Return to

NordVPN allegedly using a botnet to bypass Disney+ geolocks

Continuing the discussion from News Story Dump Thread - Stories Only:

The above medium article makes some dark accusations of the already embattled NordVPN. While I had previously made a neutral recommendation about NordVPN, I’m now placing myself strongly in the “do not use” camp, if this accusation turns out to be true.

From what I can tell, and what the article alleges, NordVPN is using a botnet of malware-infected applications to proxy traffic through random people’s home network connections, in the case of Disney+. I’m curious if this is happening for other services as well. :thonk:

Credit to @timholus for initially posting this article in the news dump thread. I just think this deserved a thread of it’s own.

1 Like

There’s no way a large corp would actually be this stupid… Right?

I refer you to every other organization that’s ever got caught doing something blatantly illegal.

I think this is strong evidence to support my thesis on the racket that is VPNs:

VPNs are not the bastions of security you think they are.

I’ll go more in-depth into this later.


I thought it was more like tor endpoints?

Not good, but not evil bot-net? but now reading the article

So, this doesn’t say anything about services that aren’t NordVPN.

But you’re kinda-correct.

Private Internet Access, for example, has dedicated servers, and whenever you check your source IP, you can see that the IP is coming from a datacenter in whatever region you chose.

To tell the truth I have hesitated placing this link for five days. On the one hand, maybe an interesting topic but on the other hand a bit cheap sensation. I didn’t want to make a noise here but I wrote my early thoughts in another forum about it five days ago. Wendell also mentioned this in NEWS so I decided to post the link at last.

If anyone is interested … but nothing interesting. :slight_smile:

Ah, I missed the news this week.

Thanks for posting it though.

i mean…

also there was a 4hour leak on d+ for some content this week and last week there was a 2hour leak for content

1 Like

However, as to this text and NordVPN, the author guesses a lot …
Techniques for recognizing and blocking VPN servers are a few. Just like the workaround for typical blacklists by vpn providers.
The concept of “Residential IPs” is a bit funny in the general sense. An IP address is simply an IP address and what final service is pinned to it has no official definition. You can create IP range lists based on belonging to specific ASNs that are considered typical data centers or similar. But this does not give a complete picture of the situation. Personally, I use an ISP that offers many services for clients. Business internet access up to 10G. Colocation in DC, dedicated servers. And all this based on one IP range belonging to one ASN.

This hits the nail on the head.

I’m not sure if they are, but the original author alleged it and the chain of logic fits.

I’m not saying for sure that it’s what’s happening, and I don’t have the technology to test this, but I don’t understand the logic behind the choice of ISPs here.

The other thing I’d like to mention is that if the author thinks this is truly a group of unsuspecting compromised consumer devices/networks, the author has violated responsible disclosure by including the IPs. Of course, it provides me with the ability to continue the research.

I think this belongs here:


The stupid part is that they did not spin that as a feature.

Everyone using NordVPN could get the same IPs. Had the author only provided the “how to”, others would gather IPs.
On the other hand, would be believe his accusations hadn’t he provided that list?


That’s true, but it’s still not a good idea to do this.

I would have tested it myself. (which would require signing up for a month)

I just ran the IPs through some tools I have. They all look residential to me. I’ve got some contacts at Cox and Comcast. I’ll see if they can tell me if those IPs are associated with residential or business.

Given the gravity of this accusation, I’m giving nord a HUUUUUUGGGGEEEE benefit of the doubt here.

Even if IP addresses are actually assigned to the home client service, for example, some asymmetrical ones, it still does not mean that NordVPN or someone else is using a hidden proxy.

Nothing prevents the company from directly or indirectly through another company or person purchasing home Internet access services in various locations and on its basis creating its dispersed network to bypass the restriction.

A few years ago, I myself personally worked on a very similar project in Europe. End point was based on a home docsis internet access service and offered 120/10. The company that was behind the project rented cheap apartments and then signed a regular contract for the provision of internet access with an ISP. A small server was then inserted into the apartments and connected to the network.
What later this project did I can’t say but it is doable. Similar solutions have been and are available on the market through several different companies.

I do not defend NordVPN or immediately condemn them. The matter should be explained thoroughly, but from the technical point of view not only the evil proxy is available here …


I wouldn’t jump at the conclusion that if they’re residential IPs, they must be using a botnet. Who knows, maybe someone is running a closet datacenter and is renting NordVPN their exit point. I don’t think random (or even cherry picked) people’s networks would be anywhere near reliable enough to provide a proper service.

I definitely wouldn’t disregard the possibility that the users of the IPs are consenting to this, but then again I don’t know how legal this is, as US laws are a mystery to me, I have zero input here in that regard. There’s a startup that is doing a similar thing, you can set up a node in your own network, and your home will be an exit node + you get paid per crypto, that’s tied to the software. Maybe NordVPN is doing a similar thing, just, you know, without the crypto. Here it is, if you’re interested to look at it.

None of us really have any idea really, and the story could be partially true only. Residential addresses may be a real thing, but malware may be a complete rumor. Or somewhere along those lines.

So more or less what I wrote. They buy an IP or a network access service. Although they claim that IP and their “voluntarily sharing,” I understand that anyone who installs nordvpn applications becomes a voluntary silent proxy?
I also wrote that this method is transmitted a marginal percentage of traffic and the main weight is still going normally as confirmed by their description.

These methods are not new as I wrote. Purchasing IP addresses is also not unusual. I used to do it once, We had servers physically located in France and we bought IP from one ISP in the USA with a properly set geo and only looking at routing you saw where these servers really are.

In general, as I mentioned a bit of sensation and witch hunting. The only thing I don’t like is this “voluntarily sharing”. If this is actually done by nordvpn applications without the knowledge and consent of the user then … You just have to first check if something is written about it in TOS. But it looks like they are using a service that another company is already providing to them for this purpose. As I said, there are a few of them on the market …

Here’s how it goes:

  1. We purchase services that provide pools of IP addresses.
  2. There are two types of pools. The first one consists of IPs purchased from ISPs directly. The second one consists of the IPs of people who have voluntarily downloaded specific applications on their devices. The sole purpose of these applications is to reward the end user for voluntarily sharing part of their bandwidth with various services. Each individual who has the app downloaded is fully aware of this purpose and receives a reward for the traffic sent and received through their device.
  3. These IPs are only used initially when forming a connection. Regular browsing data and user IPs are never sent this way.
  4. The owner of the IP address can’t see any individual identifiable personal data because no such data is ever sent.

This method is fast and allows us to bypass censorship and provide access to different services all over the world.

1 Like