Table of Contents
Surfshark is a Lithuanian-founded, Netherlands-incorporated consumer VPN and cybersecurity software company, operating since 2022 as a subsidiary brand within the Nord Security group. This dossier assesses its conduct across four BDS-1000 domains — military, digital, economic, and political — against publicly available evidence current to 2026-04-30.
The aggregate BDS-1000 score of 47 (Tier E) reflects the lowest tier of identified involvement. No military, defence-contracting, dual-use hardware, or settlement infrastructure relationship has been identified in any source class. The modest score is driven by three equally low-weight signals: a standard commercial VPN exit node in Israel (V-DIG), global subscription sales accessible to Israeli users (V-ECON), and a documented asymmetry in Surfshark’s public communications infrastructure — the company operates Gaza-relevant tracking tools but issued no conflict-adjacent statements during the October 2023 conflict and its aftermath (V-POL). Each signal is assessed as commercially routine or passively neutral; none approaches material complicity under the BDS-1000 rubric.
The principal evidence limitations are: the identity of Surfshark’s Israeli exit-node sub-contractor (undisclosed); the physical versus virtual status of that node; and the absence of full beneficial-ownership disclosure for the post-merger Nord Security group. These gaps are noted throughout the domain summaries and are assessed as unlikely to alter tier classification on available evidence, though they would require resolution in any live audit.
| Date | Event |
|---|---|
| 2018 | Surfshark founded by Vytautas Kaziukonis; incorporated in the British Virgin Islands and as Surfshark B.V. in the Netherlands 1 |
| 2019–2021 | Surfshark expands globally; publishes Internet Shutdown Tracker and Censorship Radar as civic-facing research tools 2 3 |
| October 2021 | Nord Security raises USD 100M at USD 1.6B valuation; Warburg Pincus identified as institutional investor 4 |
| February 2022 | Surfshark and Nord Security announce and complete merger; both brands continue operating under the Nord Security group umbrella; entities domiciled in Lithuania and the Netherlands 5 6 |
| 2022 | Surfshark publishes conflict-responsive blog content addressing internet shutdowns in Russia and Iran 7 |
| 2023 | Deloitte completes independent no-logs audit of Surfshark; Cure53 publishes penetration-testing report 8 9 |
| October 2023 | Hamas attacks on Israel (7 October); Israeli military campaign in Gaza commences; Surfshark’s own tracking tools document communications disruptions in Gaza; no corporate statement issued 7 10 |
| October 2023–April 2026 | No Surfshark corporate statement on the Israel-Palestine conflict identified across any public channel 7 |
| 2026-05-01 | BDS-1000 audit completed; score: 47, Tier E |
Surfshark B.V. was incorporated in the Netherlands in 2018 by Vytautas Kaziukonis, a Lithuanian national, with an original British Virgin Islands holding entity.1 Its commercial product range encompasses a VPN service, antivirus suite, data breach monitoring (Alert), identity protection tools, the Incogni data removal service, and the CleanWeb ad and tracker blocker.11 All products are delivered as digital subscriptions with no physical goods at any stage of the commercial chain.
In February 2022, Surfshark completed a merger with Nord Security — parent of NordVPN — forming a combined group under which both brands operate independently while sharing group-level governance.5 6 The merged group’s primary operational and engineering hub is in Vilnius, Lithuania, with legal entities also registered in the Netherlands (Cyberspace B.V.) and the UK (Surfshark Ltd, Companies House number 11621280).12 Nord Security’s majority ownership is held by its Lithuanian co-founders; an October 2021 funding round was led by Warburg Pincus.4 Verdane Capital, a Nordic/European private equity fund, provided earlier growth equity to Surfshark prior to the merger.13 No Israeli-origin venture capital, state ownership, or sovereign wealth fund participation has been identified in public filings.
The company distributes subscriptions globally through its own website and major app stores, using Nexway (a French-headquartered firm) as its e-commerce and payment processing partner. It operates a RAM-only, diskless server architecture across approximately 100 countries, including an Israel-designated exit node.14 15 Third-party security assurance is provided by Cure53 (Berlin) and Deloitte.8 9 Surfshark publishes periodic transparency reports covering government data requests and maintains a warrant canary.16 17
The V-MIL domain assesses whether a company is involved in direct defence contracting, dual-use hardware supply, construction or infrastructure in occupied territories, supply chain integration with defence primes, logistical sustainment of military bases, or munitions and weapons system development.
Across all six sub-categories of the V-MIL rubric, the audit returns a null finding. Surfshark’s business model is entirely software-based — consumer and SME-oriented VPN protocols, cybersecurity suites, and privacy tools distributed through commercial app stores and direct subscription sales. It manufactures no physical product, no hardware, and no ruggedised or military-specified variant of any kind. This structural characteristic renders the vast majority of V-MIL sub-categories inapplicable by design.
