Originally published on May 29, 2019, last updated on July 5, 2019
This article is periodically updated to reflect the TorGuard lawsuit against NordVPN and ongoing developments, which are posted at the bottom.
- Update 1: TorGuard amends lawsuit after erroneously naming the wrong party
- Update 2: TorGuard files another complaint, tweets more allegations
In an interesting turn of affairs, TorGuard recently announced on Twitter that it is suing NordVPN and a Canadian web hosting provider, C-Seven Media, Inc.
We have a full copy of the lawsuit that was filed in a Florida district court, which you can read here.
Why is a US VPN service in Florida (TorGuard) suing a VPN service based in Panama (NordVPN) and a Canadian web hosting provider (C-7)?
Buckle up, because this is about to get interesting!
First we’ll examine the events leading up to the lawsuit and then we’ll take a close look at the lawsuit and the specific allegations.
May 20, 2019: TorGuard alleges it was “blackmailed” by another VPN
On May 20, 2019, TorGuard published an interesting blog post where they allege the following events took place:
- An “unknown individual showed up uninvited at a staff member’s personal residence asking to speak about the VPN industry.” The TorGuard employee also received emails on a personal account from this “unknown individual” from a competing VPN service.
- During the conversation, the individual asked for a “gentleman’s agreement” to persuade a TorGuard affiliate by the name of “Tom Spark reviews” to “remove negative content from YouTube” he had published about the competing VPN service.
- Then the individual revealed he had “damaging information” about TorGuard regarding a security flaw, which would “be released” if TorGuard did not agree to the demands.
- TorGuard acknowledged the flaw, but stated the server “had not been used for installs” since January 2018 and claimed there was “no security risk” to their users.
- TorGuard then investigated the issue, which led them to believe a web hosting company was involved, and promised “pending legal action.”
In the blog post, TorGuard does not name NordVPN or the hosting company involved, but the title of the post alleges that this was an attempt at “blackmail”. Four days later, TorGuard filed the lawsuit.
May 24, 2019: TorGuard Sues NordVPN and C-7 Hosting
Just four days after the alleged “blackmail” incident, TorGuard filed a lawsuit in an Orlando, Florida (USA) district court against NordVPN and C-7 web hosting.
Here are ten important details from the lawsuit (TLDR):
- TorGuard (Data Protection Services, LLC based in Florida) is suing NordVPN (Tefincom S.A. based in Panama) and C-7 (C-Seven Media, Inc. based in Canada).
- The lawsuit opens with an attack on NordVPN for “misleading” advertising and “dishonestly” leasing IP addresses from ARIN (even though these things have nothing to do with the allegations at hand).
- TorGuard claims that NordVPN has “threatened TorGuard” with previous legal action from “General Counsel Legal Affiairs Tefincom S.A.”
- TorGuard then claims that NordVPN “orchestrated strategically timed” DDOS attacks against TorGuard’s website on Black Friday, which resulted in “significant economic and reputation damages.”
- TorGuard is seeking injunctive and equitable relief, damages “in excess of $75,000”, recovery of all profits that were lost, all legal fees associated with the case, “exemplary damages” in the amount of “twice the actual losses” incurred, and “additional relief” that the Court decides is “fair and equitable.”
- TorGuard alleges that C-7 is “affiliated with or controlled by NordVPN” and that C-7 solicited a “purchase offer” on behalf of NordVPN.
- In 2018, TorGuard contracted with C-7, which is how C-7 had access to TorGuard’s “confidential and trade secret information.”
- TorGuard alleges that this “confidential and trade secret information” was then provided to NordVPN, which was the subject of the alleged “blackmail” attempt on May 17, 2019 concerning security flaws.
- In the lawsuit, TorGuard states that NordVPN requested a “gentleman’s agreement” whereby NordVPN would not publish TorGuard’s security flaws if TorGuard could get one of their affiliates [Tom Spark reviews] to remove YouTube videos that were critical of NordVPN.
- TorGuard is demanding a jury trial and alleges that the defendants (NordVPN and C-7) violated Florida’s Computer Abuse and Data Recover Act (“CADRA”), the Florida Uniform Trade Secrets Act (“FUTSA”) and also “Tortious Interference” with regard to TorGuard’s business relationships.
