Hi Vykintas, thank you for answering. I'm the GP.

First of all, I want to reiterate that I purposefully used the word "allegedly" because I have no proof. I only have a smoking gun https://archive.is/bQo0O .

Second of all, I want to explain that it is very difficult to verify any of your points.

> you can easily [...] look through the code. As you can see majority of it is open source.

Yes. This is correct, but at the time of writing this comment, the source has been made available only 9 hour ago. https://github.com/NordSecurity/nordvpn-linux

The whole thing is one giant "Initial commit" of what looks like millions of lines of code. Auditing this code will take months for single motivated person. There is little to no comments. "Just read the code" is difficult in this context. Also routing traffic through the client can be done just with 2 lines of code enabling kernel ip forwarding, and another line of code adding a nft/iptable rule to nat traffic from NordVPN to the outside world. This is looking for a needle in a haystack if this is obfuscated.

Also your Windows and MacOS clients (which are the most used by non-power-users) are not opensource, at the time of writing. So these ones could still be doing what has been alledged. This would be fine, since it's most likely most of your users.

> you can easily check it using Wireshark

This is also not that easy. If, as alleged, Oxylabs resells millions of NordVPN IPs to thousands of Oxylabs customers, you only have 1/1000 chance to be the botnet of the day. So you would need to be running Wireshark the one day out of 2½ year to see the traffic going through with Wireshark.