NordSec's Tom Okman is working on a proof-of-concept that "might render antivirus systems useless." 

[Note: Since this article was first published in May 2020, the company has made some changes, including to its name. No longer is it NordSec (which conflicted with an established conference). Now, it's Nord Security.]

The company behind NordVPN has big plans to offer a threat protection suite, a "different kind of antivirus system," and protect your privacy at the edge of a network. But before that vision becomes reality, Nord Security, the company that counts NordVPN as its flagship, will have to win over consumers and businesses to expand. As we'll show, in February of 2022 it did, by merging with Surfshark, a rival VPN provider.

Recommends

How the top VPNs compare: Plus, should you try a free VPN?

We tested the best VPN services -- focusing on the number of servers, ability to unlock streaming services, and more -- to determine a No. 1 overall. Plus, we tell you whether free VPNs are worth trying.

Welcome to our in-depth look at the folks behind NordVPN. As the company moves into a broader range of security products, we felt it was important to understand the company's offerings and, perhaps more important, the company's background and legal foundation. After all, Nord Security co-founder Tom Okman said if he delivers on his 2025 ambition, the company "will be a global synonym of digital privacy and cybersecurity."

Today, Okman oversees one of the most popular virtual private network services globally. NordVPN protects data transmitted to and from the internet for approximately 14 million consumers. Now, the people who make NordVPN want to store and protect all your passwords, your confidential files, and want to extend NordVPN's protections to small and large businesses.

But what is NordVPN? The answer turns out to be less clear than you might expect and requires taking a short dive into VPN culture.

The VPN boom

VPNs are subject to a variety of use cases. At its core, a VPN creates a secure tunnel through which data can travel. That tunnel makes point-to-point VPNs attractive to businesses, for example, who might want to connect branch offices to their corporate network. 

But NordVPN's growth -- and the growth of the entire consumer VPN business -- is driven by two other key user classes. The first is "safe surfers," those with the desire to browse the web securely while out and about, using available Wi-Fi in places like coffee shops and airports. Public Wi-Fi is inherently dangerous, but a necessity for many users. VPNs help protect data sent through those potentially compromised networks.

The second key user class is "hiders," those who want to hide that they're using a VPN, hide their location, or hide any digital footprints they leave that might provide clues to their identity. Those who rely on these features range from people hiding their searches from abusive spouses, activists hiding their access from intrusive governments, and a wide range of sketchy individuals trying to hide illicit activity or cheat geolocation restrictions.

Also:How to find the best VPN service: Your guide to staying safe on the internet

Either way, the VPN market is huge. Statistica said the VPN market was a$23.6 billion industry in 2019 and will hit$35.73 billion in 2022. Global Market Insights puts the VPN market at$25 billion for 2019 and projects it to be north of$70 billion in 2026. 

When the consumer VPN market started to take off, it was driven heavily by the "hiders." These folks didn't want to use a service that stored their information or traffic history. They were so concerned about a potential compromise that they didn't even want to use companies that were under the jurisdiction of nations that could legally subpoena their traffic history.

It was into this environment of "VPN theatre" that NordVPN was born, back in 2012. The operators of NordVPN have long advertised that their country of jurisdiction is Panama. This is particularly appealing to the "hiders" because Panama doesn't have mandatory data retention laws. It also doesn't participate in any signals intelligence agreements between certain nations that allow for data sharing. It isn't party to either the Quadripartite Pact (better known as Five Eyes or UKUSA) or SIGINT Seniors Europe (or SSEUR, better known as Fourteen Eyes).

In other words, a big part of NordVPN's appeal was that its hider customers couldn't be touched by law enforcement or legal discovery looking into an individual's data traffic.

Here's the core question: What happens when a company caters to hiders but hopes to become a well-respected security company with a broad range of offerings beyond VPN?

Who is behind NordVPN?

The company behind NordVPN is moving from a single-product vendor to a purveyor of security solutions. When a company sells a single product, tech journalists tend to focus on the product more than the vendor. But when a company starts to grow, especially in the security space, we start to profile the company as well as the products. We want to get to know the company, understand its strategy, identify its competitive position, and so forth.

To that end, I reached out to Okman, co-founder of Nord Security. In 2020, I wrote: "NordSec, incidentally, appears to be the company's name. We'll get back to that in a moment, because ... well, it's complicated."

Okman's LinkedIn page lists him as co-founder of Nord Security since 2017 and a co-founder of Tesonet since 2008. Tesonet's about page says the company is "an incubator, a venture builder, a digital frontier specializing in all things IT."

