company’s tools were being exploited by bad actors:
We had some incidents in the past where developers had tried to write malicious extensions using our framework, but with our security co-operations with Google and Facebook we managed to mitigate them.
Following the news about Kape buying Private Internet Access, Andrew Lee, the PIA co-founder, explained Crossrider’s business on a HackerNews thread as follows:
To be clear, in the past the company was known as CrossRider and provided a developer SDK that could be used to integrate with browsers. Unfortunately, CrossRider didn’t do enough to prevent malware (like platforms these days and their fake news) and the platform was used by some bad people for bad purposes.
Kape was never directly involved in adware other than providing SDKs that let developers create positive and negative things.
Crossrider shuts down the platform and rebrands the business
In September 2016, Crossrider officially announced it was shutting down entirely, as you can see in this official tweet. Crossrider provided RestorePrivacy with further clarification about their decision to shut down operations in 2016:
The team saw that abuse of the platform was not showing signs of slowing down, and the very openness and flexibility that made the platform useful for developers also made it difficult to effectively combat abuse.
The following year, in 2017, we see that the business pivoted to an entirely different niche: online privacy and security. The purchase of CyberGhost in 2017 kicked off this strategy, followed by a name change to Kape Technologies shortly thereafter.
Additionally, we learned that Crossrider had a major personnel change to refresh the business with new leadership. The Crossrider co-founders, CEO Koby Menachemi and CTO Shmueli Ahdut, left the company, along with most of the original Crossrider team and its entire C-suite of executives.
Today, Kape is led by CEO Ido Ehrlichman, who was not part of Crossrider’s original team. Kape is a global company that is headquartered in London and publicly traded on the London Stock Exchange.
Kape’s statement to RestorePrivacy
In our research for this article, Kape provided us with a statement to further clarify the past events and explain their reasoning to change their business strategy:
The Crossrider SDK and development platform was used by tens of thousands of independent developers to create cross-browser extensions, and unfortunately a small number of bad actors misused the platform to develop adware and malware. The team at the time attempted to combat the problem, including as a participant and supporter of the Clean Software Alliance, but ultimately decided to shut down Crossrider altogether in 2016 in the face of rising abuse.
Due to how the Crossrider platform worked, extensions by developers using the platform typically appeared linked to Crossrider in one way or another. This had the unfortunate effect of some of these extensions being incorrectly attributed to Crossrider itself, including by automated adware and malware scanning and removal tools. And while Crossrider itself didn’t exist anymore after 2016, developers who had developed or compiled their app using Crossrider prior to its shutdown were able to continue distributing their own apps by themselves.
Kape is now a leading privacy-first digital security software provider, with a fully refreshed team led by new CEO Ido Erlichman and informed by having identified a market need for privacy solutions to protect users’ data.
Conclusion: Why this is important
For years, we have been discussing Kape under the assumption that it was responsible for the malware being associated with Crossrider. The full story, however, is more nuanced.
For starters, it is clear that Crossrider provided a platform that was used by ad injectors.
However, it also appears that Crossrider’s development platform was used by third parties to spread malware, and Crossrider was not responsible for this.
Getting the details correct is important because it helps people decide whether or not to trust a business that offers privacy tools. And with trust being a huge consideration, it’s important to focus on verifiable facts.
Given everything we learned in our research, we can conclude that:
- Crossrider created a development platform, which was used for many different purposes (both good and bad).
- Crossrider offered monetization options with its platform and was used by major ad injectors.
- Third parties also used Crossrider’s platform for malware distribution, but Crossrider was not the owner or creator of that malware.
- Crossrider completely shut down the program in 2016, changed out the company’s leadership, and pivoted to the privacy and security niche.
- In 2018, Crossrider changed its name to Kape Technologies.
Now that Kape is a big player in the VPN industry, hopefully this article can help people who are considering whether or not to use Kape’s products. These products now include ExpressVPN, Private Internet Access, CyberGhost, and ZenMate VPN.
Thanks Editor for this excellent in dept analysis on Kape Technologies. Looking back at beginning of Kape, they have involved in numerous UNETHICAL yet SO CALLED LEGITIMATE activities and even WORST is PROVIDING digital intelligence for GOVERNMENT and WORKING for GOVERNMENT. Then, the shareholders of Kape decided to restructure its entire business practices and activities. There are noticeable optimistic changes but there are still noticeable things which are DUBIOUS and SCEPTICAL. From a dissapointed and frustrasted long time consumer of ExpressVPN consumer like myself, here are my humble opinion on this matter and may be a worthwhile reading.
FIRST, as a legitimate business entity and listed in London Stock Exchange like Kape Technologies, they will ABIDE THE RULE OF LAW especially in terms of thorough AUDIT (every profit from every source, must report) and MUST WILLING TO GIVE IN ANYTHING FOR NATIONAL SECURITY SAKE in the country Kape headquartered which is UNITED KINGDOM. This show it is THE FIRST IN HISTORY of a VPN provider listed in a reputed stock exchange which require integrity and transparency of every aspect to be report to government and to public. THIS CLEARLY SHOW KAPE PRIORITIZE PROFIT ABOVE ANYTHING AS THEY OWN NUMBERS OF VPN BUSINESSES AND THEY LISTED IN STOCK EXCHANGE AND THEY WILLING TO GIVE IN ANYTHING FOR PROFIT AS BEING LAW ABIDING BUSINESS ENTITY. PRIVACY IS JUST FOR MARKETING. MARKETING FOR SALES. SALES FOR PROFIT.
