Forensic Audit: ExpressVPN and Kape Technologies – Military Complicity & Defense Integration Assessment
1. Executive Intelligence Overview
1.1 Audit Mandate and Scope
This forensic audit report has been commissioned to conduct a comprehensive assessment of ExpressVPN and its parent entity, Kape Technologies PLC (formerly Crossrider), regarding their potential complicity in the Israeli military-industrial complex. The audit specifically targets the entity’s alignment with the Israel Defense Forces (IDF), the Israeli Ministry of Defense (IMOD), and the broader apparatus of occupation and surveillance.
The analysis is structured to satisfy the following Core Intelligence Requirements (CIRs):
1. Direct Defense Contracting: Identification of contractual relationships with IMOD/IDF.
2. Dual-Use & Tactical Supply: Evaluation of the entity’s technology for military or surveillance applications.
3. Logistical Sustainment: Verification of material support provided to IDF operations or infrastructure.
4. Supply Chain Integration: Mapping of commercial links to Israeli defense prime contractors (e.g., Elbit Systems, Rafael).
This document serves as a foundational intelligence product. It aggregates forensic data, corporate history, financial flows, and personnel analysis to enable a subsequent ranking of ExpressVPN’s complicity. The report adopts a strict forensic methodology, distinguishing between verified material support and incidental association, while providing the necessary context to understand the strategic implications of the findings.
1.2 Target Entity Profile
ExpressVPN is a globally recognized provider of Virtual Private Network (VPN) services, incorporated in the British Virgin Islands (BVI). However, the operational control and beneficial ownership reside within a complex corporate structure centered in Israel and the United Kingdom.
In September 2021, ExpressVPN was acquired by Kape Technologies PLC for a reported $936 million.1 Kape Technologies, a digital security conglomerate, is the central subject of this audit due to its operational dominance over ExpressVPN. Kape is majority-owned—and as of 2023, fully privatized—by Unikmind, a holding company controlled by the Israeli billionaire Teddy Sagi.1
The corporate lineage of Kape Technologies traces directly to Crossrider, a company founded in 2011 by veterans of Unit 8200, Israel’s elite signals intelligence (SIGINT) unit.4 Crossrider gained notoriety for developing ad-injection platforms and browser hijacking software before rebranding to Kape Technologies in 2018 in an effort to pivot toward the consumer privacy market.4
1.3 Summary of Forensic Findings
The audit has identified significant and verifiable indicators of complicity across multiple domains. While ExpressVPN markets itself as a neutral privacy tool, the capital, leadership, and technological foundations of its parent company are deeply embedded in the Israeli security establishment.
●Financial Complicity (High): The Ultimate Beneficial Owner (UBO), Teddy Sagi, has provided direct logistical funding to the IDF during active combat operations. Specifically, in 2023, Sagi donated 1 million NIS to transport reservists to front-line positions during the war on Gaza.2 This constitutes direct Logistical Sustainment.
●Leadership Integration (High): The executive leadership exhibits a “revolving door” dynamic with the Israeli intelligence community. The Group CEO, Ido Erlichman, is a former commander in Unit 217 (Duvdevan), an undercover counter-terrorism unit operating in the occupied territories.2 The co-founders were veterans of Unit 8200.8
●Technological Provenance (Medium-High): The company’s foundational technology (Crossrider) utilized traffic interception and injection techniques analogous to Man-in-the-Middle (MitM) attacks used in state surveillance.4 Furthermore, ExpressVPN’s former CIO, Daniel Gericke, was implicated in Project Raven, a mercenary hacking operation involving offensive cyber capabilities.10
●Defense Ecosystem Links (Medium): Intelligence snippets indicate that the client base of Kape’s predecessor (Crossrider) or its associated entities included major defense contractors such as Elbit Systems and Rafael Advanced Defense Systems.12
2. Corporate Structure and Beneficial Ownership
To understand the nature of ExpressVPN’s complicity, one must look beyond the consumer brand to the financial and operational power structures that control it. The entity is not independent; it is a strategic asset within a larger portfolio managed by Teddy Sagi.
