The virtual private network (VPN) and broader consumer cybersecurity industry have transitioned from a decentralized collection of independent privacy advocates into a highly consolidated landscape characterized by massive holding companies and significant private equity involvement. Surfshark, a primary subject of this audit, represents a critical node in this consolidated network. Originally established as a standalone entity in 2018, the company rapidly ascended the market rankings through aggressive marketing and technical innovation, eventually merging with Nord Security in February 2022 to form what the leadership describes as a “cybersecurity powerhouse”.1 This merger was not merely a financial transaction but a strategic alignment of two of the largest entities in the industry, both of which were fostered by the Lithuanian business incubator Tesonet.3
This forensic audit evaluates Surfshark’s operations through the lens of military complicity, specifically regarding its material or ideological intersections with the Israeli Ministry of Defense (IMOD), the Israel Defense Forces (IDF), and the broader security-surveillance apparatus of the State of Israel. The audit is structured to address four core intelligence requirements: direct defense contracting, dual-use supply, logistical sustainment of military infrastructure, and supply chain integration with prime Israeli defense contractors such as Elbit Systems, Israel Aerospace Industries (IAI), and Rafael Advanced Defense Systems.
Historically, the VPN sector has been scrutinized for its proximity to intelligence services and state security agencies. While competitors like Kape Technologies have documented roots in the Israeli security sector through ownership by Teddy Sagi and its precursor firm Crossrider, Surfshark’s corporate genealogy is predominantly tied to the Baltic technological expansion.5 However, the operational reality of maintaining global network coverage necessitates physical infrastructure within sovereign Israeli territory, specifically in Tel Aviv, creating an incidental logistical link that this report investigates in detail.7
| Milestone Year | Event Description | Organizational Impact |
|---|---|---|
| 2018 | Launch of Surfshark VPN | Entry into the consumer privacy market. |
| 2019 | Release of Alert & Search tools | Expansion into comprehensive cybersecurity. |
| 2020 | Transition to RAM-only servers | Implementation of hardware-level data protection. |
| 2021 | Launch of Antivirus & Incogni | Diversification of the security product suite. |
| 2022 | Merger with Nord Security | Achievement of “Unicorn” status; $1.6B valuation. |
| 2023 | $100M Investment Round | Expansion of product lines and R&D capacity. |
| 2024 | Financial Times 1000 Ranking | Recognition as a top 50 fastest-growing company. |
Data sources: 9
The ownership structure of Surfshark is inextricably linked to the parent holding company, Nord Security, which is incorporated in Amsterdam, the Netherlands, while maintaining its primary operational hub in Vilnius, Lithuania.3 The founders of the respective entities—Vytautas Kaziukonis for Surfshark and Tom Okman alongside Eimantas Sabaliauskas for Nord Security—share a common history within the Tesonet ecosystem.2 This relationship is critical for understanding the company’s capital origins and potential ideological leanings.