Now that we’ve covered the main points of the twelve-page lawsuit, let’s examine a few more questions.
Is TorGuard throwing mud? Is the lawsuit legit?
The VPN industry is very competitive and there is a lot at stake. That might be the biggest factor in explaining all this drama we’ve seen lately, with different VPN providers openly attacking each other in various venues (online and in court).
It seems clear that TorGuard has taken a hit due to various DDOS attacks, but the lawsuit does not appear to have any smoking gun evidence linking this to NordVPN.
Another big question is whether this Orlando, Florida court has legitimate jurisdiction to hear a case against NordVPN, which is based in Panama, and C-7, which is based in Canada. Neither of these businesses has a physical presence in Florida, so perhaps the lawsuit will simply be thrown out.
NordVPN’s official reply
NordVPN has provided Restore Privacy with an official statement, hot off the press on May 29, 2019:
We are aware of the lawsuit, although it is rather difficult to take it seriously. All accusations are entirely made up. TorGuard (although probably by mistake) even filed a lawsuit against some Canadian web design company which we never heard about.
We received information that led us to finding TorGuard server configuration file available on the internet. We then noticed that one of their servers was left completely unprotected and publicly accessible for anyone. It contained private keys, scripts, and a number of other extremely sensitive information, which if misused, could have caused TorGuard and their customers some serious harm.
We disclosed the vulnerability to them with the best intentions. It is a normal practice and just the right thing to do, but they decided to file a lawsuit for blackmail. We didn’t even want to make it public.
We are very much looking forward to the following process. Also, now we have no choice but to take countermeasures.
You can also find our blog post about this case right here: https://nordvpn.com/blog/torguard-lawsuit/
NordVPN’s blog post response also makes some interesting claims.
It all started when we received information that led us to finding a TorGuard server configuration file lying in the open on the internet.
The file revealed how the TorGuard service was configured, displayed private keys, and contained a bunch of other infrastructural IP addresses, including the IPs of their authentication servers and similar assets. Because the file could have been part of some outdated legacy system, we decided to verify whether it was actually an issue by trying to access some of the IPs through a regular browser.
To our surprise, we saw that one of the servers was left completely unprotected. Anyone could have accessed it by simply entering the server’s IP into the address field of their browser. The server contained a number of scripts and other sensitive information. In the wrong hands, this information could have easily been misused, possibly causing major damage to TorGuard and their customers.
The post then explains how NordVPN communicated the security problem to TorGuard’s CTO Keith Murray and TorGuard CEO Benjamin Van Pelt “without asking for anything in return” – i.e. no “blackmail” attempts. NordVPN also alleges that TorGuard may have been involved in a “defamation campaign” targeting NordVPN.
Finally, NordVPN denies the other allegations of DDOSing and unauthorized access, which they claim are “fabricated” by TorGuard.
NordVPN concludes the post by stating their intent to counter-sue:
We will immediately move to dismiss TorGuard’s libelous lawsuit, but as long as we’re on the topic: filing false and malicious lawsuits and publishing false and misleading information is against the law. Therefore, we are filing a suit of our own on the grounds of defamation and libel.
We’ll closely watch how this all plays out and update this article accordingly.
TorGuard’s second time being accused of security flaws?
For the record, this is also not the first time that TorGuard has been publicly accused of security flaws.
In 2015, VPN.ac, a VPN provider based in Romania, published an article detailing how TorGuard copied VPN.ac’s browser extension design, used VPN.ac’s API, and also implemented their browser proxy service insecurely.
As VPN.ac explained in the blog post:
It’s not only the design that’s similar, but they also use the same geo-location API server address (highlighted in the comparison image above). This is our own geo-IP API server that we’re using internally (for software, extensions etc.).
Fyi, using someone else’s API servers, as a VPN service, is a very irresponsible mistake – just terrible from a security & privacy point of view. What they do by using someone else’s servers such as our API service, essentially, is to expose all their Chrome Proxy users’ IPs to a competitor. We don’t interfere with the queries in any way, but you should be aware that a malicious competing service could make use of such opportunity to log IPs of users or even worse, redirect them or forge the JSON replies to mess-up with the extension functionality: e.g. trolling scenario where connected location will display “Fort Meade, Maryland” regardless of real gateway IP location.
