Hey, Vykintas from NordVPN here. By going open source we are trying to be more open. NordVPN customers aren't used as botnets to resell traffic and you can easily check it using Wireshark as well as look through the code. As you can see majority of it is open source. If you have any questions - shoot them and I can try and answer them. Otherwise - please don't spread information without proper investigation.
First of all, I want to reiterate that I purposefully used the word "allegedly" because I have no proof. I only have a smoking gun https://archive.is/bQo0O .
Second of all, I want to explain that it is very difficult to verify any of your points.
> you can easily [...] look through the code. As you can see majority of it is open source.
The whole thing is one giant "Initial commit" of what looks like millions of lines of code. Auditing this code will take months for single motivated person. There is little to no comments. "Just read the code" is difficult in this context. Also routing traffic through the client can be done just with 2 lines of code enabling kernel ip forwarding, and another line of code adding a nft/iptable rule to nat traffic from NordVPN to the outside world. This is looking for a needle in a haystack if this is obfuscated.
Also your Windows and MacOS clients (which are the most used by non-power-users) are not opensource, at the time of writing. So these ones could still be doing what has been alledged. This would be fine, since it's most likely most of your users.
> you can easily check it using Wireshark
This is also not that easy. If, as alleged, Oxylabs resells millions of NordVPN IPs to thousands of Oxylabs customers, you only have 1/1000 chance to be the botnet of the day. So you would need to be running Wireshark the one day out of 2½ year to see the traffic going through with Wireshark.