Tesonet functioned as the primary business incubator for both NordVPN and Surfshark. While initially operating as competitors, the two brands were always part of the same Lithuanian venture capital and development environment.2 The 2022 merger formalized this relationship, creating a joint entity that has attracted significant international investment. In April 2022, the company raised $100 million in a funding round led by Novator, valuing the group at $1.6 billion.3 This was followed in September 2023 by an additional $100 million investment from Warburg Pincus, which doubled the company’s valuation to $3 billion.11
| Investment Entity | Nationality | Investment Role | Strategic Focus |
|---|---|---|---|
| Tesonet | Lithuanian | Founder / Incubator | Early-stage development and scaling. |
| Novator | International | Lead Investor (2022) | Growth-stage capital and market entry. |
| Warburg Pincus | United States | Growth Investor (2023) | Global expansion and M&A activity. |
Data sources: 3
The involvement of Warburg Pincus is notable due to its status as a global private equity firm with extensive holdings across multiple sectors, including technology and healthcare. However, no direct evidence was found in the analyzed records indicating that Warburg Pincus’s investment in Nord Security was contingent upon or directed toward Israeli defense applications. Instead, the capital has been deployed to expand product lines such as Alternative ID, Dedicated IP, and the Incogni data removal tool.9
A central component of this audit is distinguishing Surfshark’s ownership from the “Kape Technologies” network, which represents the primary point of Israeli influence in the VPN industry. Kape Technologies, owned by British-Israeli billionaire Teddy Sagi, acquired several of Surfshark’s major competitors, including ExpressVPN (purchased for $936 million), CyberGhost, and Private Internet Access.5 Kape’s predecessor, Crossrider, was known for adware and had ties to individuals with backgrounds in Israeli intelligence.6
Surfshark’s leadership team lacks similar documented ties to the Israeli defense or intelligence establishment. The management is primarily composed of Lithuanian tech entrepreneurs with backgrounds in software engineering and business intelligence.14
| Personnel | Role | Primary Professional Background |
|---|---|---|
| Vytautas Kaziukonis | Founder/CEO, Surfshark | Software entrepreneurship; Tesonet alumnus. |
| Tom Okman | Co-Founder, Nord Security | Internet infrastructure; board member at Vilnius University. |
| Donatas Budvytis | CTO, Surfshark | Technical leadership in cybersecurity scaling. |
| Tomas Kazlauskas | Chief Business Intelligence | Data analytics and market strategy. |
Data sources: 9
Surfshark’s material presence in the Middle East is centered on its network of servers located in Tel Aviv, Israel. This infrastructure is a standard requirement for global VPN providers to offer regional low-latency connections and “Israeli IP” addresses for users wishing to bypass geo-restrictions or secure their local internet traffic.7
The company operates approximately 20+ RAM-only servers in the Tel Aviv cluster.8 These servers utilize a diskless architecture where the operating system and all software are loaded directly into RAM, ensuring that no data is permanently stored on physical hard drives. This setup is a key component of Surfshark’s “no-logs” policy, which has been verified by independent audits from Deloitte and Cure53.9
| Infrastructure Component | Specification | Functionality |
|---|---|---|
| Server Location | Tel Aviv, Israel | Regional traffic termination and IP assignment. |
| Server Architecture | RAM-only (Diskless) | Volatile memory ensures no data persistence. |
| Protocol Support | WireGuard, OpenVPN, IKEv2 | Encrypted tunneling for diverse device types. |
| Encryption Standard | | Military-grade civilian encryption standard. |
| Server Count | 20+ Physical Units | Capacity for high-speed regional throughput. |
Data sources: 7
The servers are leased through third-party data center providers. While Surfshark does not publicly disclose its specific facility partners in Israel, network forensics indicate that it utilizes major international hosting providers and local ISPs to maintain its “Cyberzone” ASNs (Autonomous System Numbers).17 Known providers in the Tel Aviv area that service the VPN industry include GNS, Webgate, and SPD.18 These facilities provide the physical security, cooling, and power infrastructure required to maintain the digital presence.
The marketing of Israeli servers by Surfshark focuses on three primary civilian use cases:
This operational footprint is characteristic of a “Market Drift” or “Civilian Parallel” association, in which the product is available in the region but is not marketed toward or specifically configured for military or security forces.
A forensic search for direct contracts between Surfshark (or Nord Security) and the Israeli Ministry of Defense (IMOD) or the Israel Defense Forces (IDF) yielded no evidence of formal agreements, tender awards, or defense-specific partnerships.