VPN.ac listed other security flaws as well:
- Torguard stores the credentials in clear-text; we are XORing the pass to protect it against spyware that will search all over the place for clear-text credentials;
To reproduce: add some credentials and save them > right click on extension > Inspect popup > Resources > Local Storage - Torguard gets the up-to-date list of proxy gateways over HTTP (again in clear-text); we get them over HTTPS (A+ on Qualys/mirrored results): from Torguard’s background.js, from our background.js;
The obvious risk of providing server IPs over HTTP is that they can be easily hijacked in a MitM attack; - Torguard’s HTTPS proxy is highly insecure: uses insecure ciphers like RC4, supports SSL 3, is vulnerable to POODLE attack, doesn’t provide Forward Secrecy. Gets a shameful Grade C on Qualys test. Result mirror 1, mirror 2 (to see the original result). And this is our result/mirror (FS enabled, no weak ciphers, support only for TLS 1.1 and 1.2);
Now returning to the TorGuard and NordVPN lawsuit.
Conclusion on the TorGuard and NordVPN lawsuit
Time will tell how this all plays out.
While TorGuard has previously been in the news for security flaws, NordVPN was also in the news last summer for another lawsuit involving Hola VPN.
At the end of the day, it’s a shame that VPN in-fighting is getting dragged out in such a prominent and open manner. Not only does it hurt the VPN services involved, but it also damages the credibility of the entire industry.
I’ll keep this article updated as information becomes available.
Update 1: TorGuard erroneously names the wrong party in the lawsuit
In a surprising failure of due diligence, TorGuard has officially named the wrong party in their lawsuit.
As reported by the Orlando Sentinel:
An Orlando tech company on Thursday amended a federal lawsuit because it apparently named the wrong Toronto-based defendant in the initial filing.
TorGuard, which offers clients virtual private networks, or VPNs, had accused a company called C-7 of obtaining its trade secrets illegally and then using that information in a blackmail scheme.
However, when attorneys for C-7 reached out to TorGuard’s legal team to learn more, they discovered that TorGuard had incorrectly named their company in the suit.
The amended filing now names Collective 7 Inc., also located in Toronto, as the defendant.
Oops!
Looks like someone failed to do the necessary due diligence before filing a major lawsuit in district court.
Update 2: TorGuard files a complaint and tweets allegations
On June 26, 2019, TorGuard filed a complaint before the Middle District Court of Florida Orlando Division. I read through the entire complaint and it does not offer any new evidence or developments. Instead, it’s just a re-hash of what the original lawsuit already covered, which we discussed above.
TorGuard announced this update via their Twitter handle. In addition to tweeting about the complaint, TorGuard also posted a screenshot that appears to be part of an exchange that took place on a messaging platform.
"However much you deny the truth, the truth goes on existing." – George Orwell pic.twitter.com/tKRvLFtJFE
— TorGuard (@TorGuard) June 27, 2019
I’m hesitant to draw any conclusions here, since this is a small snippet of a conversation, but it does seem to suggest that NordVPN was requesting certain content be taken down. Is this “proof of blackmail”? Who knows. We’ll see how it all plays out in court.
Last updated on July 5, 2019.
I used TG for almost three years & always liked their services until they suspended my account with no warning. It was eventually re-activated after almost a week. After that, I decided to give NordVPN a try due to their 3 year pricing incentive and have been a happy customer since. I find Nord’s speeds and connection time much faster than TG.
> “proof of blackmail”? Who knows.
Hi Sven, how about proof of censorship? Does it trouble anyone else that NordVPN wants to censor some small time Youtuber’s videos? I find that disgusting behavior for a VPN company.
Sven, why doesn’t this article mention that this is the second time NordVPN is being sued? This makes me believe that Nord is in the habit of dueing questionable business practices.
First stealing botnet software, and now blackmailing another VPN provider to push censorship? Didn’t you think that was relevant? Also this article doesn’t mention the entire Tesonet scandal which you covered before as well. I think these things are very important to mention.