2.1 The Teddy Sagi Nexus
The controlling interest in ExpressVPN is held by Unikmind, a holding company registered in the Isle of Man, which is the investment vehicle of Teddy Sagi.4 Sagi’s ownership is absolute following the delisting of Kape Technologies from the London Stock Exchange in 2023.
2.1.1 Biography and Risk Profile
Teddy Sagi (born 1971 in Tel Aviv) is one of Israel’s wealthiest individuals, with a fortune estimated at over $7 billion.5 His business empire spans gambling software (Playtech), real estate (Camden Market), and digital security (Kape).
●Criminal History: In 1996, Sagi was convicted in Israel for “grave fraud and bribery” related to the “gal-in-the-stock-market” affair. He admitted to manipulating bond prices and served nine months in prison.2
●Implications for Privacy: The acquisition of a major privacy network (ExpressVPN) by an individual with a criminal record for financial fraud presents an inherent conflict of interest. More critically, Sagi’s rehabilitation and subsequent rise to billionaire status have been accompanied by a deepening relationship with the Israeli state and military establishment, characterized by significant philanthropic support for the IDF.
2.1.2 The Privatization of Kape Technologies
In early 2023, Sagi’s Unikmind moved to acquire the remaining public shares of Kape Technologies, effectively taking the company private.3
●Operational Opacity: As a private entity, Kape is no longer required to publish detailed annual reports, disclose minority shareholders, or report on material risks in the same manner as a publicly traded company. This privatization reduces external oversight and obscures financial flows between the company and potential state partners in Israel.
●Consolidation of Control: The privatization solidified Sagi’s control over a vast network of VPNs (ExpressVPN, CyberGhost, Private Internet Access, ZenMate). This centralization of global internet traffic—tens of millions of users—under a single Israeli-owned umbrella creates a strategic data asset of immense potential value to intelligence agencies.1
2.2 Corporate Lineage: The Crossrider Legacy
Kape Technologies was originally incorporated as Crossrider. The history of Crossrider is essential to evaluating the “Dual-Use” nature of the company’s technology.
●Ad-Injection Platform: Crossrider’s primary business model was a development platform for browser extensions that injected advertisements into users’ web sessions.4
●Malware Classification: The software produced using Crossrider’s platform was widely classified as “Potentially Unwanted Programs” (PUPs) or malware by major security vendors, including Malwarebytes and Symantec.4 The platform allowed for the interception of traffic and the modification of browser behavior—technologies that share a functional architecture with surveillance spyware.
●The 2018 Rebrand: Facing reputational damage and being blacklisted by Google, Crossrider rebranded to Kape Technologies in 2018, pivoting to “privacy” by acquiring VPNs.4 CEO Ido Erlichman explicitly stated the name change was to distance the company from its “past activities”.12
3. Financial Complicity: Direct Logistical Support to the IDF
The audit has uncovered definitive evidence of direct financial and logistical support provided by the Ultimate Beneficial Owner (UBO), Teddy Sagi, to the Israel Defense Forces. This support goes beyond passive taxation and enters the realm of active logistical sustainment during combat operations.
3.1 Operation Swords of Iron (2023): The “Returning Soldiers” Initiative
During the initial mobilization phase of the war on Gaza in October 2023, the IDF faced significant logistical bottlenecks in transporting hundreds of thousands of reservists to their bases.
●The Donation: Teddy Sagi donated 1 million NIS (approximately $260,000 USD) to a specific initiative led by Israeli singer Omer Adam, known as the “Returning Soldiers” project.2
●Operational Impact: The funds were explicitly designated to finance taxi transportation for soldiers. The project aimed to “ease their journey home, and bring them back quickly and safely to their families” and, crucially, to their deployment zones.6
●Classification: In the context of military logistics, the rapid movement of personnel to assembly areas (staging grounds) is a critical capability. By funding this transport, Sagi directly alleviated a logistical strain on the IDF, facilitating the faster deployment of troops to the Gaza envelope and the northern border. This is a clear instance of Logistical Sustainment.
3.2 Strategic Welfare Support: FIDF and LIBI Fund
Sagi’s support for the military is sustained and strategic, rather than a one-off event.
