Meet NordSec: The company behind NordVPN wants to be your one-stop privacy suite
The company behind NordVPN has big plans to offer a threat protection suite, a “different kind of antivirus system,” and protect your privacy at the edge of a network. But before that vision becomes reality, NordSec, the company that counts NordVPN as its flagship, will have to win over consumers and businesses to expand.
Welcome to our in-depth look at the folks behind NordVPN. As the company moves into a broader range of security products, we felt it was important to understand the company’s offerings and, perhaps more important, the company’s background and legal foundation. After all, NordSec co-founder Tomas Okman said if he delivers on his 2025 ambition, the company “will be a global synonym of digital privacy and cybersecurity.”
Today, Okman oversees one of the most popular virtual private network services globally. NordVPN protects data transmitted to and from the internet for approximately 14 million consumers. Now, the people who make NordVPN want to store and protect all your passwords, your confidential files, and want to extend NordVPN’s protections to small and large businesses.
But what is NordVPN? The answer turns out to be less clear than you might expect and requires taking a short dive into VPN culture.
The VPN boom
VPNs are subject to a variety of use cases. At its core, a VPN creates a secure tunnel through which data can travel. That tunnel makes point-to-point VPNs attractive to businesses, for example, who might want to connect branch offices to their corporate network.
But NordVPN’s growth — and the growth of the entire consumer VPN business — is driven by two other key user classes. The first is “safe surfers,” those with the desire to browse the web securely while out and about, using available Wi-Fi in places like coffee shops and airports. Public Wi-Fi is inherently dangerous, but a necessity for many users. VPNs help protect data sent through those potentially compromised networks.
The second key user class is “hiders,” those who want to hide that they’re using a VPN, hide their location, or hide any digital footprints they leave that might provide clues to their identity. Those who rely on these features range from people hiding their searches from abusive spouses, activists hiding their access from intrusive governments, and a wide range of sketchy individuals trying to hide illicit activity or cheat geolocation restrictions.
Either way, the VPN market is huge. Statistica said the VPN market was a $23.6 billion industry in 2019 and will hit $35.73 billion in 2022. Global Market Insights puts the VPN market at $25 billion for 2019 and projects it to be north of $70 billion in 2026.
When the consumer VPN market started to take off, it was driven heavily by the “hiders.” These folks didn’t want to use a service that stored their information or traffic history. They were so concerned about a potential compromise that they didn’t even want to use companies that were under the jurisdiction of nations that could legally subpoena their traffic history.
It was into this environment of “VPN theatre” that NordVPN was born, back in 2012. The operators of NordVPN have long advertised that their country of jurisdiction is Panama. This is particularly appealing to the “hiders” because Panama doesn’t have mandatory data retention laws. It also doesn’t participate in any signals intelligence agreements between certain nations that allow for data sharing. It isn’t party to either the Quadripartite Pact (better known as Five Eyes or UKUSA) or SIGINT Seniors Europe (or SSEUR, better known as Fourteen Eyes).
In other words, a big part of NordVPN’s appeal was that its hider customers couldn’t be touched by law enforcement or legal discovery looking into an individual’s data traffic.
Here’s the core question: What happens when a company caters to hiders but hopes to become a well-respected security company with a broad range of offerings beyond VPN?
Who is behind NordVPN?
The company behind NordVPN is moving from a single-product vendor to a purveyor of security solutions. When a company sells a single product, tech journalists tend to focus on the product more than the vendor. But when a company starts to grow, especially in the security space, we start to profile the company as well as the products. We want to get to know the company, understand its strategy, identify its competitive position, and so forth.
To that end, I reached out to Okman, co-founder of NordSec. NordSec, incidentally, appears to be the company’s name. We’ll get back to that in a moment, because … well, it’s complicated.
Okman’s LinkedIn page lists him as co-founder of NordSec since 2017 and a co-founder of Tesonet since 2008. Tesonet’s about page says the company is “an incubator, a venture builder, a digital frontier specializing in all things IT.”