SECOND, Kape and ExpressVPN key people and management team EMPLOY NUMBERS OF GOVERMENT ASSOCIATES AND CRONIES from UNITED STATES, UNITED KINGDOM AND ISRAEL. One NOTICEABLE example in the ‘GOVERNMENT LINKED PERSON’ list example is ExpressVPN CIO’s Daniel Gericke.
THIRD, ACTIVIST, WHISTLEBLOWER and EX-CIA ENGINEER Edward Snowden advises ‘you should not be an ExpressVPN customer now’.
In conclusion, everyone now have WITNESS REAL FACT AND SITUATION of what Kape Technologies and ExpressVPN now. Im happy to quote from our esteemed Editor, ‘you are putting a lot of trust in the VPN itself and the people running it’. Thank you dear Editor and everyone.
TLDR. Why was the post by Motoko Kusanagi approved? He’s also shouting? C’mon Sven.
Hi KM and distinguished readers. Im sorry if made any mistake and i was not shouting. I know its long but it is worthwhile reading. Im a long time consumer of ExpressVPN and now im very dissapointed and frustrated with recent unfortunate event. ExpressVPN is good by product and services itself but with recent unfortunate event has raised a lot of question and scepticism. This is my humble expression i would like to share with like minded community for us to make better decision and understanding in subscribing a VPN service with our hard earned money.
Hi Sven, great website. RP is one of the 3 website I have bookmarked and I visit it nearly daily for new articles and new comments on the older articles.
What are the other 2 websites you visit if you don’t mind me asking?
Even with all this info, I still don’t trust Kape or their VPN services that they own. I would rather put my trust a smaller independent company for a VPN service than a large company like Kape who owns several VPN’s. Thankfully, there are several good VPN services out there that are still independent and not owned by a large company. Hopefully that won’t change anytime soon.
“And for anyone foolishly claiming that an ISP deserves your trust and is not tracking all your online activities, read this first. ”
Which is a big reason why I think comparing VPNs and TOR is like comparing apples and oranges. TOR is primarily a tool for web browsing, while VPNs are essentially a replacement for your ISP. That said, TOR isn’t completely worthless even though it is at least partially compromised by the US government. However, using TOR directly without going through a good VPN first is very foolish because it is better for your ISP to see your VPN instead of TOR.
There is another food for thought here, for privacy conscious people: if 90% of your online activities goes through your browser, or, say, through the encrypted messenger, then why do you need system-wide VPN? That means a good browser is most important. As is a good privacy mail client. If we agree that VPN is not the magic bullet anyway, you simply can’t defeat surveillance. So, keep it simple and protect what is essential.
Hi Bronco and RP Community,
Do you know much about browser finger printing?
Restorer posted some links to the finger printing test websites in the RP finger printing article comments. I have been testing my browsers against them and posting my results.
If you have an interest in good browsers you may have something to contribute?
Regards,
BoBeX
Hi BoBeX
I think a good browser is the vital part of all the privacy tools to keep your data “yours”, as much as possible. I’ve checked quite a few. Just a few months back, for example, only one or two privacy browsers could pass the test in nothingprivate.ml. On mobile, SnowHaze was the ONLY browser that did the trick successfully. Brave couldn’t, Firefox couldn’t. Now many others can do it. Which is great, you can finally choose the right one for you. My criteria for a good browser is that it should be efficient in ad blocking and trackers. And that means: no mercy for ads, if there’s no ability or customization in a browser to stop these things, or to block certain Java scripts – it’s not good enough. Turns out browsers that are good in this are very strong in anti fingerprint as well.
“leadership of Kape is still scummy”
AGREED.
This is an obvious puff piece, probably by Kape themselves, designed to exonerate rather than inform the public of their scum networks hidden in the background.
I can assure you, Flanders, that Kape did not write this article.
Hi RP Community,
I have read many, many articles produced by RP, I have found them educational and informative.
What I find most outstanding about this site is the integrity of the publisher; this is an article which informs a view that is contrary to previous published views. It is commendable to the RP publishers that they have taken this action when they believe the understood facts need to be re-established and discussed.
Most publishers shy at making and informing of corrections, this site is up front about the facts and new information about those facts.
I also admire this site for posting views that are contrary to the views of the authors; again this demonstrates integrity.
Regards,
BoBeX
Thanks BoBeX
The Kape provided parts read like something Facebook would come up with and Facebook is global malware. There’s far more to the Kape story than this, which sidesteps the Express CIO/spy and exiled owner issues, although the CIO debacle was covered here a month or so ago. Is he still there?
In some industries acquisitions are allowed to operate as they see fit as long as they send the figurative annual check to corporate. In so called Tech, this is rarely the case (Instagram, WhatsApp etc.), acquisitions are regularly compromised in major ways by corporate or disappear completely.
