ĢTV

This is some text inside of a div block.
Glitch effect

Mommy, Does Santa Like NordVPN?

Contributors:
Special thanks to our Contributors:
Glitch effectGlitch effectGlitch effect
Glitch banner

Well, kids, let’s just say Santa’s workshop has a strict policy against being on the Naughty List. In the world of cybersecurity, that list includes some popular—but perilous—virtual private networks (VPNs) and proxies. VPNs and proxies are tools that businesses use to secure and manage online activity. A VPN encrypts internet traffic and hides the user’s IP address, creating a secure "tunnel" between the user and the internet, which is great for protecting data on public Wi-Fi or enabling remote work. Proxies, on the other hand, act as intermediaries, routing traffic through another server to mask the user’s location or bypass restrictions. A lot of businesses rely on these tools for privacy, secure remote access, and to manage network traffic. 

With ĢTV Managed Identity Threat Detection and Response (ITDR), we've uncovered a lineup of VPNs and proxies that businesses commonly use but come with more risks than rewards. Think more coal than cookies. From accepting dubious payment methods to shady logging practices, these tools could assist in identity-related holiday heists. Buckle up as we take a sleigh ride through the five riskiest VPNs and proxies (plus, a special mention) that even Santa wouldn’t trust to protect his list—let alone your business.

Why do these specific VPNs and proxies deserve a place on Santa’s Naughty List this year? Since releasing Unwanted Access—Managed ITDR’s capability that combats pervasive threats like session hijacking and credential theft—we’ve noticed a few trends when it comes to certain VPNs/proxies and correlating abuse potential. And it all comes down to hacker useability.

List of "naughty" VPNs and Proxies

NordVPN

  • NordVPN is famous. You might not have heard of many of the other VPNs on this list, but it’s almost guaranteed that you’ve heard of NordVPN. They’re everywhere—YouTube sponsorships, TV commercials, website banners, you name it.
  • Accepts a diverse range of payment methods, including cryptocurrencies. (“We also accept major credit cards, cryptocurrencies, Amazon Pay, Google Pay, Apple Pay, and many other payment methods.”) 
  • Offers one of the most robust suites of privacy features of all available VPNs, including no-log, kill switch, headquarters in privacy-friendly Panama, and advanced features like VPN chaining and Onion over VPN browsing.
  • 30-day money-back guarantee, which is pitched on their website as a 30-day free trial (e.g., sign up, try it out, cancel, request a refund, and get your money back).
  • NordVPN is a double-edged sword: analyzing our incidents reveals plenty of legit use, but we also see a fair share of criminal activity. Lots of NordVPN activity we’ve caught ended up being policy violations where small and mid-sized business (SMB) users were using a personally acquired VPN for business.

Why it’s on the Naughty List: NordVPN’s widespread popularity, acceptance of anonymous payments like cryptocurrency, and strong privacy features make it a magnet for both legitimate users and cybercriminals. We see almost equal use split between legitimate users, policy violations, and actual cybercrime. And overall, NordVPN is the highest observed VPN by volume of incidents that we see by a wide margin (about 20% of all VPN-related incidents!)

Mullvad VPN

  • Like NordVPN, Mullvad VPN offers the no-logging, kill switch, and privacy-first vibe. And they’re hyping “quantum-computing resistant tunnels,” which, frankly, we’re still trying to wrap our heads around. 
  • Offers a unique method of account creation and payment. They randomly generate account tokens when you first sign up. The tokens link to payment methods to add VPN time to an account. Ostensibly, this means account numbers cannot be tied to any individual user unless a payment method includes personally identifiable information (PII). 
  • And on the subject of payment…not only does Mullvad allow for cryptocurrency payment, but it also encourages users to mail in cash along with their account number scribbled on a piece of paper to retain complete anonymity.
  • No free trial, but it does have a 30-day money-back guarantee that could be used as one.

Why it’s on the Naughty List: Mullvad VPN gains points for its adorable mascot, but even a cute mole can’t shake the VPN provider’s propensity for shadiness. Mullvad earns its spot on the list for its extreme focus on anonymity, allowing users to mail in cash payments and generate random account tokens. While these features make it a favorite for privacy enthusiasts, it’s also a favored tool for bad actors to evade accountability. Privacy may be a universal right, but cybercrime sure isn’t.

Meson.Network Proxy

  • An enigmatic entry on the list, Meson.Network is a Web3 protocol proxy that uses blockchain technology to facilitate bandwidth trading. Its decentralized network of servers redistributes idle bandwidth to clients in exchange for mining crypto coins.
  • Basically, crypto bros across the globe run this program, adding their servers to a massive list of servers that clients can route their traffic through. In exchange for “leasing” their IP and bandwidth, they receive MSN crypto coins.
  • It doesn’t take much to figure out why cybercriminals might gravitate towards this one. With anonymized traffic and decentralized control, it’s an attractive place for anyone wanting to remain under the radar.  