Okman told me his co-founder is a guy named Eimantas (surname-redacted), who is both a childhood friend and a business partner. Although I requested and was provided with Eimantas’ surname, Okman told me, “I had no intent to hide Eimantas’ surname. Eimantas prefers not to share his surname in the article. Not that he’s hiding or anything, he is available on Linkedin and anyone can find him to be a NordSec owner. He just values his privacy and chooses to stay less public.”
I was provided with a link to Eimantas’ LinkedIn page, which also shows him as a co-founder of NordSec since 2017 and a co-founder of Tesonet since 2008.
Both Tomas Okman and Eimantas attended Vilnius University, founded in the 16th century and located in Vilnius, Lithuania. Eimantas attended from 2002 to 2006 and received a Bachelor’s degree in computer science, while Tomas attended from 2006 to 2011 and earned a Bachelor’s in history. Okman also picked up a Master’s in e-business management from Mykolas Romeris University, also in Vilnius.
NordSec, Tesonet, and Tefincom — and Panama, Cyprus, and Lithuania
All of that brings us back to NordSec, which is the name Okman and his team are using going forward. Think the name NordSec is familiar? NordSec is also the name of the Nordic Conference on Secure IT Systems and has been in use since 1996. When I asked Okman about the possible trademark ramifications of using “NordSec,” he replied, “we have a pending trademark application, and we provide a different type of service, so we don’t think there is anything that could cause a conflict.”
Another name that often comes up when discussing NordVPN is Tefincom S.A. Tefincom has long been credited as the Panama-based operator of NordVPN. Interestingly, there’s a Dun & Bradstreet record for Tefincom, listing the company as located on the island of Cyprus — not Panama. While there are four D&B records for NordSec, none of them are for Okman’s firm.
As it turns out, Tefincom owns the US trademark, registration number 5299477, for NordVPN. While the first use of the term NordVPN dates back in the filing to September 30, 2012, the trademark was filed on October 3, 2016, and was finally registered on October 3, 2017.
So now we have three countries: Panama, Cyprus, and Lithuania, and three companies: NordSec, Tefincom, and Tesonet.
We can first try to clarify Tesonet. According to a blog post on the Tesonet site, Tomas and Eimantas started the company back in 2008 to work on one project. Tesonet provides cybersecurity, machine learning, technical support, and business hosting solutions globally with about a thousand employees. As of 2017, Eimantas and Tomas still appear to be involved in the company.
There is clearly some employee cross-over between Tesonet and NordSec. According to RocketReach’s profile of the company, not only are Eimantas and Tomas listed as employees of Tesonet, so is my primary marketing contact at NordVPN.
So now let’s look at Tefincom. According to OpenCorporates.com, it was registered in Panama on April 29, 2016. The company’s three directors are listed as Marios Papaloizou, Angelos Hadjimichael, and Alina Gatsaniuk. Papaloizou is an attorney with the Christodoulides & Papaloizou & Matsas Law Firm, based in Nicosia, Cyprus. According to LinkedIn, Hadjimichael is a senior corporate consultant at CEOCORP Limited, also based in Cyprus. Gatsaniuk is listed on LinkedIn as a managing director of Globalgen Cyprus Limited.
That appears to be our connection to Cyprus. It looks like the parties listed as Tefincom’s directors are all based in Cyprus, and are probably all connected to the Christodoulides & Papaloizou & Matsas Law Firm.
This connection makes a lot of sense. Being registered in a domicile district does not necessarily mean you live and work in that location. Take all the companies in the US that incorporate in Delaware. What they do is use a Delaware registered agent and a Delaware mailing address, but operate elsewhere. Most likely, Tomas and Eimantas reached out to the Cyprus-based law firm to perform the registration. That firm, in turn, most likely reached out to the Panama firm of Icaza, González-Ruiz & Alemán, who is listed as Tefincom’s registered agent of record.
Whew! Okay, so Panama is in the mix because it has limited data sharing laws. Cyprus is in the mix because that’s where the attorneys and registered directors are located. And Lithuania is in the mix because that’s where NordSec and Tesonet operate out of.
When I asked Okman about all of this, he told me, “NordVPN is a leading VPN service provider in the world. Its brand is owned by Tefincom — a company based and operating under the jurisdiction of Panama. We chose Panama to incorporate NordVPN as it provides one of the best legislative environments for the security- and privacy-oriented product, while allowing other operations to remain global. NordSec is built by a team of specialists from all over the world, with offices located in Lithuania, the UK, Panama, and Netherlands.”