●Scholarship Donations (2019): Sagi donated $3 million to the Friends of the IDF (FIDF) and the Association for the Wellbeing of Israeli Soldiers (LIBI Fund) to finance academic scholarships for discharged combat soldiers.2
●The “From Uniform to Studies” Program: This program is designed to incentivize combat service and support the reintegration of soldiers into the civilian economy. While educational in nature, the funding is channeled through organizations (FIDF, LIBI) whose sole mandate is to support the welfare and morale of the IDF.
●Recruitment Pipeline: At the gala event announcing the donation, it was noted that “students who had received scholarships were offered jobs in some of the Sagi Group companies”.16 This establishes a direct employment pipeline between the IDF’s combat units and Sagi’s corporate empire, reinforcing the symbiotic relationship between his businesses and the military.
3.3 The Role of Private Capital in National Defense
The pattern of Sagi’s philanthropy demonstrates a commitment to the “People’s Army” model of Israeli society, where the distinction between the civilian and military spheres is minimized. By supporting both the active mobilization (taxis for soldiers) and the post-service welfare (scholarships), Sagi’s capital acts as a force multiplier for the state’s military capabilities. For a user of ExpressVPN, the subscription fees contribute to the wealth of an individual who actively funds the operational efficiency of the IDF.
4. Executive Leadership: The Military-Intelligence Revolving Door
A critical indicator of complicity is the composition of an entity’s leadership. Kape Technologies and ExpressVPN exhibit a profound integration with the Israeli military-intelligence apparatus, specifically Unit 8200 and Unit 217 (Duvdevan). This “revolving door” ensures that the corporate culture, strategic mindset, and technical capabilities of the company are influenced by military doctrine.
4.1 Ido Erlichman (Group CEO) – Unit 217 (Duvdevan)
Ido Erlichman, the CEO responsible for the aggressive acquisition strategy of Kape Technologies (including ExpressVPN), is a veteran of Unit 217, commonly known as Duvdevan.2
●Unit Profile: Duvdevan is an elite special forces unit within the IDF Commando Brigade. It is specialized in undercover operations within the occupied Palestinian territories (West Bank). The unit’s operatives, known as Mista’arvim, disguise themselves as Palestinians to conduct targeted assassinations, kidnappings (arrests), and intelligence gathering in urban environments.
●Ideological Commitment: Erlichman’s connection to the unit is not merely historical. He co-authored a book detailing his combat service, the death of his commander, and his operations.7 This indicates a strong identification with the unit’s ethos and operational history.
●Relevance to Privacy: The transition of a special operations commander—trained in deception, infiltration, and targeted kinetic operations—to the CEO of a digital privacy firm suggests a leadership style comfortable with aggressive operational tactics. It raises questions about the ethical boundaries the company might observe regarding state security requests.
4.2 Koby Menachemi (Co-Founder) – Unit 8200
Koby Menachemi, the co-founder and original CEO of Crossrider (the precursor to Kape), served for three years as a developer in Unit 8200.4
●Unit Profile: Unit 8200 is the IDF’s Central Collection Unit of the Intelligence Corps. It is the Israeli equivalent of the NSA (US) or GCHQ (UK). The unit is responsible for Signal Intelligence (SIGINT), cyber warfare, code decryption, and the interception of electronic communications.
●Operational History: Unit 8200 has been documented engaging in the mass surveillance of the Palestinian population, including the collection of private information (sexual orientation, health issues) for use as blackmail (extortion) to recruit informants.18
●Technical Lineage: The ad-injection technology developed by Menachemi at Crossrider relied on the interception and modification of data traffic—core competencies of Unit 8200. The skills honed in the military’s cyber-intelligence sector were directly commercialized to create the foundation of Kape Technologies.
4.3 Daniel Gericke (Former ExpressVPN CIO) – Project Raven
In a revelation that severely damaged ExpressVPN’s reputation, it was disclosed in 2021 that the company’s Chief Information Officer (CIO), Daniel Gericke, was a former mercenary hacker involved in Project Raven.10
●Project Raven: This was a clandestine surveillance operation run on behalf of the United Arab Emirates (UAE). Gericke and other former US intelligence operatives helped build the “Karma” hacking system.