Also why doesn’t this article show the latest update that TorGuard posted (IMO, this shows proof that NordVPN did threaten TorGuard).
Otherwise, great work on this site! Keep up the work bud.
“why doesn’t this article mention that this is the second time NordVPN is being sued?”
Umm… it actually does, with a link to my article from last summer. See the conclusion.
You also said, “why doesn’t this article show the latest update that TorGuard posted”
In terms of allegations, it’s nothing new, but instead just a selected screenshot. I’ll include it in the next update.
True enough, you did include that part. But it’s at the end ? Shouldn’t it be more towards the front of the article (where more people read?)
Also, still disapointed you have discounted the entire tesonet thing. When NordVPN was first a website, the only two languages they supported was Lithuanian. You don’t think that’s weird? See here: https://nordvpnsucks.blogspot.com/2018/11/screen-capture-of-nordvpns-old-web-page.html
Also, the person talking to TorGuard seemed to be “Tom” from Tom Okmanas, Co-founder of Tesonet? What more proof do you need? Can you change the nordvpn tesonet article now
Hi Burner, I’m the person behind that blog. All I did was find a bunch of loose ends, and tie them together in a pretty bow. Nordvpn is not based in Panama, it’s in Lithuania. Tefincom S.A. is just a shell company. I’ve since figured that just about any vpn that is “based in” one of these small tax haven countries, is going to have just a shell company. There’s an easy way to check it, if you have their actual address in that country – google the address, and see how many other companies are at the same address. If you get a bunch at the same suite # in the same building, then you have a shell company. I went through this with surfshark, which was very disappointing. I’m deciding after a couple years of trying out vpn’s, that they are pretty much all assholes. I will still use them, but with chaining.
Sven, you have been very active in pointing out all the negative parts, bringing up a the vpn.ac issue is a bit of a stretch, there was no security issue, the extension was the fault of a third party developer which was fixed very fast when brought to there attention – you have not mentioned the latest update on Twitter for torguard which clearly shows NordVPN are lying scumbags, care to update your article?
“bringing up a the vpn.ac issue is a bit of a stretch”
I disagree. There was a security issue then, and there are security issues at the heart of this case.
“there was no security issue”
There were numerous security issues, as explained in this VPN.ac article.
“the extension was the fault of a third party developer which was fixed very fast when brought to there attention”
Ok, so you must work for TorGuard if you know it was a “third party developer” who was to blame. All I have to go off are the screenshots and evidence shown in this article.
“you have not mentioned the latest update on Twitter for torguard which clearly shows NordVPN are lying scumbags”
lol There’s nothing to update, but you clearly have your mind made up. TorGuard filed a complaint recently, which did not include any new information, but instead the same allegations I already listed above. There’s a screenshot that appears to be part of a conversation, but what’s the context? Who knows. I’ll update the article when there’s new information.
Why is it that when someone points out some descrepancies that they must automatically work for torguard or someone else? The fact it was to do with a third party developer was both mentioned on the bestvpn.com website and some others, btw before vpn.ac mentioned this there extension previously had the same flaws, the extension was basically a template of vpn.ac extension apparently and the so called security flaw was to do with the extension checking some ip check tool belonging to them so all they had was random ip’s connecting to there ip check tool as you would see on a webserver, not like you could relate that up to an individual or a activity – it was blown up to get some PR as they really needed it. The screenshot if you care to read it refutes any claims by NordVPN that they innocently let TorGuard know of some secret information that was supposedly handed over to them over a live chat session (yeah right) – as you can see there real agenda was to just blackmail TorGuard to remove affiliate content they didn’t like.
You said it was a third party developer who was to blame, not TorGuard, apparently. I figured if you knew who was “really” to blame, then perhaps you are within the company. The VPN.ac blog post is the only article I’ve seen covering the topic. I read the screenshot snippet, and I agree it suggests that NordVPN wanted some content removed, apparently, but again, this allegation has already been made, as I pointed out above, first published in late May.
Sven i have read your articles and reviews for some time and i can’t help but see that your most favourable towards Nord and VPNAC as they appear to rank high on your review list, your dismissing evidence as if it is nothing, it is certainly something worth noting, it seems like this is a taster with more to come, may just be a screenshot but it certainly looks legit to me and dismisses the NordVPN story of innocence, why doesn’t that concern you? its quite embarrassing really.