Exhaustive reviews of IMOD tender listings and the SIBAT defense directory do not show Surfshark as a registered vendor.20 Unlike “Big Tech” firms that have faced significant backlash for state-level contracts—most notably Google and Amazon’s participation in the $1.2 billion Project Nimbus cloud contract—Surfshark has no known role in providing infrastructure for the Israeli government.22
Furthermore, while Surfshark’s business arm, NordLayer, provides adaptive network access security for organizations, there is no public record of its deployment within the Israeli defense ecosystem.23 Most IDF-level network security is handled through domestic firms like Check Point or specialized military-grade hardware providers.24
Surfshark’s documented engagement with state actors is primarily adversarial or defensive. For instance, the company withdrew its physical servers from India in 2022 in direct response to government mandates requiring VPNs to store and share user data.3 This stance suggests a corporate policy that prioritizes user privacy over government compliance, a factor that typically disqualifies a firm from sensitive military or intelligence contracting.
| Organization | Contract Type | Israeli State Affiliation | Nature of Complicity |
|---|---|---|---|
| Google / Amazon | Project Nimbus | Direct (IMOD/IDF) | Provision of AI and Cloud for military. |
| Check Point | Cybersecurity | Domestic / Direct | Sovereign firewall and network security. |
| Surfshark | Consumer VPN | None Documented | Incidental retail presence in Tel Aviv. |
Data sources: 22
As a software-based service provider, Surfshark does not manufacture “ruggedized” or “tactical” goods. Its products are generic civilian cybersecurity tools. However, the dual-use nature of encryption technology warrants a detailed assessment of its tactical utility.
Surfshark utilizes encryption, which is often marketed as “military-grade” but is the industry standard for secure civilian communications.8 The company does not produce mil-spec hardware variants (e.g., hardened routers or field-deployable encrypted comms kits). Its implementation of the WireGuard protocol is designed for speed and efficiency in consumer environments rather than the specific resilience required for contested electronic warfare (EW) environments.3
The company’s features, such as “MultiHop” (cascading traffic through two servers) and “Obfuscation” (masking VPN traffic as regular HTTPS), are dual-use in the sense that they could be utilized by military personnel in an unofficial capacity to secure their personal devices.7 However, the documentation shows no evidence that these features are marketed to or tailored for the IDF.
| Product | Feature | Defense Sector Application | Market Segment |
|---|---|---|---|
| Surfshark VPN | | Unofficial personal device security. | Consumer Retail |
| Surfshark Alert | Breach Monitoring | Information security awareness. | Consumer Retail |
| Incogni | Data Removal | Counter-OSINT for individuals. | Consumer Retail |
| NordLayer | ZTNA / SDP | Corporate perimeter security. | Enterprise / B2B |
Data sources: 9
While NordLayer (the B2B arm of the parent company) is profiled in cybersecurity supplier directories, its clients in the Israeli market are concentrated in the engineering, technology, and utilities sectors, often as a defensive measure against state-sponsored hacking groups like those from Iran.23
Logistical sustainment involves the provision of essential services—such as catering, fuel, transport, or construction—that directly support the operations of military bases or detention facilities. Surfshark’s service delivery model is entirely digital and automated, precluding physical involvement in these sectors.
Forensic tracking of service vehicles or “institutional supply” contracts in the Negev or West Bank provides no evidence of Surfshark’s participation. The company does not provide transport for military personnel, fuel for tactical vehicles, or construction materials for the separation wall or military outposts.20 Unlike heavy machinery companies like JCB, Volvo, or Caterpillar, which provide the physical equipment used in settlement construction and military engineering, Surfshark’s impact is limited to the transport of encrypted data packets.30
In the context of the Israeli prison system, logistical sustainment often refers to telecommunications or security infrastructure. While some VPN providers have been criticized for hosting servers on networks owned by companies that service prisons, Surfshark’s Tel Aviv servers are located in commercial data centers in the city’s tech district.7 There is no evidence of direct contracts to provide “prison-tech” or communication monitoring for the Israel Prison Service (IPS).
The fourth requirement investigates whether Surfshark supplies components or sub-systems to known Israeli defense prime contractors, such as Elbit Systems, IAI, or Rafael.