Speaking of Lithuania, it’s not entirely clear that Tefincom’s registration in Panama will protect NordVPN users from government discovery, particularly when it comes to the US government. Lithuania is party to Mutual Legal Assistance Treaties (MLAT) with the United States Department of State. Such treaties “allow generally for the exchange of evidence and information in criminal and related matters. In money laundering cases, they can be extremely useful as a means of obtaining banking and other financial records from our treaty partners.”
In other words, just because NordVPN uses Panama as its jurisdiction of record, don’t count on your data legally being out of reach of MLAT-party government attorneys who want to pierce the corporate veil.
Okman’s response to that is, “This treaty has nothing to do with the way in which user data is treated. NordVPN incorporation in Panama allows us to comply with the requests for data only if these requests are issued by the Panamanian court. And even then, we wouldn’t have anything of actual significance to provide.”
All that brings us to NordSec. Tomas Okman told me, “NordSec is two things: a holding company that does not provide operational value and a brand that defines a suite of different products under Nord’s name.”
Let’s look at those products now.
NordSec made its name through its nearly eponymous NordVPN product. Today, the company has a number of Nord-prefixed offerings, including:
- NordVPN: The consumer VPN offering designed to protect mobile devices.
- NordVPN Teams: An extension of NordVPN with SMB and enterprise capabilities.
- NordLynx: An extended protocol based on the widely-lauded open-source WireGuard technology.
- NordPass: NordSec’s version of a password manager.
- NordLocker: Secured cloud-based file storage.
We’ll discuss each of these in-depth in a moment, but first I want to touch on a topic critical for a company focused on security: audits.
In 2019, the company reported a substantial security breach. NordSec reported that they implemented remediation steps as well as introducing a bug bounty program as part of an extensive security overhaul.
Regarding that breach, Okman told us, “The security incident occurred in 2018. Our research indicates that it happened on or around March 5th on a single server in Sweden. Unsecure account was deleted by ISP on March 20th, making any unauthorized access to the server virtually impossible. We became aware about the incident a year later and immediately started an internal audit, and heavily upgraded the security of our infrastructure.”
For years, I’ve been pushing VPN companies to commission independent audits. Because so much data runs through VPN services, it’s essential to know how well data is being protected. In addition, many VPN providers claim that they keep no records, so if a government wants to examine customers’ surfing history, there’s no data to provide. For the safety of their at-risk customers, it’s essential to get an independent review of whether anonymity is, in fact, protected.
To its credit, NordSec has made a number of moves in this direction.
Audit of no-logs claim: In 2018, NordSec retained PwC (PricewaterhouseCoopers) to conduct a comprehensive audit of their no-logs policy for their consumer VPN product. PwC is the second largest professional services firm in the world and is one of the Big Four accounting firms. The result was that PwC determined that NordSec’s claims are valid. Given that NordSec’s data may be vulnerable to MLAT jurisdiction, it’s all that much more important that no data be logged for security-conscious VPN users.
App security audit: In late 2019, NordSec commissioned a comprehensive app security audit of the NordVPN product. The audit was performed by cybersecurity consulting firm VerSprite, founded in 2007 and headquartered in Atlanta, Georgia. According to NordSec’s report on the audit, VerSprite conducted penetration testing and looked for vulnerabilities and ways to gain access to confidential user data. The audit found some security vulnerabilities that were fixed. It’s unclear whether this audit took place before or after the breach.
NordPass audit: Password managers are unique in that they’re entrusted with all our most critical information: our logins, passwords, credit card numbers, and even bank account information. The success of a password manager revolves around maintaining customer trust. To that end, NordSec commissioned its third audit, this time by security firm Cure53, located in Berlin. Nine vulnerabilities, and eight other issues, were documented by the auditors and reported as fixed by NordSec.
To ensure customer confidence, we encourage NordSec to conduct these audits on a yearly basis. It’s been two years since the no-logs audit, and considering all the growth going on in the company, that’s a long time.
And with that, let’s look into each of NordSec’s offerings in detail.