It’s a serious rabbithole one enters if they decide to research the VPN scene. The amount of scummy behaviour exhibited is gobsmacking at times. I applaud your dexterity, Sven. Chapeau bas!
It’s also quite crazy how much money NordVPN is able to throw around for marketing. I was at my mother’s house last week setting up a new router for her (old one was ISP issued garbage) and tested speeds by installing the Speedtest app on her iPhone. There was a little VPN tab at the bottom, and guess what? Yup, NordVPN again. I heard they even run ads on TV in some regions. If true, these guys either have a gigantic customer base, or they’re bankrolled by some nefarious money laundering or shadow banking cartel.
I have a question. Could anyone benefit by having the VPN sites fighting with each other. Think about that for a minute. I bet you will all come up with the answer I did
Well yeah, when VPNA fights with VPNB, then VPNC sits in the background and enjoys the show, right?
I use NordVPN and when I saw the tittle I got a little concerned because this is the 2nd time I heard about something “bad” about their practices in the past couple of months. After reading the whole article, I feel like this lawsuit is an attention-seeking incompetent company looking make their name heard by trying to damage someone else reputation. Regardless, I’ll stay neutral and keep track of the development in the future. This might not affect me directly, but I’ll wouldn’t support a company with “shaddy” tactics like these if it turns out to be true.
I would maybe have a look at the latest update: https://twitter.com/TorGuard
I’m leaving NordVPN today, shady tactics indeed and they completely denied any wrongdoing stating they were just pointing out something in good faith, my ass, I knew something was up.
Ok, TLTR.
I don’t understand what the issue is here for consumers? The VPN providers can do things out and I don’t care unless it affects the users/customers.
Sven, please explain why this of any interest to us?
Well, two large VPNs suing each other over “blackmail” allegations is big news, but I see your point, it doesn’t directly affect end users per se…
You are saying it right, but they need it as part of marketing. 🙂
The law on trade secrets vs patents is radically different. Trade secrets while having some means to defend against, in effect forgo conventional legal protections afforded by copyright and patent.
—
If C-SEVEN is bound to NordVPN that could have impact on the practicality of dragging one or both to Florida. There are also potentially crimes that laws all 3 countries can’t just ignore.
—
I for one would like to see it go to court, in hope that some truth be found and if warranted, proper punishments. Alas, if there is any stable ground for TorGuard to stand on, things will perhaps simply end with some sort of out of court settlement and no truth to be learned from any of it — other than what drama people and their money pursuits can cause.
—
The whole who blogs the best and loudest, points the most fingers sideshow is all a disgrace along with it’s actors.
Wow, great eye opening article at what a disaster Torguards security team is at their 1 job. I am watching Tom Sparks review on vpn affiliates, and it doesnt surprise me that the reason why it seems everyone is pushing Nord these days on youtube is simply because they have the most payout to the pusher, not necessarily that the product Nord is that good. I mean atleast its not HideMyAss or PureVPN, or others. Tom mentioned AirVPN which is great, but why is PIA left out i wonder. I know this website has some bias against PIA or atleast their customer service record, but maybe im just imagining things. In any case, i am glad these things are coming out in the open.
Hi Tim, you said “I know this website has some bias against PIA or atleast their customer service record”. Actually with the latest PIA review update, I’ve found PIA to have made many improvements in the past year, including improved support response times.
I think you’re mistaken. I see NordVPN being pushed heavily online by review sites like VPN Mentor, but as far as Youtube and other online sites go, IP Vanish is the one most everyone is promoting especially if it’s a Kodi site.
I wouldn’t go near IP Vanish as I feel they can’t be trusted with your security and their “no log” policy.
Ugh more VPN drama.
Rather than attacking each other, why don’t VPNs just focus on improving their service and doing a good job? Seriously, this is getting old.
…because a lie goes twice around the world while the truth is still getting it’s boots on.
As long as enough people believe their accusation & do not carry out any due diligence & maybe sign up for a company that is a “victim” of another “monopoly” company, that’s all that matters.