Defense primes require highly specialized hardware components, such as optical glass for tank sights, specialized polymers for body armor, or engine parts for UAVs.20 As a provider of Virtual Private Networks, Surfshark is a consumer of the supply chain (purchasing hardware from server manufacturers like Dell or HP) rather than a supplier to it.30
A review of the partner networks for Elbit and Rafael reveals a dependency on domestic startups for AI and drone interception technology, but no documented integration of Surfshark’s VPN or antivirus software into their kinetic systems.20 For example, Rafael’s “Typhoon” weapon system or Elbit’s “Iron Hawk” drone interceptor utilize proprietary, closed-loop military networks rather than public consumer VPN services.29
Surfshark’s public-facing research and advocacy frequently highlight the dangers of state-sponsored surveillance, placing it at ideological odds with the “Cyber-Offensive” wing of the Israeli defense industry. Specifically, Surfshark has published detailed reports on the Pegasus spyware developed by the NSO Group, characterizing it as a controversial tool used to undermine civil liberties and target journalists and activists.31
| Target Firm | Primary Product | Relationship to Surfshark | Conflict/Alignment |
|---|---|---|---|
| NSO Group | Pegasus Spyware | Industry Adversary | Surfshark researches and exposes its use. |
| Elbit Systems | UAVs / EW | None Documented | Discrete sectors; no overlap. |
| Rafael | Missile Defense | None Documented | Discrete sectors; no overlap. |
| NetBlocks | Internet Monitoring | Research Partner | Alignment on digital rights and freedom. |
Data sources: 11
The leadership and advisory boards of Nord Security (Surfshark’s parent) provide deeper insight into the company’s institutional alignment. While the executive team is primarily Lithuanian, the advisory board includes individuals with significant backgrounds in international security and defense policy.
The advisory board includes figures with experience in NATO, the US State Department, and European regulatory bodies. These affiliations suggest a “Western-aligned” institutional orientation, which, while not a direct indicator of complicity with Israel, reflects an integration into the broader security architecture of the Five Eyes and NATO allies.33
| Name | Role / Affiliation | Relevant Background |
|---|---|---|
| Edward Hunter Christie | Advisor | Former Deputy Head of NATO Innovation Unit. |
| Geoff Odlum | Advisor | Former U.S. diplomat (Non-proliferation/Regional Security). |
| Laurynas Adomaitis | IPR Specialist | Research on AI ethics and cybersecurity at Nord Security. |
| Dennis-Kenji Kipker | Advisor | Professor of IT Security Law; advisor to the EU Commission. |
| Rytis Vitkauskas | Advisor | Partner at Lightspeed Venture Partners; European tech veteran. |
Data sources: 15
The presence of a former NATO innovation official (Edward Hunter Christie) and a US diplomat focused on counterterrorism and regional security (Geoff Odlum) indicates that the company seeks strategic guidance from individuals who understand the intersection of technology and national security.33 However, these individuals are focused on NATO-centric challenges—such as Russian aggression in the Baltics—rather than Israeli defense procurement.
Surfshark’s ideological support is most visibly directed toward Ukraine. Following the 2022 invasion, the company participated in fundraising for the Ukrainian military and opened an office in Lviv to aid in the country’s digital reconstruction.13 In September 2025, the company conducted a challenge to support an injured Ukrainian soldier.35 This demonstrates a willingness to take a side in kinetic conflicts, although no similar support—material or ideological—is documented for Israeli military operations.
The audit must account for the high level of industry consolidation and the “repackaging” of services, which can sometimes obscure Israeli ties. In the VPN market, several brands are owned by companies with Israeli headquarters or founders.