On direct defence contracting, no contract, tender award, framework agreement, or memorandum of understanding between Surfshark and the Israeli Ministry of Defence, Israel Defence Forces, Israel Prison Service, Israel Border Police, or any other Israeli state security body has been identified in any procurement database, corporate disclosure, or press reporting. A full-text search of the Israeli Government Procurement Portal (mr.gov.il) returned a null result for Surfshark.1 Surfshark does not appear in the SIBAT (Israel Defence Export and Defence Cooperation Directorate) public-facing export directory, in Israeli defence exhibition catalogues including ISDEF or HLS & Cyber Israel, or in any defence procurement registry in connection with Israeli state contracts.1
On dual-use products, the V-MIL rubric’s domain boundary test asks whether a product’s designed output produces a targeting decision or weapons effect. The result is negative across all Surfshark products. VPN tunnelling, antivirus scanning, data breach alerting, and tracker blocking are not purpose-built to enable kinetic military effects and have no identified weapons-integration application. No tactical or military-specified product variant has been identified in any product catalogue, patent filing, or trade press coverage. Searches of the USPTO, EPO, and Israeli Patent Office patent databases returned no Surfshark filing in any defence-relevant technology class.1
On supply chain integration with Israeli defence primes — Elbit Systems, Israel Aerospace Industries, Rafael Advanced Defense Systems, and Israel Military Industries — the annual reports and supplier disclosures of each firm (2020–2024) contain no Surfshark supply relationship. Surfshark produces no optical systems, electronic sub-assemblies, propulsion components, structural materials, guidance systems, communication modules, or armour materials. As a software-only entity, it does not participate in the physical sub-assembly supply chains that characterise defence prime relationships.1 5
On construction and settlement infrastructure, Surfshark has no hardware, machinery, vehicle, or construction equipment product line. It has no verified presence in any construction, demolition, or infrastructure activity within Israeli settlements, the separation barrier, military installations, or occupied territories. It does not appear in the Who Profits Research Center database, in UN OCHA or UN Special Rapporteur on OPT reports from 2020 to 2025, in Amnesty International corporate accountability reports from 2021 to 2024, or in Human Rights Watch reports on corporate involvement in occupied territories from 2020 to 2024.18 19
On logistical sustainment, Surfshark operates in no catering, transport, fuel supply, waste management, facilities maintenance, telecommunications infrastructure, shipping, freight forwarding, or port handling capacity. No service contract between Surfshark and any IDF base, military training facility, detention centre, or security installation has been identified in any source class, including the Israeli government procurement portal, LinkedIn corporate profile data, or technology press coverage from 2019 to 2025.1
On munitions and weapons systems, Surfshark has no verified role as a prime contractor or licensed manufacturer of any lethal system, munitions, precursor material, or strategic defence platform. It has no identified involvement in Iron Dome, David’s Sling, Arrow, fighter aircraft programmes, main battle tank supply chains, warships, or ballistic missile systems. The SIPRI Arms Transfers Database contains no Surfshark transfer or licensing arrangement.20
The V-MIL score — 0.00 across Impact, Magnitude, and Proximity — follows directly from these null findings. The rubric’s Band 0.0 (None: No Measurable Kinetic Impact) applies across all three criteria. No scoring adjustment is warranted.
The strongest challenge to a zero V-MIL score would be a claim that Surfshark’s commercial VPN service, though not purpose-built for military use, could be used by Israeli military or security personnel as individual subscribers. This is structurally true of any commercial VPN and does not constitute a defence supply relationship. The rubric’s domain boundary test and the explicit distinction between consumer access and institutional military procurement prevent this from affecting the score. No evidence of institutional or contract-based military supply has been identified.
A second challenge concerns internal IT tooling. Surfshark does not publish a comprehensive software bill of materials for its internal enterprise environment. It is therefore not possible to fully exclude the use of Israeli-origin security software in back-office functions from public sources. However, this hypothetical back-office relationship — even if confirmed — would fall within V-DIG rather than V-MIL and would not produce a kinetic military effect.
A third challenge is the possibility of undisclosed contracts not captured in public procurement databases. While no mechanism can definitively exclude covert procurement, the SIBAT absence, the null Israeli procurement portal result, the SIPRI null result, and the absence of any NGO investigation all corroborate a nil finding. The convergence of multiple independent null results across different source classes substantially raises the credibility of the zero score.
No finding currently available in the supplied audits or scoring file would materially change the V-MIL score. The software-only business model structurally excludes I-MIL relevance under the rubric’s explicit scope definition.
| Entity | Type | Relationship to Surfshark | Evidence |
|---|---|---|---|
| Israeli Ministry of Defence (IMOD) | Israeli state body | No contract or relationship identified | Null — procurement portal, SIBAT 1 |
| Israel Defence Forces (IDF) | Israeli military | No contract or relationship identified | Null — all source classes |
| SIBAT | Israeli defence export directorate | No Surfshark listing | Null 1 |
| Elbit Systems | Israeli defence prime | No supply relationship | Annual reports 2020–2024 1 |
| Israel Aerospace Industries (IAI) | Israeli defence prime | No supply relationship | Annual reports 2020–2024 1 |
| Rafael Advanced Defense Systems | Israeli defence prime | No supply relationship | Annual reports 2020–2024 1 |
| SIPRI | Arms transfer database | No Surfshark entry | SIPRI Arms Transfers Database 20 |
| Who Profits Research Center | NGO database | No Surfshark entry | Who Profits database 18 |
| Amnesty International | NGO | No Surfshark mention in OPT corporate reports | Amnesty reports 2021–2024 19 |
| Human Rights Watch | NGO | No Surfshark mention in OPT corporate reports | HRW reports 2020–2024 21 |
The V-DIG domain assesses relationships with Israeli-origin enterprise software vendors, surveillance and biometric technology, cloud infrastructure and sovereign cloud participation, defence and intelligence sector technology contracts, AI and autonomous systems provision, and R&D or acquisition footprint in Israel.
The dominant V-DIG signal for Surfshark is the operation of an Israel-designated VPN exit node in its global server network.14 This node is listed on Surfshark’s publicly accessible server directory alongside approximately 100 other country-level locations. The node enables Surfshark subscribers anywhere in the world to route their encrypted traffic through an Israeli IP address — a standard commercial feature of any global VPN service. It does not constitute a data centre, primary co-location facility, or sovereign cloud deployment owned by Surfshark in Israel.
