Who Owns Your VPN? The Quiet Consolidation Nobody Voted For
NordVPN and Surfshark share a parent company. A few holding groups control much of the market. When you can't see who's behind your privacy tool, "trust us" is the entire product.
Two threads dominated Hacker News this week. One was technical: 'Mullvad exit IPs are surprisingly identifying' (613 points) — researchers showing that a VPN's exit IP can fingerprint users across servers. The other was structural: 'Who owns ExpressVPN, Nord, Surfshark?' (673 points, 427 comments) — a relationship map showing how few hands actually hold the consumer VPN market.
We covered the fingerprinting research separately in "VPN Exit IPs Can Fingerprint You" — the short version is that every tunnel has an exit IP, ours included, so there's no magic VPN that escapes it. This post is about the second story, which gets less attention and matters just as much: most people have no idea who owns the company they're trusting with their traffic.
These aren't isolated. They're the same question asked from two directions — how much do you actually know about the tool you've made your privacy depend on?
The Consolidation You Didn't See
The Windscribe-authored map behind the 673-point thread laid out a picture most users never see. NordVPN's parent company merged with Surfshark, so two brands marketed as independent alternatives now sit under one roof. Kape Technologies — a company with roots in ad software — acquired ExpressVPN, CyberGhost, and Private Internet Access. A handful of private-equity-backed holding groups now sit behind a large share of the names you'd recognize.
The practical effect: users who thought they were diversifying by picking "a different VPN" were often concentrating into the same parent. The "no single point of failure" logic for spreading trust across providers quietly collapsed.
Why Ownership Is a Privacy Question
A VPN sits in a privileged position: it sees which servers you connect through, when, and — depending on the product and its policies — potentially more. That makes who owns the company, and what their incentives are, inseparable from how private the product really is. Policies are written by owners. Owners change. A no-logs promise is only as durable as the company's intentions and the laws it operates under — and both can shift the day a holding company changes hands or a court issues an order.
This isn't an accusation against any one provider. It's a structural point: when ownership is opaque or consolidating, the phrase "trust us" is carrying far more weight than most buyers realize.
Where Casper's Cloak Stands
Casper's Cloak is independent. It isn't part of that consolidation — not owned by Kape, the Nord-Surfshark group, or the other holding companies in the map that alarmed 673 HN voters this week. The ownership question simply doesn't route back to a conglomerate in our case.
It's also more than a VPN. Casper's Cloak combines on-device threat detection, DNS and network filtering, anti-tracking, and an encrypted WireGuard tunnel in one app — so the value isn't only in the tunnel (which, as the fingerprinting research showed, was never the whole story), but in the layers of protection running alongside it.
What to Ask Before You Trust a Privacy Tool
If you're re-evaluating your privacy stack after this week's HN threads, the questions worth asking are less about marketing and more about structure:
- Do you know who actually owns the company behind it — not the brand, the parent?
- Could it change hands without you ever being told?
- Is your privacy the product, or a line item on someone's balance sheet?
The fingerprinting story and the ownership story landed in the same week for a reason: both are really about how little most people know about the tools they rely on. You don't fix that by switching to another box you can't see inside. You fix it by choosing tools whose makeup — and ownership — you can actually examine.