Item: ExpressVPN
Rating: 68
Author: vpn.social

ExpressVPN was founded in 2009 and operates under the jurisdiction of the British Virgin Islands, which has no mandatory data retention laws. In September 2021, Kape Technologies acquired the company for $936 million — the largest VPN acquisition in history. Kape's history is central to evaluating ExpressVPN: the company operated as Crossrider from 2011 to 2018, running a platform that injected ads into browser extensions. Symantec flagged Crossrider software as malware, and Google identified it as distributing potentially unwanted applications. Kape's majority owner, Teddy Sagi, served jail time for securities fraud in the 1990s. Kape also owns CyberGhost, PIA, ZenMate, and crucially, the review sites vpnMentor and WizCase — which now rank Kape's own VPNs in their top positions.

The Daniel Gericke controversy added another layer. Hired as CIO in December 2019, Gericke had previously worked on Project Raven — a UAE government surveillance operation that targeted US citizens, foreign journalists, and human rights activists using zero-click exploits. He was fined $335,000 by the DOJ under a deferred prosecution agreement. ExpressVPN acknowledged knowing key facts before hiring him, arguing his adversarial background improved defensive security. Edward Snowden publicly questioned the company's judgment. Gericke left in July 2023.

Set against this ownership backdrop, ExpressVPN's technical security infrastructure is genuinely impressive. TrustedServer runs entirely in RAM with no hard drives — each reboot loads a fresh, cryptographically signed OS image, and servers undergo weekly upgrade cycles that wipe all prior data. This architecture has been audited by PwC (2019), Cure53 (2022), and KPMG (2022, 2023, 2025). The no-logs policy received real-world validation in 2017 when Turkish authorities seized a physical server during an assassination investigation and recovered zero user data.

The Lightway protocol, developed in-house and open-sourced on GitHub, was rewritten from C to Rust in 2025 for memory safety. Lightway Turbo, introduced the same year, uses multi-lane tunneling and kernel-level data channel offload to achieve speeds up to 1,479 Mbps on Windows — though this is currently Windows-only. Standard Lightway delivers 200-300 Mbps in independent tests, competitive but slower than NordVPN's NordLynx in most head-to-head comparisons.

Post-quantum encryption using ML-KEM (the NIST standard) is deployed by default on both Lightway and WireGuard, making ExpressVPN one of the first providers to ship PQ protection across multiple protocols. WireGuard support was added in August 2025 alongside post-quantum integration.

The server network spans 3,000+ servers across 105+ countries and 160+ locations. ExpressVPN reliably bypasses censorship in China, Iran, the UAE, Russia, and Saudi Arabia — a critical capability that many competitors lack. Streaming unblocking is consistently the strongest in the industry, with confirmed access to 20+ Netflix libraries, Disney+, Prime Video, BBC iPlayer, Hulu, HBO Max, and DAZN.

A significant security failure was the Windows split tunneling DNS leak (CVE-2024-25728), present from May 2022 through February 2024 — 21 months during which DNS requests bypassed the VPN tunnel when split tunneling was enabled. ExpressVPN estimates less than 1% of Windows users were affected. The response included two root-cause analyses, a commissioned Nettitude penetration test, and temporary disabling of split tunneling until fixed.

Pricing was restructured in September 2025 into three tiers: Basic ($2.44/month on 2-year plans, 10 connections), Advanced ($4.49/month, adds password manager and ID monitoring), and Pro ($7.49/month, adds dedicated IP). Monthly pricing remains the highest in the industry at $12.99. Payment options include credit cards, PayPal, Bitcoin, Apple Pay, and Google Pay with a 30-day money-back guarantee.

Notable absences include port forwarding (unavailable on any server), multi-hop routing, and open-source client apps — only the Lightway core library is public. Split tunneling is unavailable on iOS. These gaps are felt more sharply at ExpressVPN's premium price point.

ExpressVPN proactively removed all physical servers from India in June 2022 rather than comply with the CERT-In data retention mandate, switching to virtual servers in Singapore and the UK for Indian IP addresses. Transparency reports show 529 government requests in 2025 and 2.44 million DMCA complaints — with zero data disclosed in any case.

The company has pursued ISO 27001, 9001, and 18295 certifications, with ISO 27701 (privacy) and ISO 42001 (AI) targeted for 2026. An EventVPN free tier launched in November 2025 runs on premium infrastructure with post-quantum protection and no-logs — a notable contrast to most free VPN offerings.