Okman told me his co-founder is a guy named Eimantas (surname-redacted), who is both a childhood friend and a business partner. Although I requested and was provided with Eimantas' surname, Okman told me, "I had no intent to hide Eimantas' surname. Eimantas prefers not to share his surname in the article. Not that he's hiding or anything, he is available on Linkedin and anyone can find him to be a NordSec owner. He just values his privacy and chooses to stay less public."

I was provided with a link to Eimantas' LinkedIn page, which also shows him as a co-founder of Nord Security since 2017 and a co-founder of Tesonet since 2008. 
 
Both Tom Okman and Eimantas attended Vilnius University, founded in the 16th century and located in Vilnius, Lithuania. Eimantas attended from 2002 to 2006 and received a Bachelor's degree in computer science, while Tom attended from 2006 to 2011 and earned a Bachelor's in history. Okman also picked up a Master's in e-business management from Mykolas Romeris University, also in Vilnius.

NordSec, Tesonet, and Tefincom -- and Panama, Cyprus, and Lithuania

All of that brings us back to NordSec, which is the name Okman and his team chose to use going forward, at least in 2020 when I interviewed him. Think the name NordSec is familiar? NordSec is also the name of the Nordic Conference on Secure IT Systems and has been in use since 1996. When I asked Okman about the possible trademark ramifications of using "NordSec," he replied, "we have a pending trademark application, and we provide a different type of service, so we don't think there is anything that could cause a conflict." Clearly, that didn't take, because the company is now known as Nord Security.

Note that when I refer to NordSec in the following sections, it's because that's the name I used to trace these various players. As mentioned, the new name is Nord Security. When I'm using NordSec in the copy, it's referring to the company as it was promoted in 2020.

working from home

The future of business is remote

Most every organization has been thrust into the future of work. What will determine failure or success in this brave new world?

Another name that often comes up when discussing NordVPN is Tefincom S.A. Tefincom has long been credited as the Panama-based operator of NordVPN. Interestingly, there's a Dun & Bradstreet record for Tefincom, listing the company as located on the island of Cyprus -- not Panama. While there are four D&B records for NordSec, none of them are for Okman's firm.

As it turns out, Tefincom owns the US trademark, registration number 5299477, for NordVPN. While the first use of the term NordVPN dates back in the filing to September 30, 2012, the trademark was filed on October 3, 2016, and was finally registered on October 3, 2017.

So now we have three countries: Panama, Cyprus, and Lithuania, and three companies: NordSec (now Nord Security), Tefincom, and Tesonet.

It's now 2022, so let's add one more company to the mix: Surfshark. Apparently, according to a report by CNET, Surfshark founder and CEO Vytautas Kaziukonis founded Surfshark with the assistance of Tesonet. Both companies (Surfshark and Nord) swear they were separate competing entities until their merger announcement in February 2022. Like I said, it's messy. It should be noted that Nord and Surfshark both say they'll remain operating as separate businesses, with separate accounts and infrastructures. So now they're consolidated business units within the same organization, but they're still competing. Yay?

In any case, we can first try to clarify Tesonet. According to a blog post on the Tesonet site, Tom and Eimantas started the company back in 2008 to work on one project. Tesonet provides cybersecurity, machine learning, technical support, and business hosting solutions globally with about a thousand employees. As of 2017, Eimantas and Tom still appear to be involved in the company. 

There is clearly some employee cross-over between Tesonet and NordSec. According to RocketReach's profile of the company, not only are Eimantas and Tom listed as employees of Tesonet, so is my primary marketing contact at NordVPN.

So now let's look at Tefincom. According to OpenCorporates.com, it was registered in Panama on April 29, 2016. The company's three directors are listed as Marios Papaloizou, Angelos Hadjimichael, and Alina Gatsaniuk. Papaloizou is an attorney with the Christodoulides & Papaloizou & Matsas Law Firm, based in Nicosia, Cyprus. According to LinkedIn, Hadjimichael is a senior corporate consultant at CEOCORP Limited, also based in Cyprus. Gatsaniuk is listed on LinkedIn as a managing director of Globalgen Cyprus Limited.

That appears to be our connection to Cyprus. It looks like the parties listed as Tefincom's directors are all based in Cyprus, and are probably all connected to the Christodoulides & Papaloizou & Matsas Law Firm. 

This connection makes a lot of sense. Being registered in a domicile district does not necessarily mean you live and work in that location. Take all the companies in the US that incorporate in Delaware. What they do is use a Delaware registered agent and a Delaware mailing address, but operate elsewhere. Most likely, Tom and Eimantas reached out to the Cyprus-based law firm to perform the registration. That firm, in turn, most likely reached out to the Panama firm of Icaza, Gonz