The future of agglomerated VPN companies (honestly, none of these companies have ever inspired trust in me at all) isn’t great. But, Kape deserves watching; if regular NEW independent audits show their VPN’s to be equivalent to the very few real VPN’s, good for them. Not holding my breath and in my case I’d never use any of them Kape or not. I used PIA and Express for a while.
Thank you for this new article as clear as water. Always good to have your expert opinion on those things and I did not expect this company to rise in my esteem.
I take this new article to ask you something new…
I read all of your secure cloud articles and ended up choosing a solution that, i think, is not listed on your site.
Could you tell us about the seriousness of Boxcryptor and Cryptomator associated with big clouds like Google Drive?
They allow end-to-end encryption with zero knowledge coupled with the speed and stability of these big clouds, but I wonder what you think of these solutions.
Best regards,
Hi Sven,
Great article.
It is commendable that you put so much effort it t setting the ledger straight.
I do wonder why Crossrider didn’t contact Symantec and Malwarebytes at the time and offer an objection and get the details corrected.
As said in previous comments, a vpn company has no business owning a vpn review site.
Regards,
BoBeX
A couple of canned statements and corporate face changes does not convince me at all that they are to be trusted in any respect. The fact they have acquired VPN review sites and are hoarding VPN providers is still a huge red flag.
The most scummy part of Kape is that they own VPN “review” sites bought for millions of dollars, and those sites list Kape´s own VPN companies as the best ones without telling readers that they are all have the same parent company, the review site and the product they recommend.
As we showed in this article, there is an ownership disclosure at the top of the site, but you have to click it to see the disclosure.
Kape has to right to tell their side of the story and I have a right to discard it. All of this being said, the fact that Express CXOs got caught hacking journalists for the Arabs, and then paid millions in fines to the US feds, doesn’t exactly raise my confidence in them. Plus the fact that they sold of Express to Kape literally in the middle of this clusterf*ck.
Sorry, but I’m happy with Proton and I’ll stick to it. Might get Nord for backup.
I’ve decided not to completely trust any one VPN with my traffic. Instead, I have selected two different VPN providers, both with DHE and RAM disks. Vpn1 is installed on my router, vpn2 is installed on all of my devices. This is the only way to achieve privacy. Believe it or not, depending on which vpns you select, there is no appreciable performance hit.
Get smart, get a fast router and two vpns.
I agree this is the best setup. And it distributes trust.
I’ve been contemplating doing this too. But I read installing VPN at the router level reduces speeds by half immediately. Is this true?
There are many factors, but most consumer-grade routers are not super fast with VPNs. The big exceptions to this are the Vilfo router and a few of the newer high-end Asus routers.
This is super safe. Another and easier way is to use VPN1 app for the system and VPN2 in-browser add-on.
“Kape is a global company that is headquartered in London and publicly traded on the London Stock Exchange.”
This sentence alone should convince everyone to avoid their acquired VPN services. Britain is every bit as bad as the U.S. in disregarding people’s privacy, and work directly with the U.S. in that regard. Their acquired VPNs may not be based in Britain, but their parent company is, which must comply with their laws.
That’s not how VPN jurisdictions work. The company HQ and the VPN HQ are not the same thing. Like NordVPN that’s entirely based in Vilnius but HQed in Panama. Also, the US and the UK have like, lots of consumer protections in digital privacy, typically moreso than many European countries.
Might not be the same thing, but in a way it matters a lot. You can run a worldwide toy company HQ’d in Panama but if the toy company’s parent company and board of directors are all based in Michigan, it’s very easy for the feds to f*ck thing up for you. The Panama jurisdiction can becoming meaningless if the parent company itself is a shi*show.
I don’t disagree with you but its also not relevant to the original point. The VPN brands of a parent company operate on their own jurisdictions, not the parent company’s.
“lots of consumer protections in digital privacy”
The laws on the books are frankly irrelevant considering the fact that both the US government and US corporations have shown that they are willing to violate your privacy whenever it is convenient for them to do so..
The leadership of Kape is still scummy, and their actions (of buying and consolidating VPNs and fudging reviews by buying review sites) speak louder than their canned statements. Kape can get bent.
I fully agree with you. They have proven that they are/still shady and people must avoid their services/products.
Considering Kape’s and its owner’s background, I would definitely take their statements with a pinch of a salt. There are more better and more secure options anyway.
Another excellent article by Sven. Enjoyed reading this. RIP ExpressVPN.
They might not be directly involved on the malware part, but the strategy of buying multiple VPN services over the years, and also buying VPN review portals to promote their VPNs, surely raises concerns.
Not just that but private internet access had a notoriously scummy ceo. Making that the first stop on their acquisition tour really cemented their untrustworthy reputation. I was getting ready to switch to expressvpn when I heard kape had acquired them. Now you couldn’t pay me to use it.
Sorry, this is unrelated to this post, but could you please review Adguard VPN, Sven?
We’re so behind on getting existing content updated, while also covering news items like this, that doing brand new reviews of other services (whether it’s email, cloud storage, VPN, messengers, etc.) are completely on hold, and this likely won’t change anytime soon.