Why it’s on the Naughty List: Meson.Network Proxy deserves its spot on the list because its decentralized, crypto-powered bandwidth-trading model creates an untraceable playground for cybercriminals to mask malicious activity and evade detection. Unlike other VPN providers like NordVPN, the ĢTV SOC rarely, if ever, sees legitimate use of this decentralized crypto-mining network in the SMB.

IPRoyal Proxy 

  • Unlike a VPN, this service doesn’t encrypt any traffic on its own. But if you’re looking for an IP address to bounce your traffic off, look no further!
  • Pick your poison—it offers a diverse set of options, including residential proxies, data center proxies, enterprise proxies, ISP static IP proxies, and more.  
  • Website ads lean hard into the strengths of residential proxies, complete with a set of global locations where you could ostensibly proxy your traffic. 
  • Proposed use cases include web scraping, market research, travel fare aggregation, price monitoring, and unblocking restricted websites. It also highlights the city/state targeting function as a selling point.
  • Accepted currencies include credit cards, PayPal, and a whopping “70+ cryptocurrencies.”  

Why it’s on the Naughty List: IPRoyal Proxy makes the list because of its focus on residential proxies and granular location targeting—combined with its acceptance of over 70 cryptocurrencies—which provide cybercriminals with the perfect tools to obfuscate malicious activity and bypass detection. Many Identity Providers will not scrutinize traffic that comes from a similar geolocation as the victim user, so IPRoyal makes it easy for cybercriminals to remain under the radar.

HideMyAss (HMA) VPN

  • Offers largely the same basic feature set as the others, give or take a few, so we won’t bore you with the details. But HMA stands out for two reasons: 1) its name and logo, and 2) HMA cooperated with law enforcement authorities during the . After a court order, HMA turned over details about the hacking activity, which seems antithetical to the company’s promise of anonymity and privacy.  
  • HMA has since implemented a no-logging policy (a full eight years after the incident).
  • This basically highlights the main concern with VPN providers—if you’re using them for shady activity, you better trust that all of their claims of privacy and anonymity by design are legitimate. If not, you might wake up to an FBI raid.

Why it’s on the Naughty list: HMA earns its place on the list because of its history of cooperating with law enforcement (despite promises of anonymity), which underscores the risk of relying on providers whose privacy claims might crumble under pressure. Additionally, HMA secures itself as the fourth-highest observed VPN by incident volume! Cybercriminals still love it, maybe against their better judgment.

Stocking Stuffer Special Mention: TOR

  • TOR isn’t a product, a VPN, or a proxy. It’s a protocol built from the ground up to ensure online anonymity. 
  • The protocol runs on a set of servers that span the globe. These servers are run by volunteers and act as a network of possible routes for web traffic. Traffic is encrypted three times at the origin point and then bounced between three randomly chosen servers in this web, encrypting and decrypting different levels along the way. The system is set up so that no two servers in the chain can ever know the destination, the source, and the contents of the traffic at the same time, thus ensuring anonymity and privacy.
  • Upsides: It’s completely free to use, it’s purposefully designed for anonymity and privacy, and there’s no centralized entity.
  • Downsides: Speed isn’t exactly its strong suit. It’s really slooooooow. It’s browser-based, and it doesn’t route traffic outside of the web browser by default. And even though it’s designed for privacy and anonymity, there have been

Why it’s on the Naughty List: While there are a handful of legitimate lines of work that benefit from a decentralized network of privacy-ensuring server nodes and multiple layers of encryption, your average user in the SMB really has no reason to go to such lengths in their day-to-day working life. TOR can be invaluable for those who work in journalism, political environments, or in the shadow of autocratic governments. But there’s generally no reason why your average frozen yogurt shop owner should be logging into their Outlook inbox from a TOR node.

You can create Unwanted Access rules for Expected or Unauthorized VPNs in Managed ITDR

As the snow settles on this cybersecurity sleigh ride, the takeaway is clear: not all VPNs and proxies are created equal, especially when it comes to safeguarding your business. While tools like NordVPN, Mullvad, and Meson.Network might boast shiny features, they also bring risks that could leave you exposed to more than just a frosty breeze. Whether through shady logging practices, hacker-friendly payment methods, or misuse by cybercriminals, these VPNs and proxies earned their spots on Santa’s Naughty List for 2025. 

At ĢTV, our mission is to help businesses navigate these risks with Managed ITDR, shining a light on the threats hiding in the shadows. So, this holiday season, if you’re looking to protect your business, make sure your cybersecurity strategy is on Santa’s Nice List—and not under the hacker’s tree.

Share

Sign Up for Blog Updates

Subscribe today and you’ll be the first to know when new content hits the blog.

By submitting this form, you accept our Privacy Policy
Oops! Something went wrong while submitting the form.
ĢTV at work
Cybersecurity Education
Cybersecurity Education