Surfshark shipped post-quantum encryption on WireGuard in 2026. It broke on PPPoE connections almost immediately. Then they patched it. Here is what actually went wrong, and what the whole episode tells us about where VPN post-quantum encryption stands right now.

What Surfshark actually built

The implementation uses a hybrid key exchange: Curve25519 (the standard WireGuard algorithm) layered with ML-KEM, the NIST-approved lattice-based algorithm formerly known as Kyber. The handshake runs in two steps. Curve25519 goes first. ML-KEM follows on top of it.

The hybrid logic is sound. If one algorithm is eventually broken by a quantum computer, the other still holds. You are not gambling everything on a single cryptographic primitive. NIST approved ML-KEM in 2024 after years of evaluation, so this is not some experimental algorithm someone cooked up. It is the current standard for post-quantum key encapsulation.

Surfshark says the result runs 5.8% faster than standard WireGuard, which is a genuine surprise given how much overhead post-quantum algorithms typically add. Key sizes in ML-KEM are much larger than in Curve25519, so squeezing out a speed gain on top of the added cryptographic work is not trivial. The feature shipped enabled by default on Mac, Linux, and Android. iOS and Windows are still coming.

The bug that broke residential fiber connections

PPPoE (Point-to-Point Protocol over Ethernet) is the connection method used by a large share of residential fiber subscribers, especially in Europe and Asia. It is common in Germany, France, the Netherlands, Japan, and many other markets. Not a niche protocol. Not a legacy edge case.

When Surfshark’s post-quantum handshake ran over PPPoE, users found they could only load small unencrypted HTTP pages. Anything larger failed. HTTPS sites timed out. Real browsing was basically impossible.

TechRadar investigated, collected technical data, and shared it directly with Surfshark. The root cause was packet size. ML-KEM produces much larger key exchange messages than Curve25519. PPPoE has a lower MTU (Maximum Transmission Unit) than standard Ethernet, meaning the largest packet it can carry without fragmenting or dropping it is smaller. Surfshark’s PQE handshake packets were simply too large for PPPoE to handle cleanly. The fragmentation logic either failed or was never accounted for, and the connection would partially establish, then stall.
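
The size arithmetic behind this kind of failure, as an added example (not Surfshark's or TechRadar's code). The ML-KEM sizes come from FIPS 203 and the 8-byte PPPoE overhead from RFC 2516; the parameter set, one KEM message per UDP datagram, the IPv4 outer header and the Don't Fragment flag are assumptions, because the page does not state how Surfshark frames its handshake.

```python
import math

# Ethernet MTU is 1500. PPPoE adds a 6-byte header plus a 2-byte PPP
# protocol ID inside the Ethernet frame, leaving 1492 (RFC 2516).
ETHERNET_MTU = 1500
PPPOE_MTU = 1492
IPV4_HEADER = 20  # assumption: IPv4 outer header without options
UDP_HEADER = 8

# ML-KEM (encapsulation key, ciphertext) sizes in bytes, from FIPS 203.
ML_KEM_SIZES = {
    "ML-KEM-512": (800, 768),
    "ML-KEM-768": (1184, 1088),
    "ML-KEM-1024": (1568, 1568),
}

def max_udp_payload(link_mtu):
    """Largest UDP payload that fits one unfragmented IPv4 packet."""
    return link_mtu - IPV4_HEADER - UDP_HEADER

def ipv4_fragments(udp_payload, link_mtu):
    """Number of IPv4 packets needed to carry one UDP datagram."""
    ip_payload = UDP_HEADER + udp_payload
    if ip_payload <= link_mtu - IPV4_HEADER:
        return 1
    # Every fragment except the last must carry a multiple of 8 bytes.
    per_fragment = (link_mtu - IPV4_HEADER) // 8 * 8
    return math.ceil(ip_payload / per_fragment)

def delivery(udp_payload, link_mtu, dont_fragment=True):
    """Outcome on the link: fits, fragmented, or dropped when DF is set."""
    n = ipv4_fragments(udp_payload, link_mtu)
    if n == 1:
        return "fits"
    return "dropped (DF set)" if dont_fragment else f"fragmented x{n}"

def report(framing_overhead=0, dont_fragment=True):
    """One row per KEM message; framing_overhead is a hypothetical wrapper size."""
    rows = []
    for name, (ek, ct) in ML_KEM_SIZES.items():
        for label, size in (("encapsulation key", ek), ("ciphertext", ct)):
            p = size + framing_overhead
            rows.append((name, label, p, delivery(p, ETHERNET_MTU, dont_fragment),
                         delivery(p, PPPOE_MTU, dont_fragment)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("{:<12} {:<18} {:>5}  eth: {:<17} pppoe: {}".format(*row))
    full = max_udp_payload(ETHERNET_MTU)  # constructed: sized for a 1500-byte link
    print(full, delivery(full, ETHERNET_MTU), delivery(full, PPPOE_MTU))
```

The last line is the case that separates the two link types: a datagram sized to exactly fill a 1500-byte Ethernet packet is 8 bytes too large for PPPoE.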

Surfshark released the fix in version 4.27.1. The patch handled packet sizing correctly for PPPoE environments.

That is a reasonably fast response once the problem was documented and escalated. But it should have been caught before launch. PPPoE is used by tens of millions of home internet subscribers. Testing against it is basic QA for a feature that ships enabled by default.

Why “harvest now, decrypt later” is not theoretical

Some people treat post-quantum encryption as premature. The threat sounds distant: quantum computers powerful enough to break current encryption do not exist yet. So why rush?

That framing gets the timeline wrong.

The actual threat model works like this. State-level adversaries collect and store encrypted internet traffic today. Bulk collection programs targeting internet infrastructure are well-documented; this is not speculation. The collected data sits in storage. When a cryptographically relevant quantum computer eventually exists, they run decryption against the archived traffic retroactively. VPN tunnels encrypted in 2026 could be readable in 2032 or 2036.

The window for exposure is already open. It opened years ago.

If sensitive communications, financial data, corporate secrets, or anything else worth protecting has traveled through a VPN tunnel in the last several years, it is potentially sitting in someone’s database waiting for the hardware to catch up. The timeline for quantum computers capable of breaking RSA-2048 or standard elliptic curve cryptography keeps shortening. Estimates vary, but credible researchers are no longer talking about “decades away.”

This is exactly why NIST spent eight years running a post-quantum cryptography standardization process before settling on ML-KEM and related algorithms. The cryptography community understood the harvest-now risk well before the general public did.

This is also why Mullvad started integrating post-quantum key exchange back in 2023. They were methodical, rolled it out incrementally across their infrastructure, and did not break anyone’s connection in the process. That contrast with Surfshark’s launch is worth sitting with.

Who has PQE right now (June 2026)

VPNs with post-quantum encryption live:

  • Mullvad (since 2023, careful incremental rollout)
  • Windscribe
  • NordVPN
  • ExpressVPN
  • PureVPN
  • Surfshark (version 4.27.1, PPPoE bug fixed)

VPNs without it yet:

  • ProtonVPN
  • PIA (Private Internet Access)
  • CyberGhost
  • IPVanish

ProtonVPN is notably absent from the first list given how strong their privacy reputation is. Some of the missing names have PQE on their roadmap. None have shipped it as of this writing.

NordVPN has post-quantum encryption live and has generally handled security feature rollouts without the kind of launch-day breakage Surfshark ran into. It is worth considering if PQE is part of your decision.

What Surfshark’s broken launch actually reveals

The honest read here is that the launch was rushed.

A connection protocol used by tens of millions of residential subscribers broke on day one. It took external investigation from TechRadar to surface the technical detail publicly. That is not a small thing. Surfshark did not catch this internally, and users running PPPoE connections had a functionally broken VPN on a feature that was enabled by default.

They fixed it quickly once the problem was documented and escalated, and that counts for something. Responsiveness to external research is better than going dark or dismissing the problem. But “we fixed it after a journalist investigated” is not the same as “we tested it properly before shipping.”

Mullvad’s approach was different in almost every respect. They did not announce PQE with a press release while it was still broken. They built it, tested it against real connection types, and shipped it quietly. Users found it. It worked. That is the less exciting story, which is exactly the point.

The underlying cryptography in Surfshark’s implementation is not in question. ML-KEM layered over Curve25519 is the correct architecture. The PPPoE issue was a protocol handling bug, not a flaw in the encryption itself. Your data was not more exposed because of this bug; your connection just did not work. Those are different problems, and the distinction matters.

Still, for a feature marketed as protecting against future quantum threats, not testing it against a common residential connection type is a gap that is hard to explain away.

Does PQE matter for your VPN choice in 2026?

It depends on what you actually use a VPN for.

If your threat model includes journalism, legal work, corporate communications, financial data, or activism in a country with an active surveillance infrastructure, post-quantum encryption matters now. Not in five years. Not when quantum computers make the news. The traffic you send today is the traffic that gets decrypted retroactively later.

The harvest-now window is already open. Anyone sending sensitive data through a VPN and not using one with PQE is essentially betting that their adversary is not collecting traffic, or that quantum decryption will never arrive. Both are bets worth reconsidering.

If you primarily use a VPN for streaming or casual privacy on public Wi-Fi, PQE is not your immediate priority. Fair enough. But when the feature costs nothing and the VPN has it anyway, there is no reason not to use it.

The providers who implemented PQE carefully and early are also telling you something about their security culture. That signal is worth weighting when you compare otherwise similar services.

NordVPN has PQE live across its infrastructure. If this matters to your use case, it is a straightforward option that does not require you to trust a rushed implementation.

Sources: TechRadar, Tom’s Guide, Surfshark official blog.

Our verdict

Surfshark’s post-quantum encryption is technically solid now that the PPPoE bug is patched. The underlying hybrid approach (Curve25519 plus ML-KEM) is the right architecture, and the 5.8% speed gain over standard WireGuard is a bonus nobody expected. The broken launch was a QA failure, not a cryptography failure. That distinction matters. If you are already on Surfshark and updated to 4.27.1, your PQE coverage is real. If you are shopping for a VPN where PQE is a priority, Mullvad remains the most careful implementation in the market, and NordVPN is a reliable option with the feature live today and no launch-day disasters on record.