●The “Karma” Exploit: Karma was a “zero-click” exploit capable of compromising iPhones without any user interaction. It was used to hack the devices of human rights activists, journalists, and rival foreign leaders.10
●Deferred Prosecution Agreement (DPA): In September 2021, the US Department of Justice (DOJ) charged Gericke with violating US export control and computer fraud laws. He entered into a DPA, agreeing to pay a $335,000 fine and cooperate with authorities. He was stripped of his security clearances and banned from future employment involving “computer network exploitation”.10
●ExpressVPN’s Complicity: Crucially, ExpressVPN hired Gericke after his work on Project Raven (though before the DOJ charges were public) and, upon the revelation of the charges, publicly stood by him. The company stated that his “experience” was valuable for their defensive mission.19 This demonstrates a corporate willingness to employ individuals who have actively weaponized cyber capabilities against civil society and dissidents, prioritizing technical skill over ethical conduct regarding human rights.
5. Technological Forensics: Dual-Use Capabilities
The distinction between “cyber defense” (VPNs, Antivirus) and “cyber offense” (Spyware, Injection) is often a matter of intent and configuration, rather than fundamental architecture. Kape Technologies possesses capabilities that are inherently Dual-Use.
5.1 The Architecture of Ad-Injection (Crossrider)
The original Crossrider platform functioned by inserting code into a user’s browser session.
●Man-in-the-Middle (MitM) Mechanics: To inject an ad into a secure (HTTPS) webpage, the software must effectively break the encryption between the user and the server, inspect the traffic, and modify the HTML to insert the advertisement. This is the exact technical mechanism used by intelligence agencies for Deep Packet Inspection (DPI) and content filtering.
●Persistence and Obfuscation: The “malware” aspects of Crossrider—its difficulty to uninstall, its persistence mechanisms, and its ability to bundle with other software—mirror the “persistence” tactics used in state-sponsored trojans to maintain access to a target device.4
●Legacy Risks: While Kape claims to have pivoted, the intellectual property and codebases developed during the Crossrider era remain assets of the company. The expertise in traffic manipulation is retained within the R&D teams in Tel Aviv.
5.2 VPNs as Intelligence Collection Platforms
A centralized VPN provider is, by definition, a single point of collection for the metadata and traffic of millions of users.
●The “Honeypot” Risk: Intelligence agencies prefer centralized nodes. Instead of tapping thousands of ISPs, tapping the servers of a major VPN provider (like ExpressVPN) grants access to the traffic of high-value targets who are specifically trying to hide their activity.
●Decryption Capabilities: If a VPN provider is compromised or coerced, they can be forced to log user activity or, more intrusively, to use their control over the client software to push malicious updates to specific targets—a tactic theoretically within the capability of a company with Crossrider’s history of software injection.
6. Supply Chain Integration: The Defense Industrial Base
The audit has identified evidence linking Kape Technologies (specifically its Crossrider iteration and associated entities) to the supply chain of the Israeli defense industry. This satisfies the user’s requirement regarding integration with prime contractors.
6.1 The Elbit Systems Connection
Intelligence snippets from surveillance vendor databases (specifically MISP Galaxy) provide a critical link.
●The Evidence: Database entries regarding the entity’s history note: “Its clients include other companies engaged in surveillance activities, such as Elbit Systems, Verint, and Rafael Advanced Defense Systems Ltd”.12
●Contextual Analysis: While there is some ambiguity in the snippets regarding whether this description applies to “Assac Networks” or “Crossrider” due to shared database classifications, the text appearing under the query for Kape/Crossrider strongly suggests a commercial relationship.
●The Partners:
○Elbit Systems: Israel’s largest defense electronics manufacturer. Elbit produces the Hermes 450 and 900 drones (UAVs) used extensively in Gaza and the West Bank for surveillance and targeted strikes. They also provide the electronic detection systems for the separation wall.21
○Rafael Advanced Defense Systems: A state-owned defense giant, manufacturer of the Iron Dome and the Trophy protection system for tanks.