First up is NordVPN, the product/service that started it all. Founded in 2012 by Okman and his partner, the VPN service is in use by millions of users across the world. In an exclusive report for PCMag by analyst firm VPNpro.com , PCMag reported that NordVPN had the most Google interest of any VPN service, with 1.29M searches per month as of February 2019.
We’re not going to go into too much detail here, because we’ve covered NordVPN in-depth as part of our best of VPNs articles, my in-depth review, and even a profile Q&A with CMO Marty Kamden. If you’re curious about the VPN product, go ahead and read those articles.
Launched in 2019, NordVPN Teams is NordSec’s first push into SMB and enterprise offerings. The company’s goal, according to Okman, was to create a competitive B2B VPN service that would keep all the best characteristics of business VPNs, but at the same time would be cloud-based, and easy to configure and use.
He contends that what separates NordVPN Teams from traditional B2B VPN services is that it does not require a separate IT department to set up the service. He promises that employees of all backgrounds can learn how to get the most out of it in minutes.
The product is sold in three tiers: basic, advanced, and enterprise. The basic tier offers centralized billing and license transferability, along with the usual VPN features. The slightly more expensive advanced tier offers a dedicated account manager, dedicated servers, custom gateways, and reporting and logs. This latter might be problematic for some VPN users who are loath to have any records kept by anyone.
Finally, at the enterprise level, NordSec is offering enterprise-centric features like centralized configuration and management, LDAP and Active Directory, API access, site-to-site VPN, and custom branding.
NordSec also offers a special plan for NGOs (non-government organizations, typically nonprofits).
When it comes to tracking where NordSec is going in the VPN market, we have to discuss the company’s adoption of WireGuard technology.
Probably the best way to understand WireGuard is how it compares to OpenVPN, one of the most popular VPN security implementations. Compared to OpenVPN, WireGuard uses only 4% of the number of lines of code. This is important, because the more complex a software project is, the harder it is to manage. When it comes to a security implementation, the bigger codebase makes it far harder to find problems and far more likely that a vulnerability is hidden somewhere in the code.
The 4,000 lines of code in WireGuard compared to 100,000 in OpenVPN inspire glowing praise. Even the legendarily curmudgeonly Linux creator, Linux Torvalds, waxed poetic. On the Linux Kernel Mailing List he wrote, “Can I just once again state my love for it?” He continues, “Compared to the horrors that are OpenVPN and IPSec, it’s a work of art.”
That brings us to NordLynx, NordSec’s next-generation tunneling solution built on top of WireGuard. WireGuard provides the advanced cryptography and lean implementation but lacks server-side capabilities that a VPN provider needs for widespread deployment.
According to Okman, “so around a year ago, we came up with a technological solution to the privacy problem, called it NordLynx, and launched it as an option for our Linux users.”
He says coding took almost a year of polishing, testing and patching until the technology was ready to scale, but the company has been able to release it for all of its platforms. Okman says, “so far, the feedback exceeds our expectations. We knew from our tests that NordLynx is fast, but we didn’t expect such a positive response from our users.”
The speed tests he’s referring to were 256,886 field performance measurements by the company. They performed nearly 8,200 tests every day for a month. While the distance between a VPN server and the content server has the greatest impact on users’ perceived performance, NordLynx was able to double the performance over OpenVPN and IKEv2.
There are three net positives from the development and adoption of the NordLynx protocol:
The underlying cryptographic technology is far more robust and easier to maintain than the OpenVPN implementation.
Any speed improvement is a win. Doubling performance is always something appreciated by users.
With NordLynx, the company has been able to leverage a cutting-edge open source technology and adapt it to fit their product and service needs.
With NordPass, the company aims to take on market leaders like LastPass and 1Password in the password manager wars.
It’s a big step into a very crowded and entrenched market. Not only are there a great many contenders, but the nature of the product also provides a natural form of lock-in. Even though the amount of data stored is low compared to, say, cloud file storage services like Dropbox, data migration isn’t particularly easy or reliable.
That said, NordSec does have two advantages with NordPass. First, it has an enormous and generally satisfied privacy-minded installed base using its NordVPN service. This gives it a lot of potential customers to tap. Second, the company has implemented .csv (comma-separated values) import templates for many of the top password managers and browser password caches.
