For many people, a VPN is accepted as being their best bet for protecting their data and online privacy. While cyber security is certainly a concern for them, most VPN users aren’t exactly adept when it comes to information technology. Like any consumer, they typically err on the side of using a trusted name within the industry. In many ways, ExpressVPN is that standard-bearer. Since it began in 2009, ExpressVPN has signed up millions of users for its service under the promise that it does everything from encrypting data on their internet browser to masking their IP address in order to protect users against hackers and government surveillance.
What most of the 3 million users who currently use ExpressVPN probably weren’t aware of when they signed up is that the service proves the point that hackers and government surveillance aren’t mutually exclusive. On September 13th, ExpressVPN was sold to the Israel-based company Kape Technologies in a $936 million cash and stock purchase. This acquisition added ExpressVPN to a catalog including several other VPN providers acquired by Kape Technologies since 2017. The acquiring company touted its purchase as being integral to defining the next generation in its fight for online privacy. However, the centralization of the VPN services Kape Technologies owns and an examination of its history reveal the company’s efforts to undermine that very cause as a distributor of malware with ties to US and Israeli intelligence operations.
Kape Technologies was founded in 2011 by partners Koby Menachemi and Shmueli Ahdut under the name CrossRider. In its early days, CrossRider did not bill itself as a cyber security company. Instead, the focus of the company was on web browsing and advertising technologies. Just 20 months after its founding, the tech start-up with $2 million in working capital was purchased by Israeli tech billionaire Teddy Sagi for $37 million. Menachemi and Ahdut would stay on at the company as its CEO and CTO following the purchase. With the injection of capital that Sagi’s purchase put into the company, CrossRider pivoted its operations toward cyber security. In 2017, CrossRider cemented that change of direction when it purchased CyberGhost VPN for $10.4 million. Upon its acquisition of the Romania-based VPN, CrossRider rebranded itself as Kape Technologies.
While CrossRider’s rebrand appeared to be a common tactic by a company marking a shift in its outlook as it made its first foray into cyber security, the basis of the change was rooted in a much different motive. By the time CrossRider had acquired CyberGhost VPN, the adware programs the company designed had been exposed as hacking tools. By attaching its adware to third-party downloads, CrossRider was able to install potentially unwanted programs which attached to web browsers as spyware. Microsoft, Symantec, Malwarebytes, and other cyber security websites categorized CrossRider’s malware program Crossid as a browser hijacker that collected user information, from browser information to IP addresses, in order to monetize the data for its value in targeted ad campaigns. With the CrossRider name being attached to this malicious spyware, the company was putting its newest VPN asset in jeopardy. In order to avoid losing users of CyberGhost VPN, rebranding to Kape Technologies was a measure designed to obfuscate the company’s history as an entity producing malware programs which were antithetical to the interest of data security. The rebrand delivered the new image the company sought, and it went on to acquire additional VPN services years before its 2021 purchase of ExpressVPN. In 2018, Kape Technologies acquired Zenmate for $5.5 million and then Private Internet Access for $95 million in 2019.
With its growing portfolio, Kape Technologies had become increasingly visible. Its umbrella of ownership centralizing multiple VPNs was a red flag for many who placed value in cyber security. Under growing scrutiny, the concerning origins of the company’s founders came to light. It was revealed that Koby Menachemi, Kape Technologies’ co-founder and former CEO, began his career in information technology while serving in the Israeli Defense Forces. Menachemi worked as a developer in the Israeli Intelligence Corps under Unit 8200. That division of the IDF was responsible for collecting signal intelligence and data decryption. Its alumni are estimated to have founded over 1,000 tech startups. Companies founded by former operatives of Unit 8200 include Waze, Elbit Systems, and slews of other startups that have since been acquired by the likes of Kodak, PayPal, Facebook, and Microsoft.