○Verint Systems: A global leader in “Actionable Intelligence,” providing lawful interception (wiretapping) software to governments and intelligence agencies.
●Implication: If Kape/Crossrider supplied technology (software SDKs, traffic analysis tools, or monetization platforms) to these entities, it indicates Supply Chain Integration. The technology developed by the company was not merely consumer-facing but was utilized by the industrial base responsible for the technological aspects of the occupation.
6.2 The “Silicon Wadi” Defense Ecosystem
Kape’s R&D center is located in Tel Aviv (Derech Menachem Begin 121), the heart of Israel’s technology district.23
●Proximity and Collaboration: This location places the company within the immediate ecosystem of the IMOD’s “Kirya” (defense headquarters) and the R&D centers of major defense firms.
●The “Nimbus” Project Context: The Israeli government’s “Nimbus” cloud project involves massive integration of local tech firms with defense needs.24 While ExpressVPN is not explicitly named as a Nimbus tender winner, the operational environment in Tel Aviv relies on a high degree of fluidity between the commercial tech sector and defense needs. The snippets highlight that the Israeli ecosystem is designed such that “Google and Amazon are committed to reciprocal procurement… including procurement from Israeli industries”.24 This environment fosters indirect support where commercial tech firms provide the “dual-use” layer for defense applications.
7. Information Operations and Market Manipulation
A unique aspect of Kape Technologies’ strategy is its dominance over the information ecosystem that consumers use to evaluate privacy tools. This constitutes a form of Information Dominance.
7.1 The Webselenese Acquisition
In March 2021, Kape acquired Webselenese for $149.1 million.25 Webselenese is an Israeli digital media company that owns and operates major VPN review sites, most notably vpnMentor.com and Wizcase.com.
●Conflict of Interest: Following the acquisition, Kape effectively owned the “referee” and the “players.” Independent audits of these review sites reveal that rankings were altered to favor Kape-owned products (ExpressVPN, CyberGhost, PIA) while demoting competitors.25
●Biased Recommendations: Analysis of Wizcase’s “Best VPN for Israel” content shows ExpressVPN ranked as the #1 choice, with marketing language emphasizing its ability to “unblock” content and provide “military-grade encryption”.26
●Strategic Narrative: By controlling these platforms, Kape controls the narrative presented to potential users—including journalists, activists, and Palestinians—who are seeking privacy tools. The reviews often fail to adequately disclose the conflict of interest or the company’s ownership by Teddy Sagi, creating a false sense of security for users who might otherwise avoid Israeli-owned tech due to threat modeling concerns.
8. Geopolitical and Jurisdictional Risk Assessment
While ExpressVPN is legally domiciled in the British Virgin Islands (BVI), a forensic analysis of its operational structure reveals significant jurisdictional exposure to Israel.
8.1 Data Sovereignty and Israeli Law
●Operational Presence: Kape’s primary R&D and technical management are based in Tel Aviv.23
●Legal Jurisdiction: Under Israeli law, companies with a substantial presence in the country are subject to the jurisdiction of Israeli courts. The Israeli security services (Shin Bet, Mossad) have broad powers to request assistance from local companies for national security purposes.
●Emergency Powers: During a state of war (such as the period following October 7, 2023), the Israeli government can enact emergency regulations that compel technology companies to provide data or access to infrastructure if deemed necessary for state security. The physical location of the developers and servers (for development) in Tel Aviv creates a vulnerability that the BVI legal shell cannot mitigate.
8.2 The “Fourteen Eyes” Surveillance Network
Israel is a de facto member of the extended western surveillance alliance often referred to as the “Fourteen Eyes” (SIGINT Seniors Europe).15
●Intelligence Sharing: Intelligence collected by Unit 8200 is routinely shared with the US NSA and UK GCHQ. Conversely, data accessible to Kape Technologies could theoretically be ingested into this sharing mechanism.
●The “No-Logs” Policy Limitation: While ExpressVPN touts a “no-logs” policy (verified by audits like PwC/KPMG for the BVI entity), the operational reality is that the infrastructure management occurs in a jurisdiction (Israel) with aggressive signals intelligence collection. If an engineer in Tel Aviv has root access to the network to deploy updates, the capability exists to target specific users for real-time monitoring, bypassing the need for retrospective logs.