The technical architecture of this node matters to the scoring analysis. Surfshark operates a RAM-only, diskless server fleet, meaning no persistent user data is written to storage at any node, including the Israeli one.15 This significantly limits the data sovereignty and state-access risk that might otherwise elevate the score. The published transparency report confirms that Surfshark logs government data requests in aggregate but does not itemise them by country.16 The identity of the specific Israeli co-location or hosting provider supplying physical rack space for the exit node is not publicly disclosed — a material evidence gap addressed in the counter-arguments section.
On Israeli-origin software procurement, no licensing, subscription, or technology integration relationship between Surfshark and Israeli-origin cybersecurity vendors — including Check Point Software Technologies, Wiz, SentinelOne, CyberArk, NICE Ltd, Verint Systems, Claroty, or AnyVision/Oosto — has been identified in any corporate filing, press release, partnership announcement, or third-party audit report.1 11 Palo Alto Networks, while Israeli-founded, is a US-domiciled corporation; no Surfshark customer or integration relationship with that firm has been identified either.
Surfshark’s documented security vendor relationships are with two non-Israeli firms. Cure53, a Berlin-based penetration testing firm, has audited Surfshark’s infrastructure, with results published in a public report.8 9 Deloitte conducted an independent no-logs policy audit in 2023, independently verifying that Surfshark does not retain user connection logs.8 These disclosures represent an above-average transparency standard for the consumer VPN sector.
On surveillance and biometric technology, Surfshark’s product portfolio — VPN, antivirus, data breach monitoring, private search, and CleanWeb tracker blocking — is designed for consumer privacy enhancement, not population surveillance or behavioural monitoring.11 No relationship with Trigo, BriefCam, AnyVision/Oosto, or Trax has been identified. This conclusion is consistent with Amnesty International and Human Rights Watch surveillance-technology assessments, neither of which identifies Surfshark in the context of surveillance technology provision.19 21
On Project Nimbus and sovereign cloud participation, Surfshark is not a hyperscale cloud provider and does not offer infrastructure-as-a-service products. No Surfshark participation in Project Nimbus — the USD 1.2 billion cloud infrastructure contract awarded jointly to Google Cloud and AWS by the Israeli government and military22 — or in any comparable Israeli state-backed programme has been identified.23
On AI and autonomous systems, Surfshark’s publicly documented AI and machine learning features are limited to consumer-facing functions: AI-driven malware detection and automated server-load optimisation for VPN routing.11 No provision of AI or ML systems to Israeli state bodies, military agencies, or law enforcement entities has been documented. Surfshark does not produce autonomous targeting, fire-control, drone guidance, or weapons-effects systems.
On R&D footprint, no Surfshark or Nord Security group R&D facility, engineering office, or accelerator programme operating within Israel has been identified. The group’s documented engineering and R&D presence is concentrated in Vilnius, Lithuania, and Amsterdam, Netherlands.5 6 24 No acquisition of an Israeli-origin technology company or strategic investment in Israeli technology start-ups has been identified.
The V-DIG scoring places Impact at 2.50 (Band 2.1–3.0: Commercial Compliance and Consumer Services), Magnitude at 1.50 (Band 1.0–2.0: Incidental/Commodity), and Proximity at 7.50 (Band 7.5–8.2: Direct commercial contract). The V-DIG domain score is 0.54. The Impact band reflects that Surfshark is providing a standard consumer service — not a bespoke tool sold to the Israeli state. The Magnitude band reflects that the Israeli node is one of approximately 100 and carries no identified strategic significance. The Proximity band reflects that Surfshark is the direct service provider regardless of whether a sub-contractor operates the physical rack.
The most significant evidence gap in V-DIG is the identity of the Israeli exit-node sub-contractor. Surfshark does not publicly disclose the data centre operator or network transit provider enabling its Israeli server. If that sub-contractor has Israeli state or defence connections — for example, if the rack is housed in a facility with IDF or intelligence service ties — that would be a material fact affecting the depth of the commercial relationship, though it would not change the Impact band classification (2.1–3.0) because Surfshark’s own service offering remains a consumer VPN product.
A related question is whether the Israeli node is physically co-located within Israel or is a virtual routing arrangement (where the Israeli IP address is assigned by a transit provider without physical hardware in the country). Physical co-location would confirm a direct commercial property relationship with an Israeli hosting entity; a virtual node would indicate only a transit or IP-leasing arrangement. Surfshark does not publicly specify this for any country in its network.14 Resolving this gap would require either a direct technical audit of Surfshark’s hosting provider contracts or a disclosure request. It does not alter the rubric band on available evidence.
A third challenge is the possibility that Surfshark’s internal enterprise IT stack includes Israeli-origin endpoint detection or security tooling that is not publicly disclosed. Surfshark does not publish a comprehensive vendor disclosure or software bill of materials for its back-office environment. Equally, following the 2022 merger, some procurement decisions may be made at the Nord Security group level.5 Group-level vendor relationships are not comprehensively disclosed.13 These are real but inherently unverifiable gaps from public sources.
