TorGuard has filed legal action against NordVPN following some serious allegations against the veteran VPN service provider.
The complete legal document, which consists of some 13 pages, can be found here. TorGuard is based in Florida and has submitted the lawsuit in a Florida district court.
The defendants of the lawsuit include NordVPN as well as a Canadian web hosting provider called C-7. Naturally, this makes for quite a peculiar case. We have a US-based company (TorGuard) suing a Canadian (C-7) and a Panama-based company (NordVPN).
What’s exactly going on here and what is the series of events that forced TorGuard’s hand to take legal action against the aforementioned entities?
Although this is still a developing story, I’ll summarize the case to help you get up to speed about this drama.
2018: TorGuard Suffers DDoS Attacks
In 2018, TorGuard contracted the Canadian web hosting company, C-7. The company naturally gained access to trade secrets and other confidential information on TorGuard which all entities are legally obliged to keep in the strictest confidence.
What TorGuard apparently didn’t know at the time was that C-7 was also associated with its Panamanian rival, NordVPN. Since then, NordVPN has allegedly threatened TorGuard on several occasions. TorGuard soon terminated its relationship with C-7 and has since suffered DDoS attacks on its website, leading to serious financial losses.
TorGuard claims that they now have good reason to believe that NordVPN was behind these DDoS attacks. However, what exactly these reasons or evidence are, it’s as good as anybody’s guess at this point.
A VPN service of NordVPN’s stature has a lot to lose and little to gain by engaging in such blatantly sketchy mischief. As such, it is unclear what motives NordVPN could have for causing all this turbulence.
If you’re unfamiliar with NordVPN and why it is one of the most highly-rated providers, head over to our NordVPN review for details.
2019: Uninvited guests and alleged blackmail
The events that took place in May of 2019 are described in some detail by a newly published blog on TorGuard’s official website.
In the article, TorGuard points out that the company launched a Bug Bounty program in May 2018, which welcomed security researchers to report any vulnerabilities in TorGuard’s software services, with the promise of a reward if a legitimate vulnerability was responsibly disclosed to the company.
However, what transpired in May 2019 (if we assume TorGuard’s account to be factually accurate) is quite strange.
According to the official statement:
“…We were surprised when an unknown individual showed up uninvited at a staff member’s personal residence asking to speak about the VPN industry. This same TorGuard staff member received an email on their personal email account from a competing VPN company asking to discuss the relationship between both VPN providers.”
Earlier, one of TorGuard’s affiliates, Tom Spark Reviews, published content on YouTube that was critical of NordVPN. The “unknown individual” then allegedly blackmailed TorGuard, demanding them to ask Tom Spark Reviews to take down this content or damaging information about TorGuard would be released to the public.
The disclosure contained information about vulnerabilities that TorGuard welcomed through appropriate channels in its Bug Bounty program.
NordVPN has responded to these allegations in a blog, claiming that they only informed TorGuard about vulnerabilities in one of their servers to assist TorGuard in conducting patch-up activities and prevent a potential data breach affecting the business and their customers:
“We provided the IP of the affected server without asking for anything in return so that TorGuard could patch up their vulnerability. This is despite the fact that we could have publicly published our findings as security research, and despite the fact that we have a strong basis to believe that TorGuard has been running a year-long baseless defamation campaign against our company. We hoped that after providing this vital assistance towards securing TorGuard’s infrastructure, they would also cease with their illegal defamation campaign. We informed them of our desire to set aside past differences and also of our right to take legal action if they persisted in attacking us.”
Although TorGuard has admitted that one of its servers was left open during an upgrade, the company claims that the said server has not been operational since January 2018 and thus no security risks were relevant to any customers.
Four days after the uninvited guest visited TorGuard’s staff member, the company sued NordVPN and C-7 for $75,000 on three counts:
- Violation Of Florida Computer Abuse And Data Recovery Act (CADRA)
- Violation Of Florida Uniform Trade Secrets Act (FUTSA)
- Tortious Interference With Torguard’s Business Relationships
TorGuard hasn’t offered any convincing evidence to support its allegations. The company believes that NordVPN acquired information about security vulnerabilities through their association with C-7, which was privy to trade secrets of TorGuard as a result of their past business relationship.
TorGuard blames NordVPN for using this information to conduct the DDoS attacks and alleges the same information also allowed them to discover vulnerabilities that form the basis of the blackmail.
NordVPN flatly denies these accusations, calling them “fabricated”:
“All of these accusations, and we say this with unwavering confidence, are fabricated. We can’t understand their reasoning for doing so, and we’re not sure whether this unprovoked attack was launched because TorGuard are afraid we might disclose their vulnerabilities publicly. We never planned to do so, hoping that they would patch things up as soon as we had informed them.”
Amid all the confusion, we at least have one agreement between both NordVPN and TorGuard: a vulnerability in one of TorGuard’s servers did exist.
But where NordVPN only claims to have reached out to TorGuard through appropriate channels and was acting on good faith to set aside past differences between the two VPN companies, TorGuard is alleging blackmail.
In fact, NordVPN doesn’t seem to have any knowledge about C-7, calling it an “unrelated Canadian web design company”.
As such, the role of C-7 and the truth about NordVPN’s alleged blackmail is still a bit of a mystery, and we only have TorGuard’s word for that.
Conclusion: Fact or Fiction?
The case is certainly quite bizarre and it wouldn’t be wise to venture to choose a side until the situation becomes clearer. However, conventional wisdom beckons us to consider NordVPN innocent until substantial evidence is produced by TorGuard to prove these allegations.
The conclusion of this drama can have important consequences for the future of both VPN providers since they have their reputations at stake here.
At the same time, it is also entirely possible that the whole situation will evaporate without any legal closure, and the case will get buried under the weight of forgetfulness.
We’ll let time be the judge.