VPN usage has surged in the last several years, with growing concerns over data privacy and security — and sometimes completely different motivations like people wanting to access content otherwise blocked in their regions — driving an estimated 30% of all internet consumers globally to use a VPN at some point this year. Now Nord Security, the startup behind one of the bigger paid VPN providers, NordVPN, is announcing significant funding at a “unicorn” valuation to build out both its consumer and enterprise business lines to capitalize on that growth.
The company has raised $100 million in a round of funding led by Novator — the European firm that’s backed Deliveroo, Stripe and Tier, among others — with Burda Principal Investments and General Catalyst, and individuals including Ilkka Paananen of Supercell, Miki Kuusi of Wolt and Matt Mullenweg of Automattic also participating. This round values the startup at $1.6 billion.
What’s notable here is that Vilnius, Lithuania-based Nord has been bootstrapped for the last 10 years (it was founded in 2012), a state that doesn’t seem to have held back its growth. NordVPN and the other security and identity management products that Nord sells — they include the NordPass password manager, NordLocker for cloud sync and storage, NordLayer for network access for businesses and developer tools to build custom VPNs — have collectively grown to 15 million users over the years.
Alongside its organic expansion, it has also been expanding via M&A: in February Nord announced a merger with Surfshark, another security company with Lithuanian roots (and more specifically, roots to the same business and incubator where Nord Security was also hatched, Tesonet). (Lithuania is also producing some interesting companies not in the business of security and networking, such as the used-clothing marketplace Vinted, which was the country’s first startup to reach a $1 billion valuation.)
So why raise now? Tom Okman, the co-CEO and co-founder with Eimantas Sabaliauskas, told TechCrunch that it made the decision to finally bite the funding bullet to keep up with the pace of the times, while also continuing to stay on course with its mission, which might best be summarized as embracing the ideals of the open internet, but to do so in a way that protects users from those that might exploit that with more malicious intent.
“We saw the changing landscape in digital privacy… and that the open internet was not working as intended,” he said. “Our mission is to build a radically different internet by securing consumer and enterprise accounts, and network information, against cyber threats around the world.”
VPNs are often used by people to evade more restrictive internet policies (whether due to geoblocked content, or more controlling governments or something in between), or simply to keep their browsing more private, but the VPN industry hasn’t had a completely smooth ride in fulfilling those aims. Critics have decried how VPNs, specifically those advertising themselves as “free” but also some that charge for their services, do not handle users’ data responsibly and might in fact pose security risks to their users.
Some of that criticism has touched NordVPN, too. In the last three years, its name has been mentioned in connection with Russia ordering VPNs to block certain sites, a breach of one of its data centers and that some of its browser extensions don’t act as they appear to.
Asked about these events and what the impact has been on Nord, Okman said that the company has been changing over the years to address the different points, and to do better.
“We have learned our lesson and come a long way since 2019,” he said. The data center breach found that no data was compromised, he said, but it spurred the company to reconfigure its security and change how it handles data overall (the systems are now diskless, he said). Internal security teams were increased and the company now goes through regular audits, in partnership with U.S. firm Versprite.
The tussle with Russia prompted the company to pull all of its business out of the country rather than comply, and he said that the NordVPN now has very few users in the country.
Its main aim is to continue building out enterprise and consumer services as a paid offering, a business that Okman pointed out not only has seen it amass 100 patents, but a different kind of ethos to improve the product and answer to a different standard. “We prohibit any illegal activities and we define that in our terms of service,” he added. “That is the big difference, and a distinction between paid VPN and free VPN services.”
The fact that Nord had been bootstrapped and quietly building and growing also meant that it was less easy to have much visibility around how it was run, and what it did. And having a customer base that was primarily consumers also meant potentially less due diligence around how the product worked. More recently, though, Nord’s growing enterprise business, along with this latest addition of high-profile investors and a big valuation, all give the startup not just more exposure, but potentially more oversight.
“Modern internet security requires a completely new approach to address the secular growth of risks from expanding data regulations and ever-worsening cyberthreats,” said Birgir Már Ragnarsson, managing partner at Novator Ventures, in a statement. “Tom and his team are well-positioned to deliver and usher in the new era of internet security with a powerful and best-in-class suite of privacy and security tools, designed to protect information, accounts and networks. It’s rare to find a company that can already demonstrate such an excellent track record, brand credibility and unwavering focus on serving customers, so we are delighted to partner with Nord Security to support the team as they execute their vision at scale.” Ragnarsson is joining the board with this round.