For the score to change materially in V-DIG, one or more of the following would need to be confirmed: a bespoke technology contract with an Israeli state or military body; Israeli-origin surveillance technology embedded in Surfshark’s product or infrastructure stack; or participation in a state-directed data sharing arrangement with Israeli authorities. None of these has been identified.
| Entity | Type | Relationship to Surfshark | Evidence |
|---|---|---|---|
| Surfshark B.V. | Company (Netherlands) | Primary legal entity | KVK registration 1 |
| Nord Security | Parent group (Lithuania) | Post-2022 merger parent | TechCrunch, The Verge 5 6 |
| Cyberspace B.V. | Netherlands holding entity | Post-merger European corporate vehicle | Merger disclosures 5 6 |
| Cure53 | Security audit firm (Germany) | Published penetration test reports | Cure53 publications 8 9 |
| Deloitte | Audit firm | No-logs policy audit, 2023 | Surfshark blog 8 |
| Nexway | E-commerce/payments (France) | Subscription payment processing | Corporate documentation 1 |
| Israeli VPN exit node | Infrastructure | One of ~100 global commercial nodes; sub-contractor undisclosed | Surfshark server list 14 |
| Project Nimbus | Israeli state cloud contract | No Surfshark involvement identified | Guardian, Reuters 22 23 |
| Check Point, Wiz, SentinelOne, CyberArk, Verint, AnyVision | Israeli-origin tech vendors | No procurement relationship identified | Null across all sources |
| Amnesty International | NGO | Does not name Surfshark in surveillance-tech reports | Amnesty tech pages 19 |
| Human Rights Watch | NGO | Does not name Surfshark in surveillance-tech reports | HRW tech pages 21 |
| BDS National Committee | Civil society | Does not list Surfshark as a target | BDS technology pages 25 |
| PACBI | Civil society | Does not list Surfshark as a named target | PACBI 26 |
The V-ECON domain assesses supply chain and sourcing relationships with Israeli or settlement-origin goods, investment and capital flows into Israeli or occupied-territory assets, operational presence and employment in Israel, corporate structure and foundational ties to the Israeli economy, and profit repatriation to Israeli-linked beneficial owners.
Surfshark’s digital-only business model renders the physical goods sub-categories of V-ECON structurally inapplicable. The company sources no physical goods, imports no agricultural or manufactured products, and has no supply chain relationship with settlement-origin produce exporters such as Mehadrin, Hadiklaim, Galilee Export, or Agrexco.1 11 EU, UK, and US country-of-origin labeling regimes — which apply to physical products originating in Israeli settlements — have no application to digital subscription services. No enforcement actions, regulatory citations, or import detentions related to product labeling have been identified in any jurisdiction.
On investment and capital flows, no acquisitions, joint ventures, data centres under direct ownership, or real estate holdings operated by Surfshark or Nord Security within Israeli or occupied-territory jurisdictions have been documented in any public filing, press database, or NGO financial tracking report.1 5 No Israeli R&D facilities, accelerator participation, or technology partnerships with Israeli academic or state institutions have been identified. The group’s disclosed R&D and engineering operations are concentrated in Vilnius, Lithuania, with additional teams in the Netherlands and Poland.5 6
On beneficial ownership, Surfshark was founded by Vytautas Kaziukonis, a Lithuanian national, and merged with a Lithuanian-founded group (Nord Security) in 2022.1 5 Prior to the merger, Surfshark received growth equity investment from Verdane Capital, a Nordic/European private equity fund headquartered in Oslo, Norway.13 The 2021 Nord Security funding round was led by Warburg Pincus, a US-based private equity firm.4 No Israeli private equity, venture capital, or sovereign wealth fund ownership is documented in any available source. No beneficial owner with documented primary investment exposure to the Israeli economy has been identified in public filings, Crunchbase records, or press coverage.
On operational presence, no offices, sales operations, customer-support centres, or retail locations operated by Surfshark or Nord Security within Israel or the occupied territories have been documented.1 24 LinkedIn data reflects employee concentrations in Lithuania, the Netherlands, Ukraine, and Poland; no Israeli employee population is disclosed in any public record.24 No Israeli workforce, payroll registration, or corporate tax filing by Surfshark or Nord Security within the Israeli jurisdiction has been identified.
On VPN server presence, Surfshark advertises server coverage across approximately 100 countries. As noted in V-DIG, the presence of rented server capacity in a country represents a standard operational feature for VPN providers relying on third-party data centre contracts and does not constitute direct investment or an operational presence equivalent to a corporate office or subsidiary. No confirmed documentation specifically identifying the Israeli server node’s hosting provider or confirming physical co-location within Israel was identified in the V-ECON audit.
The V-ECON scoring places Impact at 2.50 (Band 2.1–3.0: Direct Sales) reflecting global subscription sales accessible to Israeli subscribers through Surfshark’s standard commercial channel. Magnitude is 1.50 (Band 1.0–2.0: Incidental/Commodity) reflecting that Israel is one of over 100 global markets with no dedicated Israeli sales infrastructure, no local employees, no offices, and no tax registration. Proximity is 7.50 (Band 7.5–8.2: Direct commercial contract) because Surfshark sells directly to end subscribers through its own website and app stores with no intervening distributor or reseller. The V-ECON domain score is 0.54.
On profit repatriation, no profit flow directed toward Israel is documented. No Israeli-domiciled ownership entity exists within the disclosed corporate chain that would channel profits toward the Israeli economy.27 13 Revenue from Surfshark B.V. (Netherlands) consolidates upward into the Nord Security group entity domiciled in Lithuania. No Israeli limited partner, shareholder, or profit-participation arrangement has been identified in public records.
Surfshark does not appear in the UN Human Rights Council’s database of businesses operating in Israeli settlements (A/HRC/43/71), the Who Profits Research Center database, the Corporate Occupation project, or the BDS Movement company database.18 28 29 25
The principal challenge to the V-ECON assessment is the incomplete beneficial-ownership picture of the post-merger Nord Security group. The merged entity’s full corporate governance structure, board composition, and shareholder agreement are not publicly filed in a searchable registry. BVI original incorporation records are similarly inaccessible given BVI’s limited public company registry. It is therefore not possible to fully exclude minority investors with incidental Israeli market exposure without access to full ownership records.