In addition to its ties to thousands of companies, from startups to conglomerates, Unit 8200 has also fostered a close working relationship with the US government. In 2013, Edward Snowden disclosed leaked documents he obtained which included an agreement between the NSA and IDF. The agreement showed that the US intelligence agency would share information it collected under its domestic surveillance operations with its Israeli counterpart. The information Israeli intelligence received from the NSA included metadata and content from phone calls, under stipulations in the agreement which assured the IDF that Unit 8200 would receive the information in raw formats so that identifying information on subjects of the surveillance would not be redacted. This meant that the NSA would transmit data including names and other personal information on its surveillance targets directly to Unit 8200. Critics of the unit attested that the Israeli intelligence outfit would routinely use the data it received from the NSA by providing it to Israeli politicians as a basis for blackmailing their Palestinian counterparts. Other whistleblowers have revealed that Unit 8200’s operations have been able to disrupt Syrian air defense systems, hack Russia-based Kaspersky Lab, and outfit several Israeli embassies with clandestine surveillance systems.
By the time Kape Technologies had acquired its first VPN company, Menachemi had left his post as CEO of the company. He would go on to found his next venture, Kapai, in 2017 before leaving as its CEO in 2019. He now bills himself as the owner of Mobfox, a tech company that focuses on providing users with tools to manage their ad programs. At the time of his exit in 2016, the reason for his departure from Kape Technologies was not disclosed. Consequently, it is unclear if the revelations about his tenure as a developer in Unit 8200 had any impact on his decision to leave the company. Menachemi’s co-founder Shmueli Ahdut also left the company. Ido Erlichman has served as the CEO of Kape Technologies since immediately succeeding Menachemi, and Ari Margalit is its present CTO. Though Erlichman also had previously served in the IDF as a captain, he has no documented service in the Israeli military as a member of Unit 8200.
Despite Menachemi’s departure, Kape Technologies’ transgressions persisted. As of 2019, the malware that the company developed as CrossRider was still being deployed. Instances of those malware infections in 2019 reflected that new versions of the spyware had been developed through that year. The malware’s ongoing use directly contradicts promises made by Erlichman when he took over for Menachemi in 2016, stating that the company had transformed its operations to focus on cybersecurity and was thus abandoning its use of adware.
Additional controversy arose in May 2021, when disclosures showed that Kape Technologies had purchased the company Webselenese. That Israel-based marketing company runs the websites vpnMentor.com and Wizcase.com, which review VPN services. This put Kape Technologies in a position where it was reviewing its own products, unbeknownst to visitors of the websites. Wizcase and vpnMentor combined to have over 6 million visitors in September of 2021 alone. Since Kape Technologies’ acquisition of ExpressVPN, the company owns the top three reviewed VPNs on vpnMentor.com. Wizcase.com lists those same three Kape Technologies-owned companies as the only services included on its list of best-reviewed VPNs for Windows users, as well as its top three reviewed VPNs for iOS users. Given the innate conflict of interest these sites have in being owned by Kape Technologies, they look to serve as little more than a means to promote the VPNs that share the same ownership, with each review including links to sign up for each of the services.
Another stain tarnishing its reputation among cyber security experts emerged the day following its acquisition of ExpressVPN. On September 14, the United States Department of Justice announced that it had provided a deferred prosecution agreement to ExpressVPN CIO Daniel Gericke. The agreement, which included a $335,000 fine and the revocation of Gericke’s security clearance given to him during his time as an NSA agent, was the result of his prosecution for charges related to his involvement as a mercenary hired by the United Arab Emirates. Gericke worked as a hacker for hire under Project Raven. The UAE recruited over a dozen former US intelligence operatives as part of this operation to spy on opponents of the nation’s monarchy by deploying software capable of hacking into smartphones, similar to the Israeli-developed Pegasus hacking tool uncovered in July. Despite Gericke’s deferred prosecution agreement, ExpressVPN has stated that he will remain with the company as its CIO, citing that his background as a hacker in Project Raven conveys that he possesses the skills necessary to implement safeguards to protect the users of their service.
Kape Technologies’ monopolization of VPN services into a singular technocratic empire conveys a centralization which jeopardizes the cyber security of its users and of the Internet as a whole. Beyond that, the company’s origins highlight how deeply immersed technology companies with large market shares are with intelligence agencies both domestic and foreign. For users seeking a solution to their cyber security concerns, the visibility of these issues that Kape Technologies’ growing profile brings should serve as a forewarning against signing up for its services. The question then becomes how to find a viable alternative given the resources that governments across the world have put into assembling controlled opposition to the Orwellian security state they have constructed.