Kape Technologies and Aura (Pango Group) are the primary examples of Israeli influence in the sector. Aura, an Israeli software company, owns Hotspot Shield, Betternet, and UltraVPN.6 Kape Technologies, as previously noted, is Israeli-owned and historically linked to the security sector.5
| Holding Company | Principal Brands | Headquarters | Documented Israeli Security Ties |
|---|---|---|---|
| Kape Technologies | ExpressVPN, CyberGhost, PIA | UK / Israel | Founded by Teddy Sagi; Unit 8200 links. |
| Aura (Pango) | Hotspot Shield, Betternet | United States | Israeli software origins; local dev hub. |
| Nord Security | NordVPN, Surfshark, NordLayer | Netherlands / Lithuania | None; Lithuanian incubator origins. |
| Ziff Davis | IPVanish, StrongVPN, Perimeter 81 | United States | Perimeter 81 was an Israeli startup acquisition. |
Data sources: 5
In 2024, Ziff Davis (which owns IPVanish) acquired Perimeter 81, a major Israeli cloud security firm, further integrating the Israeli cybersecurity hub into the US-dominated VPN market.6 Surfshark remains distinct from these networks, maintaining a Lithuanian-Dutch corporate identity and infrastructure that does not appear to share back-end resources or management with the Israeli-linked firms.
Surfshark’s operations are guided by a series of transparency and human rights initiatives that often place it in opposition to the surveillance goals of militarized states.
Surfshark is a founding member of the VPN Trust Initiative, an industry group dedicated to establishing safety and transparency standards.11 This involvement requires the company to undergo independent assessments and maintain public warrant canaries. For an entity engaged in secret military or intelligence cooperation, such commitments would represent a significant operational risk.11
The company’s research hub monitors internet censorship and surveillance worldwide. Their “Internet Shutdown Tracker” provides real-time data on state-ordered disruptions, which are frequently used during military operations or periods of civil unrest.9 By partnering with digital rights watchdogs like NetBlocks and Access Now, Surfshark contributes to a global effort to expose state-sponsored digital repression.11
In one specific case study, the Digital Security Helpline (supported by Surfshark partner Access Now) investigated the use of Pegasus spyware against a group of activists that included Israeli journalists and activists.32 This highlights Surfshark’s role as a provider of tools and research that actively assist individuals targeted by the Israeli surveillance apparatus.
The logistics of Surfshark’s presence in Tel Aviv are purely commercial and typical of high-traffic network providers.
Surfshark operates under Autonomous System Number AS209854, registered to “Cyberzone (Surfshark)”.17 In Israel, this ASN routes traffic through major Tier-1 and Tier-2 providers to ensure high-speed connectivity.
| Metric | Detail | Logistical Significance |
|---|---|---|
| ASN | AS209854 | Indicates self-managed routing for privacy. |
| IP Count | ~3,881 (Global) | Large pool for obfuscating user activity. |
| IPv4 Ranges | 2.59.202.0/24, 2.59.203.0/24 | Specific blocks used for Tel Aviv exit nodes. |
| Core Networks | DataCamp, GTT, HostRoyale | Third-party dependencies for transit. |
Data sources: 17
The reliance on DataCamp—a UK-based hosting provider with a significant global footprint—suggests that Surfshark’s infrastructure in Tel Aviv is likely part of a standardized “point of presence” (PoP) model used across its 100+ country locations.3 This model is designed for consumer scalability rather than discrete institutional supply.
A final layer of forensic analysis examines whether Surfshark’s marketing strategies indicate an intent to support or profit from the militarized context of the region.
Reviewing Surfshark’s regional marketing, the focus remains consistently on “unlimited devices,” “streaming access,” and “online privacy”.7 There are no campaigns targeted at security personnel, no “soldiers’ discounts,” and no mention of the product’s utility in military communication or prison administration. The product is marketed as an “all-in-one cybersecurity suite” for the average citizen.7
While the company maintains political neutrality in most regions, its clear stance against Russian aggression in Ukraine serves as a baseline for its geopolitical engagement.13 The absence of a similar stance or material support for the Israeli military—despite its physical presence in the country—suggests that Surfshark views its Israeli operations as a purely commercial endeavor focused on the civilian market.