A secondary gap concerns Verdane Capital’s full limited partner and portfolio disclosures, which have not been cross-referenced against Israeli market assets. This is assessed as a secondary-level gap unlikely to be material on available evidence: Verdane Capital is a Nordic-focused fund with no identified Israeli market exposure in its public disclosures, and the gap would need to close substantially before it could affect the V-ECON score.
A third question is whether Israeli subscribers represent a commercially meaningful share of Surfshark’s global revenue. No Israel-specific revenue is disclosed. Given the global subscriber base, the structural indicators — no dedicated pricing, no local sales team, no local entity — all point to an economically negligible share. For the V-ECON score to change materially, one or more of the following would need to be confirmed: a dedicated Israeli sales or distribution entity; a formal joint venture or R&D partnership with an Israeli institution; or an Israeli beneficial ownership stake in Nord Security. None of these has been identified.
| Entity | Type | Relationship to Surfshark | Evidence |
|---|---|---|---|
| Surfshark B.V. | Legal entity (Netherlands) | Primary revenue-generating entity | KVK filings 1 |
| Surfshark Ltd | Legal entity (UK) | UK-registered entity, Companies House 11621280 | Companies House 30 |
| Nord Security | Parent group (Lithuania) | Post-merger consolidation entity | TechCrunch, Verge 5 6 |
| Vytautas Kaziukonis | Individual (founder/CEO) | Lithuanian national; no Israeli economic ties | Crunchbase 31 |
| Verdane Capital | PE fund (Norway) | Pre-merger growth equity investor | Crunchbase 13 |
| Warburg Pincus | PE fund (USA) | 2021 Nord Security funding round | Bloomberg 4 |
| Lithuanian Companies Register | Registry | Nord Security domicile registration | Registrų Centras 27 |
| Who Profits Research Center | NGO database | No Surfshark entry | Who Profits 18 |
| Corporate Occupation | NGO database | No Surfshark entry | Corporate Occupation 28 |
| BDS Movement | Civil society | No Surfshark company listing | BDS database 25 |
| UN OHCHR (A/HRC/43/71) | UN database | No Surfshark entry | OHCHR 32 |
The V-POL domain assesses corporate communications and public stance on the conflict, operations in contested territories, internal governance and content policy, brand heritage and state partnerships, and lobbying, advocacy financing, and logistics supporting any party to the conflict.
The primary V-POL finding is a documented asymmetry in Surfshark’s public communications. Surfshark operates two publicly available civic-research tools — an Internet Shutdown Tracker2 and a Censorship Radar3 — both of which documented communications disruptions in Gaza following October 2023. Despite this, no corporate statement contextualising those disruptions within the broader conflict was publicly issued. This stands in contrast to Surfshark’s documented practice of publishing conflict-responsive content in other geopolitical contexts: the company produced blog content responding to internet shutdowns in Russia (2022) and Iran (2022), and has published Human Rights Day content and a Digital Quality of Life Index as part of its civic communications infrastructure.7 The absence of equivalent Gaza coverage is not a simple silence — it is a selective omission by an organisation that demonstrably knew the issue was within its monitoring scope and had institutional capacity to address it.
No official corporate statement by Surfshark specifically addressing the Israel-Palestine conflict, the October 7 Hamas attacks, or the subsequent Israeli military campaign in Gaza has been identified in blog archives, press releases, or social media channels covering October 2023 through April 2026.7 Surfshark published no expressions of solidarity directed at either party, no acknowledgment of humanitarian conditions in Gaza or the West Bank, and no policy statement on the conflict. This applies equally to Nord Security’s corporate communications.33
On VPN server presence in Israel, Surfshark lists Israel as a server location in its published server directory.14 The entry is presented as a standard commercial market entry — indistinguishable in framing from any other country-level entry — with no geopolitical caveats or explanatory notes. The directory does not specify whether any physical infrastructure is located within internationally recognised occupied Palestinian territories or Israeli settlements, and no sub-national geographic granularity is provided.14
On lobbying and political financing, a review of US Senate Lobbying Disclosure Act records for both “Surfshark” and “Nord Security” returns no registered lobbying filings.34 OpenSecrets records return no PAC contributions or federal lobbying expenditure entries for Surfshark.35 No material financial support, corporate donations, or sponsorships directed by Surfshark toward parastatal organisations, Israeli settlement infrastructure funds, or military-welfare organisations — including Friends of the IDF/FIDF or the Jewish National Fund/JNF — have been identified in any public record. Equally, no financial support for pro-Palestinian advocacy organisations has been identified. The absence is symmetric.
On crisis asset mobilisation, no instances of Surfshark directing free VPN subscriptions, service credits, or infrastructure access specifically to Israeli state, military, or state-aligned NGO efforts during the October 2023 conflict or its aftermath have been identified. For comparative context, several technology companies publicly announced free service access for residents of Israel and/or Gaza during October–November 2023;36 Surfshark made no equivalent documented announcement in either direction.
