The claims centre around a Canadian hosting company called C-7 which used to provide hosting services to TorGuard.
C-7 and NordVPN v TorGuard
According to the filing, TorGuard believes that NordVPN either purchased or in some other way gained control of C-7 before their contract began.
Nothing especially unusual in that, you might think. But it is what TorGuard believes NordVPN has been using C-7 for which really raises eyebrows.
TorGuard worked with C-7 in 2018 and, during the course of the arrangement, TorGuard claims C-7 had access to various confidential information and trade secrets relevant to their business. They state that they did not know of C-7’s link to NordVPN when signing up to work with them.
The filing states that C-7’s Chief Technology Officer told TorGuard that he had a “direct relationship” with the owners of NordVPN. This individual is also claimed to have approached TorGuard over purchasing their business.
In the court filing, TorGuard claims that NordVPN has been using that company to access confidential and trade secret business information about TorGuard.
No concrete evidence to support these claims is provided in the court filing. That in itself is not unusual though as evidence is more likely to be presented in court than at this stage of the proceedings.
Serious blackmail and hacking allegations
Furthermore, TorGuard alleges that NordVPN then used this information to blackmail them, threatening to release it unless they forced an unnamed third party to stop publishing criticisms of NordVPN’s business practices. They state that “this threat was brazen and involved in-person intimidation tactics by foreign actors.”
According to TorGuard, this is not the first time NordVPN have threatened them.
They also allege that, under the guise of “General Counsel Legal Affairs Tefincom S.A.”, which appears to be a reference to NordVPN’s owners, they carried out a distributed denial of service (DDoS) attack against TorGuard in an effort to stop them doing business.
They claim that the first DDoS attack took place on Good Friday. Further attacks are alleged to have happened at regular intervals since and to have caused TorGuard “significant economic and reputational damage.”
The attacks are supposed to have cost TorGuard the business of “hundreds” of potential customers. The court filing states that the root cause of the DDoS attack was information that could only have come from C-7.
It also clearly states that NordVPN has “routinely, and systematically, targeted and threatened TorGuard.”
Allegations and evidence
They do, however, state that this claim is based on “information and belief” and again no significant evidence is provided to back up the claim.
There is, however, some anecdotal evidence provided. TorGuard cites an email from an anonymous firstname.lastname@example.org account which was received in 2018 and which demanded TorGuard take certain unspecified actions and threatened legal action if they did not.
They also reference an instant message conversation between employees of TorGuard and NordVPN in which the NordVPN staffer claimed their customer numbers had dwindled and blamed critical YouTube posts by TorGuard for this.
This conversation is then alleged to have developed into a full-blown blackmail attempt. Further details are provided, but the filing offers no clear evidence of the conversation or of who participated in it.
After this article was first published, NordVPN provided us with a statement:
We are aware of the lawsuit, although it is rather difficult to take it seriously. All accusations are entirely made up. TorGuard (although probably by mistake) even filed a lawsuit against some Canadian web design company which we never heard about.
We received information that led us to finding a TorGuard server configuration file available on the internet. We then noticed that one of their servers was left completely unprotected and publicly accessible for anyone. It contained private keys, scripts, and a number of other extremely sensitive pieces of information, which, if misused, could have caused TorGuard and their customers some serious harm.
We disclosed the vulnerability to them with the best intentions. It is a normal practice and just the right thing to do, but they decided to file a lawsuit for blackmail. We didn’t even want to make it public.
What happens now?
In bringing the case, TorGuard is claiming US$75,000 in damages for what they claim is NordVPN’s breach of Florida’s Uniform Trade Secrets Act (FUTSA), Florida’s Computer Abuse and Data Recovery Act (CADRA), and for their interference in TorGuard’s contractual and prospective business relationships.
The case was filed on May 24th 2019 and TorGuard are insisting that it should be heard by a jury.
It will be heard in Florida despite the fact that it involves two defendants headquartered in Panama and Canada. TorGuard is based in Florida and, under that state’s law, their courts have the right to claim diversity jurisdiction.
It seems highly likely that NordVPN will not want that to happen and their lawyers are bound to attempt to have the case struck out.
Even if it does proceed, it seems likely that the case will drag on for many years of cases and appeals before it is finally resolved.
On the basis of what we have seen so far, we are not inclined to raise concerns about NordVPN to our readers at present given the absence of any clear evidence to back up the allegations made by TorGuard.
We will, however, be keeping a close eye on proceedings and if the allegations made against them are found to be proven, this is something we may have to reconsider.
Disclosure: VPNCompare has affiliate relationships with both NordVPN and TorGuard.