We get requests for user data all the time. From DMCA complaints to police inquiries, they land in our inbox every month.
But we do not log what you do online. There is no browsing history to hand over. No connection records to trace. The data they ask for does not exist.
This report shows what came in during Q2 2025, what categories those requests fall under, and what that means for you. We have also included bug bounty results and a few security headlines worth your attention.
Legal Requests — Our Q2 Numbers
We publish this data every quarter so you can see exactly what kind of legal requests we get and why they go nowhere.
These fall into two categories:
- DMCA complaints: Sent by copyright holders who claim that one of our IP addresses was used to share protected content without permission.
- Police requests: Submitted by law enforcement agencies asking for user data linked to an IP address associated with unlawful activity.
| April | May | June | |
| DMCA Complaints | 34,545 | 35,501 | 27,841 |
| Police Requests | 0 | 2 | 0 |
We review every request, but the outcome is always the same. Our no-logs policy means we do not collect or store any information about what users do online. Our servers are built without persistent storage. They run on RAM and reset regularly, leaving no data behind. We are also under no legal obligation to retain user information. Even if compelled, we would have nothing to provide.
With that said, let’s have a look at the numbers.
DMCA Complaints
| April | May | June |
| 34,545 | 35,501 | 27,841 |
Compared to Q1, the number of DMCA complaints dropped slightly, from 105,332 in Q1 to 97,887 this quarter. That’s still tens of thousands of takedown attempts, all hitting the same wall.
These notices aim to trace an IP address back to an individual. But on our network, that link doesn’t exist. There are no logs to match. No browsing history to pull. Every single complaint ends the same way: rejected for lack of evidence.
Police Requests
| April | June | July |
| 0 | 2 | 0 |
Law enforcement agencies contacted us twice in May, each time seeking data tied to IP activity. As always, there was no user data to hand over.
What Our Bug Bounty Program Turned Up This Quarter
CyberGhost’s bug bounty program remains one of the quiet engines behind our product hardening. In Q2 2025, we received 81 submissions. Fifty-nine of those were unique, and four were verified as valid vulnerabilities.
Our triage process moves quickly. Reports are reviewed on arrival, tested for reproducibility, and escalated based on severity.
False positives, duplicates, and edge-case noise still make up the majority of reports. That’s expected. What matters is that the signal always gets through. The program keeps our engineering team on alert and our systems under constant scrutiny from people who know how to break them.
Q2 Cybersecurity in Review
Each quarter, we include a short overview of notable security incidents from around the world. These stories offer context for the privacy challenges people face today. They’re also a reminder of how quickly threats evolve.
Qilin Steps Into the Void Left by RansomHub
In April, a new ransomware name took the lead. After RansomHub’s sudden disappearance, Qilin moved quickly, launching 74 attacks in a single month. Their victims included software providers, manufacturers, and critical infrastructure across multiple continents, with the U.S. hit hardest. Investigators noted Qilin’s use of data theft before encryption, a strategy aimed at maximum leverage. It’s a fast, aggressive playbook, with just hours between compromise and full-scale lockout.
16 Billion Credentials Leak? Not Exactly
Reports in June described what looked like one of the largest data breaches ever, with 16 billion login credentials exposed. Headlines called it historic. But a closer look revealed something far less dramatic: a massive collection of pre-existing data, scraped from old breaches, infostealer logs, and credential-stuffing lists. The dataset was not the result of a fresh compromise, and none of the companies named were recently hacked. It was simply a large, newly indexed archive of information that has circulated in cybercrime circles for years.
CAPTCHA Scam Turns Routine Clicks into Malware Traps
Also in June, a phishing campaign hijacked users’ muscle memory. Disguised as a routine Cloudflare CAPTCHA screen, the scam used a fake security prompt to guide victims through a series of familiar keyboard shortcuts: Win+R, Ctrl+V, Enter. But the clipboard was already rigged. Instead of a harmless check, users launched PowerShell commands that quietly dropped malware like Stealc, Lumma, or NetSupport Manager. The domain hosting the attack dated back to 2006, helping it dodge suspicion.
Leave a comment