On employee relations and platform content policy, Surfshark operates as a VPN service provider rather than a content platform or social media operator, and accordingly maintains no editorial algorithm or user-speech moderation framework in the conventional platform sense. No public reports, legal actions, or documented controversies regarding enforcement of employee speech about the conflict have been identified in Glassdoor reviews (2021–2024) or press coverage.37 Surfshark’s published Privacy Policy and Terms of Service contain no conflict-specific content restrictions flagged by third-party researchers.38
On state honours and brand heritage, Surfshark’s commercial branding is built around consumer privacy and online freedom — not military heritage, defence-sector origins, or state-intelligence positioning.7 No acceptance of state honours from Israel or related entities, no hosted Israeli government officials at corporate events, and no formal partnerships with Israeli state academic or governmental institutions have been identified. No corporate sponsorship of “Brand Israel” campaigns or Israeli state-backed marketing programs has been identified. Surfshark’s documented institutional partnerships are confined to cybersecurity certification bodies and privacy audit engagements.8
The V-POL scoring places Impact at 2.50 (Band 2.1–3.0: The Double Standard / Selective Silence), Magnitude at 1.50 (Band 1.0–2.0: Very Low, inherent to an omission), and Proximity at 8.50 (Band 8.3–8.9: Controller/Architect, because Surfshark is itself the decision-maker over its editorial choices). The V-POL domain score is 0.45. The scoring is deliberately conservative: the asymmetry is evidenced, but there is no active advocacy, no lobbying, no donations, no suppression of staff speech, and no state partnerships. The rubric’s 2.1–3.0 band precisely captures the documented pattern.
The strongest challenge to the V-POL finding is the argument that corporate silence on a conflict is not in itself a political act and that the comparison to Russia and Iran blog posts is too thin a basis for a “double standard” characterisation. This challenge has force: editorial choices about blog topics are governed by many factors beyond geopolitical neutrality, including audience research, SEO strategy, and editorial bandwidth. The scoring file acknowledges this by placing the finding at the lower end of Band 2.1–3.0 (score 2.50) rather than elevating it to Band 3.1–4.0 (active normalisation or state partnership), and the low Magnitude score (1.50) reflects that the political act is a passive omission with limited direct audience reach.
A second challenge is that the absence of a corporate statement is itself unfalsifiable from the outside: Surfshark may have internal policies or legal advice precluding public comment on active conflicts that are unrelated to any pro-Israel orientation. Without internal documentation, the selective nature of the silence cannot be fully confirmed. The finding is therefore characterised as a documented asymmetry, not as evidence of intent.
A third consideration is whether the low VPN usage in Gaza — a market with limited broadband penetration and purchasing power — means that Surfshark’s silence had any material effect on civil society access to information. This is an open question. The scoring does not depend on downstream effect; it assesses the company’s communications conduct against its own stated civic mission.
For the V-POL score to change materially upward, one or more of the following would need to be confirmed: active lobbying or financial contributions to conflict-adjacent organisations; a formal state partnership with an Israeli government body; or suppression of employee or user speech on the conflict. None of these has been identified.
| Entity | Type | Relationship to Surfshark | Evidence |
|---|---|---|---|
| Vytautas Kaziukonis | Founder/CEO | No public conflict statements identified | Crunchbase 31 |
| Tom Okman | Nord Security co-founder | No public conflict statements identified | Nord Security about page 33 |
| Eimantas Sabaliauskas | Nord Security co-founder | No public conflict statements identified | Nord Security about page 33 |
| Warburg Pincus | Institutional investor | No conflict-adjacent public role identified | Bloomberg 4 |
| Internet Shutdown Tracker | Surfshark civic tool | Documented Gaza disruptions; no statement issued | Surfshark research 2 |
| Censorship Radar | Surfshark civic tool | Documented Gaza disruptions; no statement issued | Surfshark research 3 |
| BDS National Committee | Civil society | Does not list Surfshark as a target | BDS target lists 25 |
| FIDF / JNF | Israeli-aligned organisations | No Surfshark donations identified | No public evidence |
| OpenSecrets | US political finance registry | No Surfshark PAC/lobbying entries | OpenSecrets 35 |
| US Senate LDA | Lobbying registry | No Surfshark filings | Senate LDA 34 |
| Deloitte | Audit firm | No-logs audit, civic/governance dimension | Surfshark blog 8 |
| Cybersecurity Excellence Awards | Industry body | Surfshark award recipient; no geopolitical dimension | CyberEx Awards 39 |
Across all four domains, the most systemic evidence limitation is Surfshark’s status as a privately held entity within a post-merger group that does not publish audited consolidated financial accounts or a comprehensive vendor disclosure. The full beneficial-ownership cap table of Nord Security, the identity of Surfshark’s Israeli exit-node sub-contractor, and the complete group-level IT procurement stack are all unverified from public sources. In each case the audit has assessed the gap as unlikely to be material given the structural indicators available — software-only business model, Lithuania/Netherlands domicile, Nordic PE investment — but a live audit with access to internal records would provide greater certainty.
A second systemic limitation is the time-bounded nature of the training data. Evidence gaps that are described as “no public evidence identified” reflect the state of publicly accessible information through 2026-04. New corporate disclosures, procurement database updates, or NGO investigations published after that date could introduce new signals.