Nord is once again taking security seriously in this implementation. It’s built a zero-knowledge NordPass vault that relies on modern ciphers: XChaCha20 for encryption and Argon2 for key derivation. NordPass offers OCR scanning, biometric authorization, and secure password sharing, where Okman says, “shared items cannot be intercepted with man-in-the-middle attacks.”
If there’s one thing you can feel reasonably confident about, it’s that NordSec can secure data in transit. With NordLynx and NordVPN, pretty much its raison d’etre has been secure, encrypted transmission.
But if you want to store files in the cloud, you may also be concerned with protecting them when they’re at rest. In other words, when all those files are camping out on all those servers out there, are they encrypted or not?
NordLocker, announced last November, aims to enter the cloud file storage market, but with encryption being the key benefit promoted. Once again, NordSec is using advanced encryption technologies, but early reviews fault the product in a number of ways, including — critically — a lack of multi-factor authentication.
So, what does NordLocker do that Dropbox and G Suite don’t? Today, not so much. But NordSec is staking out ground in cloud-based file encryption, which is a logical security-centric line extension for the Nord brand.
NordSec told us it has 700+ employees. Given the relatively small employee count for a technology company with NordSec’s reach, it’s interesting to look at the relatively ambitious scope of the company’s development agenda.
According to co-founder Okman, NordSec grew its R&D team substantially in 2019, tasking developers with focusing on the research and implementation of new technologies that could benefit online security and privacy.
Okman tells us that one key area of work is anti-malware. The NordSec team is reportedly close to completing a proof-of-concept for an approach Okaman says “might render antivirus systems useless.”
NordSec is exploring technology that may be able to detect malware before it lands on devices, block third-party trackers or cookies, cut the communication between devices and botnet command and control servers, and more.
As Okman describes it, “The project is still in an early stage, and we might be unaware of some future obstacles, but what we have so far seems very exciting.”
Another project underway is a new traffic obfuscation technique that Okman enthusiastically claims “is unprecedented in the industry.”
One area that may be particularly interesting to techies and consumers, while disturbing for governments, is possible integration with Geneva. Geneva, which stands for “genetic evasion,” is a tool being developed by the University of Maryland computer scientists that evolves, modifying data in motion to evade nation-state censors.
According to University of Maryland assistant professor Dave Levin:
With Geneva, we are, for the first time, at a major advantage in the censorship arms race. Geneva represents the first step toward a whole new arms race in which artificial intelligence systems of censors and evaders compete with one another. Ultimately, winning this race means bringing free speech and open communication to millions of users around the world who currently don’t have them.
Okman tells us that NordSec is discussing future integration of NordVPN with Geneva technology. According to the university, “Tested in China, India, and Kazakhstan, Geneva found dozens of ways to circumvent censorship by exploiting gaps in censors’ logic and finding bugs that the researchers say would have been virtually impossible for humans to find manually.”
Finally, Okman tells us NordSec is considering entering the secure hosting field. We’ll be watching closely for more news on that possible development.
NordSec in 2025
We asked Okman to speculate about NordSec’s long term growth and evolution. We wanted to get an idea of what Okman’s vision was for the company. Most companies never provide any forward-looking views into their product plans, so we were impressed that Okman gave us his future product vision.
He described a single application for consumers. The idea is that users would download it once, activate it, and “forget about its existence for good.”
His goal is to offer a single application that covers all of the important areas of consumer security. He wants to include a firewall, a VPN service, and “a different kind of antivirus system, which does not misuse your data and barely operates on the device level.”
The software would also tell users what is tracking them online, how many trackers there are, and provide the option to block individual trackers. It notifies you when a service you use is breached and your credentials become available online.
Okman sees NordSec’s mission as threat protection. He wants to transform consumer and business security so that “all the analysis, detection and containment is done on the edge of the network, way before a threat reaches sensitive devices.”
So what does Okman view as the elevator pitch for NordSec’s future? He puts it this way, “Nord will not only be about Vikings and the cold — it will be a global synonym of digital privacy and cybersecurity.”
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.