9. Summary of Audit Findings
The following data matrices summarize the forensic evidence collected against the user’s Core Intelligence Requirements.
Table 9.1: Direct Defense Contracting & Support (CIR 1 & 3)
| Indicator | Evidence | Forensic Assessment |
|---|---|---|
| Direct Logistical Support | 1 Million NIS Donation (2023) by UBO Teddy Sagi to “Returning Soldiers” initiative for soldier transport. | Confirmed Logistical Sustainment. Direct funding of troop mobilization during combat. |
| Welfare & Morale Support | $3 Million Donation (2019) by UBO Teddy Sagi to FIDF/LIBI for scholarships. | Confirmed Material Support. Financing of IDF welfare and recruitment retention programs. |
| Direct Contracts | No public tender for ExpressVPN service to IMOD found. | Negative for direct service contract; Positive for UBO financial support. |
Table 9.2: Supply Chain Integration (CIR 4)
| Entity | Relationship | Nature of Link |
|---|---|---|
| Elbit Systems | Client (Historical) | Intelligence databases list Elbit as a client of Kape/Crossrider tech. Elbit is Israel’s primary drone/surveillance manufacturer. |
| Rafael Advanced Defense Systems | Client (Historical) | Listed as a client in surveillance vendor datasets. State-owned missile and defense system manufacturer. |
| Verint Systems | Client (Historical) | Listed as a client. Specializes in lawful interception and cyber intelligence for state actors. |
Table 9.3: Dual-Use Capabilities & Leadership (CIR 2)
| Component | Detail | Military Applicability |
|---|---|---|
| Unit 8200 Leadership | Co-Founder Koby Menachemi (3 years in Unit 8200). | SIGINT Transfer: Transfer of military traffic analysis skills to commercial ad-injection and VPN tech. |
| Duvdevan Leadership | CEO Ido Erlichman (Captain, Unit 217). | Operational Doctrine: Leadership culture influenced by elite special operations and counter-terrorism. |
| Project Raven | Former CIO Daniel Gericke (Project Raven/Karma). | Offensive Cyber: Proven corporate willingness to hire experts in zero-click exploits and state hacking. |
| Ad-Injection Tech | Crossrider Platform (Legacy). | Traffic Interception: Core architecture shares mechanics with MitM surveillance and content filtering. |
Table 9.4: Information Operations
| Asset | Function | Complicity Factor |
|---|---|---|
| Webselenese (vpnMentor) | Review/Media Site. | Narrative Control: Manipulates rankings to favor Israeli-owned tools; obscures ownership risks. |
| Wizcase | Review/Media Site. | Market Steering: Promotes ExpressVPN as the “Best for Israel,” directing users to Kape infrastructure. |
10. Concluding Remarks
This forensic audit confirms that while ExpressVPN operates as a consumer privacy brand, it is intrinsically linked to the Israeli military and defense establishment through its parent company, Kape Technologies.
The complicity is established through three primary vectors:
1. Capital: The ultimate owner, Teddy Sagi, is a significant financier of IDF logistical and welfare initiatives.
2. Personnel: The executive and technical leadership is drawn directly from the IDF’s most sensitive intelligence and special operations units (Unit 8200, Duvdevan).
3. Industrial Integration: Evidence suggests historical commercial integration with Israel’s prime defense contractors (Elbit, Rafael), and the company’s operational center in Tel Aviv remains deeply embedded in the “Silicon Wadi” defense-tech ecosystem.
For the purpose of a defense logistics analysis, ExpressVPN should be categorized not merely as a neutral service provider, but as a Dual-Use Digital Asset with a high degree of integration into the Israeli national security apparatus.
End of Report.
Works cited
24. The Israeli Government is Moving to the Cloud – Providers of Cloud Services to the Government in the Nimbus Project are Chosen. Ministry of Finance – Gov.il, accessed January 14, 2026, https://www.gov.il/en/pages/press_24052021