A third structural consideration is that Surfshark’s nil V-MIL finding is robust in a way the other nil findings are not: V-MIL’s scope explicitly requires physical products, hardware services, or kinetic logistics, which Surfshark demonstrably does not produce. The V-DIG, V-ECON, and V-POL nil findings in their respective sub-categories rest on the absence of evidence from public sources rather than structural business-model exclusion, and are therefore somewhat less definitive in nature, though they are well corroborated across multiple independent source classes.
| Entity | Type | Domain(s) | Significance |
|---|---|---|---|
| Surfshark B.V. | Company — Netherlands | All | Primary legal and revenue entity |
| Surfshark Ltd | Company — UK | V-ECON, V-POL | UK registered entity (Companies House 11621280) |
| Nord Security | Parent group — Lithuania | All | Post-2022 merger parent; controls group governance |
| Cyberspace B.V. | Netherlands holding entity | V-DIG, V-ECON | Post-merger European corporate vehicle |
| Vytautas Kaziukonis | Individual — founder/CEO | V-ECON, V-POL | Lithuanian national; no Israeli ties identified |
| Tom Okman | Individual — Nord Security co-founder | V-POL | No conflict-adjacent statements or donations identified |
| Eimantas Sabaliauskas | Individual — Nord Security co-founder | V-POL | No conflict-adjacent statements or donations identified |
| Warburg Pincus | PE fund — USA | V-ECON, V-POL | 2021 institutional investor; no Israeli exposure identified |
| Verdane Capital | PE fund — Norway | V-ECON | Pre-merger Surfshark growth equity; full LP list unverified |
| Cure53 | Security auditor — Germany | V-DIG | Published pentest reports; no Israeli connection |
| Deloitte | Audit firm | V-DIG, V-POL | 2023 no-logs policy audit |
| Israeli VPN exit node | Infrastructure | V-DIG, V-ECON | One of ~100 commercial nodes; sub-contractor undisclosed |
| Internet Shutdown Tracker | Civic tool (Surfshark) | V-POL | Documented Gaza disruptions; no statement issued |
| Censorship Radar | Civic tool (Surfshark) | V-POL | Documented Gaza disruptions; no statement issued |
| SIBAT | Israeli defence export directorate | V-MIL | No Surfshark listing |
| Elbit Systems | Israeli defence prime | V-MIL | No supply relationship |
| IAI | Israeli defence prime | V-MIL | No supply relationship |
| Rafael Advanced Defense Systems | Israeli defence prime | V-MIL | No supply relationship |
| SIPRI Arms Transfers Database | International database | V-MIL | No Surfshark entry |
| Who Profits Research Center | NGO database | V-MIL, V-ECON | No Surfshark entry |
| BDS National Committee | Civil society | V-DIG, V-ECON, V-POL | Does not list Surfshark |
| PACBI | Civil society | V-DIG | Does not list Surfshark |
| UN OHCHR B-list (A/HRC/43/71) | UN database | V-ECON | No Surfshark entry |
| Domain | I | M | P | V-Score |
|---|---|---|---|---|
| V-MIL | 0.00 | 0.00 | 0.00 | 0.00 |
| V-DIG | 2.50 | 1.50 | 7.50 | 0.54 |
| V-ECON | 2.50 | 1.50 | 7.50 | 0.54 |
| V-POL | 2.50 | 1.50 | 8.50 | 0.54 |
Composite BDS-1000 Score: 47 — Tier E (0–199)
The V-MIL zero score follows from a software-only business model that structurally excludes all physical and kinetic criteria in the rubric’s Band 0.0 definition. The three non-zero domain scores are equal at 0.54, each reflecting the same underlying pattern: a low-Impact consumer commercial relationship (Band 2.1–3.0), very low Magnitude (one of ~100 global markets or an omission with limited reach), and high Proximity because Surfshark is the direct service provider or direct decision-maker in each case. The composite formula applies a 0.2 discount to the two supporting domain scores relative to the leading score, producing a final BRS of 47.
V-MIL — High confidence. The null finding is robustly cross-validated across SIPRI, Who Profits, SIBAT, NGO databases, and patent registries. The software-only business model structurally excludes I-MIL relevance. No finding currently available could materially change this score.
V-DIG — Moderate confidence. The key unresolved questions are: (1) the identity of the Israeli exit-node sub-contractor; (2) whether that node is physically co-located within Israel or is a virtual routing arrangement; and (3) whether the Nord Security group-level IT procurement stack includes undisclosed Israeli-origin software. None of these gaps is assessable from public sources alone. In no reasonably foreseeable scenario would resolving them change the Impact band from 2.1–3.0 to a higher band, but they could affect the granular characterisation of the Proximity relationship.
V-ECON — High confidence. The corporate structure (Netherlands/Lithuania domicile, Norwegian and US PE investment, Lithuanian founders) is well-evidenced across multiple independent sources. The absence of Israeli FDI, R&D, or physical presence is cross-validated by Who Profits, the UN OHCHR B-list, BDS databases, and Crunchbase. The residual gap (Verdane Capital full LP list) is assessed as unlikely to be material. Open question: Verdane Capital’s complete LP and portfolio disclosures have not been cross-referenced against Israeli market assets.
V-POL — Moderate confidence. The selective-silence finding is grounded in documented evidence — the company operates Gaza-relevant tracking tools and has published conflict-adjacent content for other geopolitical events, yet issued nothing on Gaza — but the inference of a “double standard” cannot exclude alternative editorial explanations (legal caution, audience prioritisation, editorial bandwidth). The finding is conservatively scored. Open question: whether Surfshark has any unpublished internal policy on conflict coverage that would explain the asymmetry without implying selective deference to one party.
Composite — High confidence that the score accurately represents a very low level of identified involvement. The Tier E classification is stable across all reasonably foreseeable resolutions of the documented evidence gaps.
The following recommendations are grounded in the validated score of 47 (Tier E) and the specific evidence gaps identified in the audit. They are proportionate to the low level of identified involvement and should be revised upward only if new evidence resolves current gaps in a materially adverse direction.
For procurement officers and institutional buyers: Surfshark’s BDS-1000 score of 47 (Tier E) does not trigger exclusion thresholds under standard BDS-aligned procurement policies, which typically apply from Tier D (200–399) upward. Standard commercial engagement may proceed without specific BDS-related conditions. A recommended due-diligence action is to request disclosure of the Israeli exit-node sub-contractor identity before finalising any contract, solely to resolve the V-DIG evidence gap.
For civil society monitors and researchers: The most productive investigative target is the Israeli exit-node sub-contractor. Identifying whether the hosting provider has Israeli state or defence connections — via a technical audit, a disclosed data-centre provider relationship, or a regulatory filing — would either confirm the current Band 2.1–3.0 characterisation or potentially elevate it. The V-POL selective-silence finding would benefit from a longitudinal review of Surfshark’s full blog and press-release archive to strengthen or qualify the asymmetry analysis.
For Surfshark itself: The V-POL selective-silence finding creates a minor but real reputational inconsistency between Surfshark’s stated civic mission (internet freedom, anti-censorship) and its communications practice during the Gaza conflict. Publishing a transparent statement on how the company’s civic research tools apply to the Israel-Palestine context — without necessarily taking a political position — would resolve this inconsistency and reduce the documented asymmetry. Separately, disclosing the identity of the Israeli exit-node hosting provider in the server list would resolve the V-DIG evidence gap at no operational cost.
For investors and ESG analysts: The score of 47 (Tier E) is consistent with a consumer software company whose Israeli-market footprint is commercially negligible and structurally equivalent to any other of its approximately 100 global markets. No material ESG risk is indicated by the current evidence base. The residual uncertainties (exit-node sub-contractor, full beneficial-ownership disclosure) are standard private-company disclosure gaps and do not independently constitute ESG concerns at this score level.
Surfshark corporate overview — https://surfshark.com/about-us ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
Surfshark Internet Shutdown Tracker — https://surfshark.com/research/internet-shutdown-tracker ↩↩↩
Surfshark Censorship Radar — https://surfshark.com/research/censorship-tracker ↩↩↩
Nord Security USD 100M funding round — https://www.bloomberg.com/news/articles/2021-10-06/nord-security-raises-100-million-in-first-outside-funding ↩↩↩↩↩
Nord Security–Surfshark merger announcement — https://techcrunch.com/2022/02/01/surfshark-and-nord-security-merge/ ↩↩↩↩↩↩↩↩↩↩↩
Nord Security–Surfshark merger detail — https://www.theverge.com/2022/2/1/22912068/nord-security-surfshark-merger-vpn ↩↩↩↩↩↩↩
Surfshark Deloitte no-logs audit — https://surfshark.com/blog/deloitte-audit ↩↩↩↩↩↩↩↩
Cure53 penetration test report — https://cure53.de/pentest-report_surfshark.pdf ↩↩↩↩
Surfshark transparency report — https://surfshark.com/transparency-report ↩
Surfshark infrastructure overview — https://surfshark.com/blog/surfshark-infrastructure ↩↩↩↩↩
Surfshark Ltd — UK Companies House — https://find-and-update.company-information.service.gov.uk/company/11621280 ↩
Surfshark Crunchbase profile — https://www.crunchbase.com/organization/surfshark ↩↩↩↩↩
Surfshark global server list — https://surfshark.com/servers ↩↩↩↩↩↩
Surfshark RAM-only server architecture — https://surfshark.com/blog/ram-only-servers ↩↩
Surfshark warrant canary — https://surfshark.com/warrant-canary ↩↩
Surfshark privacy policy — https://surfshark.com/privacy/privacy-policy ↩
Amnesty International technology pages — https://www.amnesty.org/en/technology/ ↩↩↩↩
SIPRI Arms Transfers Database — https://www.sipri.org/databases/armstransfers ↩↩
Human Rights Watch technology and rights — https://www.hrw.org/topic/technology-and-rights ↩↩↩
Project Nimbus reporting — https://www.theguardian.com/technology/2021/oct/12/google-amazon-israel-project-nimbus-military-contract ↩↩
Project Nimbus protests — https://www.reuters.com/technology/google-workers-arrested-protest-project-nimbus-2024-04-18/ ↩↩
Surfshark LinkedIn company profile — https://www.linkedin.com/company/surfshark/ ↩↩↩
BDS Movement technology companies — https://bdsmovement.net/technology-companies ↩↩↩↩
PACBI — https://pacbi.org/ ↩
Lithuanian Companies Register — https://www.registrucentras.lt/ ↩↩
Corporate Occupation project — https://corporateoccupation.org/ ↩↩
BDS Movement company database — https://bdsmovement.net/ ↩
Surfshark Ltd Companies House search — https://find-and-update.company-information.service.gov.uk/search?q=surfshark ↩
Vytautas Kaziukonis Crunchbase profile — https://www.crunchbase.com/person/vytautas-kaziukonis ↩↩
UN OHCHR settlement business database — https://www.ohchr.org/en/hr-bodies/hrc/sessions/database-business-activities ↩
Nord Security about page — https://nordsecurity.com/about ↩↩↩
US Senate Lobbying Disclosure Act database — https://lda.senate.gov/system/public/ ↩↩
OpenSecrets Surfshark search — https://www.opensecrets.org/search?q=surfshark ↩↩
VPN surge Israel-Gaza reporting — https://restofworld.org/2023/vpn-surge-israel-gaza-october-7/ ↩
Surfshark Glassdoor reviews — https://www.glassdoor.com/Reviews/Surfshark-Reviews-E3606255.htm ↩
Surfshark terms of service — https://surfshark.com/terms-of-service ↩
Cybersecurity Excellence Awards — Surfshark — https://cybersecurity-excellence-awards.com/candidates/surfshark/ ↩
