Mullvad VPN is widely regarded as one of the most privacy-respecting VPN providers on the market. It's been recommended by Edward Snowden, independent auditors have verified its no-logging claims, and its fixed monthly price and anonymous signup (no email required, Bitcoin/Monero/cash accepted) set a gold standard for privacy commitment.
But a new analysis by security researcher tmctmt reveals a subtle flaw in how Mullvad assigns exit IPs — one that could allow a determined adversary to fingerprint Mullvad users with >99% accuracy simply by observing which IP addresses they connect from over time. The research was published on HN and quickly hit the front page.
This doesn't mean Mullvad is snake oil. But it's a powerful reminder that no privacy tool is perfect, and understanding real-world attack surfaces is the first step toward meaningful defense.
How Mullvad Assigns Exit IPs
Unlike most VPN providers that cram thousands of users onto a single shared IP, Mullvad gives each user a unique exit IP per server. With roughly 578 servers (compared to ProtonVPN's 20,000+), this vertical scaling approach prevents IP blocks and rate limits from affecting all users.
The exit IP you receive is deterministically mapped to your WireGuard public key. Mullvad rotates keys every 1 to 30 days by default (only if you use the official client — third-party clients don't rotate at all). This means the same exit IP pattern persists across sessions until your key changes.
Key insight: Mullvad's exit IP mapping uses a seed-based pseudorandom number generator (PRNG). Your WireGuard key determines the seed, and the PRNG picks an IP position within each server's pool. But because the underlying RNG's first random float is always the same regardless of the pool size, the proportional position (e.g., "81st percentile") is consistent across all servers.
The Fingerprinting Vector: How It Works
The researcher tested 9 Mullvad servers across different locations (Australia, Chile, Germany, Denmark, Finland, US West Coast, US East Coast, US San Jose, South Africa) by cycling through 3,650 different WireGuard public keys. Each server has a small exit IP pool — as few as 8 IPs (Berlin) and at most 91 (Los Angeles).
In theory, with 8.2 trillion possible IP combinations across these servers, every user should get a unique set. But in practice, the researcher found only 284 distinct IP combinations — because the RNG assigns the same proportional position in each pool, not independent random positions.
Here's a minimal Rust reproduction of the effect (Rust being Mullvad's backend language; this uses the rand 0.9 API, where gen_range was renamed random_range):

```rust
use rand::rngs::StdRng;
use rand::{Rng, SeedableRng};

fn main() {
    let seed = 12345;
    for bound in 10..100 {
        // Reseed with the same seed every time, as a fresh key lookup would
        let mut rng = StdRng::seed_from_u64(seed);
        let number = rng.random_range(0..bound);
        let ratio = number as f64 / bound as f64;
        // Every iteration: (up to rounding) the same ratio emerges, whatever the bound
        println!("bound={bound} number={number} ratio={ratio:.3}");
    }
}
```
The PRNG's output stream is unaffected by the bound parameter: each call to random_range first draws the same floating-point value, then scales it to the bound. This means that if you're at the 81st percentile in one server's IP pool, you'll be at the 81st percentile in every server's IP pool.
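To make the consequence concrete, here is an added simulation (not Mullvad's code and not the researcher's tool) that contrasts the shared-seed assignment described above with a hypothetical per-server seed derivation, then repeats the researcher's distinct-combination count over 3,650 keys. It assumes a splitmix64 stand-in for StdRng (only the "first output is a fixed function of the seed" property matters) and constructed pool sizes, of which only 8 and 91 come from the page.

```rust
use std::collections::HashSet;
// splitmix64 stands in for StdRng: all that matters is that the first output
// is a fixed function of the seed (assumption: true of both PRNGs).
fn splitmix64(state: &mut u64) -> u64 {
    *state = state.wrapping_add(0x9E37_79B9_7F4A_7C15);
    let mut z = *state;
    z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
    z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
    z ^ (z >> 31)
}
// Widening multiply, the shape of rand's uniform integer sampling:
// position = floor(word / 2^64 * bound), i.e. a proportional slot in the pool.
fn scale(word: u64, bound: u64) -> u64 {
    ((word as u128 * bound as u128) >> 64) as u64
}
// Flawed design: one seed per key, fresh RNG per server, so the same first
// word is scaled into every pool and the proportional position repeats.
fn assign_shared_seed(key_seed: u64, pool_sizes: &[u64]) -> Vec<u64> {
    pool_sizes.iter().map(|&n| {
        let mut state = key_seed;
        scale(splitmix64(&mut state), n)
    }).collect()
}
// Hardened design (hypothetical, not something Mullvad has shipped): mix the
// server identity into the seed so each pool gets an independent draw.
fn assign_per_server_seed(key_seed: u64, pool_sizes: &[u64]) -> Vec<u64> {
    pool_sizes.iter().enumerate().map(|(server, &n)| {
        let mut state = key_seed ^ (server as u64 + 1).wrapping_mul(0xD6E8_FEB8_6659_FD93);
        scale(splitmix64(&mut state), n)
    }).collect()
}
// The researcher's measurement: cycle through `keys` keys, count distinct combinations.
fn distinct_combinations(keys: u64, pool_sizes: &[u64], per_server: bool) -> usize {
    let mut seen = HashSet::new();
    for k in 0..keys {
        let mut state = k + 1; // constructed stand-in for a hashed WireGuard key
        let key_seed = splitmix64(&mut state);
        seen.insert(if per_server { assign_per_server_seed(key_seed, pool_sizes) }
                    else { assign_shared_seed(key_seed, pool_sizes) });
    }
    seen.len()
}
// Pool sizes are constructed; only 8 (Berlin) and 91 (Los Angeles) are from the page.
const POOLS: [u64; 9] = [8, 12, 16, 24, 32, 40, 48, 64, 91];

fn main() {
    println!("shared seed:     {}", distinct_combinations(3650, &POOLS, false));
    println!("per-server seed: {}", distinct_combinations(3650, &POOLS, true));
}
```

With a shared seed the number of distinct combinations can never exceed the sum of the pool sizes (here 335), regardless of how many keys you cycle through; with per-server seeds it tracks the number of keys.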
What This Means for Privacy
If an adversary can observe your exit IPs across multiple servers (e.g., through forum IP logs, data breaches, or judicial requests to websites), they can calculate the proportional position and link those connections to the same Mullvad user.
The researcher built a tool that narrows down the seed float to a range of ~0.0034 (0.34% of users), meaning approximately 340 users out of an estimated 100,000 active Mullvad users share the same IP combination. In practice, with information from just 2-3 servers, the accuracy exceeds 99%.
Real-world scenario: A forum moderator suspects a new account is a sockpuppet of a banned user. Both accounts used Mullvad but connected through different servers. The IP logs from both accounts show overlapping float ranges (e.g., 0.4334-0.4428 and 0.4358-0.4423) — giving the moderator >99% certainty they're the same person.
Comparison: How Other VPNs Handle Exit IPs
ProtonVPN
ProtonVPN takes the opposite approach: it assigns huge numbers of users to very few shared IPs. With 20,000+ servers, each individual server's IP is heavily shared. This means you can't fingerprint a user based on which IP they're assigned (since thousands share the same one). The trade-off is that these IPs are more likely to be flagged by anti-abuse systems and blocked by websites.
IVPN
IVPN offers a middle ground: users can choose between standard shared IPs (good for general privacy, harder to fingerprint) and a dedicated IP add-on (better for site compatibility, worse for fingerprinting). IVPN also supports multi-hop connections that chain through two servers, making IP-based correlation attacks much harder. Additionally, IVPN allows WireGuard key rotation at any time.
Mullvad
Mullvad's approach — unique per-user exit IPs per server — is a best-effort compromise. The intent is good (preventing IP abuse from affecting everyone), but the RNG implementation creates an unintended fingerprinting surface. Mullvad has been transparent about the deterministic assignment (it's documented in their GitHub issue tracker), but the cross-server correlation was an implementation detail that had gone unnoticed.
| Feature | Mullvad | ProtonVPN | IVPN |
|---|---|---|---|
| Exit IP assignment | Unique per user per server | Shared by thousands | Shared or dedicated IP |
| Cross-server fingerprinting risk | High (deterministic RNG) | Low (IPs are shared) | Low (shared IP default) |
| Key rotation | Every 1-30 days (client) | Automatic per session | User-initiated anytime |
| Multi-hop support | Via SOCKS5 proxy | Secure Core | Built-in multi-hop |
| Site compatibility | Better (diverse IPs) | Worse (shared IPs blocked) | Good (dedicated IP option) |
| Open source audit | Independently audited | Independently audited | Independently audited |
Practical Implications for Users
Let's be clear: this vulnerability does not break Mullvad's fundamental privacy guarantees. Your ISP still cannot see your traffic. The VPN provider still cannot log your activity. Websites still cannot see your real IP address.
The risk is specifically about linkability — if someone can observe your exit IPs from multiple different servers, they can determine those connections belong to the same person. This matters most for:
- Journalists and activists who connect to different services through different Mullvad servers
- Sockpuppet accounts — forum operators and SOC teams can link accounts using IP logs
- Long-term pattern analysis — when data breaches leak IP logs, matching Mullvad IP patterns becomes possible
- Torrent users who switch between servers for different swarms
Mitigation Strategies
You can continue using Mullvad safely. Here's how to close this fingerprinting vector:
1. Rotate Your WireGuard Key Regularly
The simplest fix: log out of the Mullvad app and log back in. This generates a new WireGuard key, which produces a completely different exit IP combination. Do this before switching to a sensitive activity, or set up a routine (e.g., weekly rotation). If using a third-party WireGuard client, you won't get automatic key rotation — you'll need to generate new keys manually.
2. Avoid Switching Servers Unnecessarily
Each new server connection reveals another data point in your IP fingerprint. If you're engaged in sensitive work, stick to one server per session. Avoid the temptation to hop between countries unless necessary.
3. Use Mullvad's Bridges and Obfuscation
Mullvad offers obfuscation protocols (including Shadowsocks-based bridges) that wrap your VPN traffic in another layer. While designed to bypass deep packet inspection and censorship, this also adds a layer of indirection that can complicate correlation attempts.
4. Multi-Hop VPN
Chain your VPN connection through two providers. For example, connect to any VPN provider first, then tunnel through Mullvad. This breaks the IP correlation because the intermediate VPN provides a different observable endpoint. Services like IVPN offer native multi-hop; with Mullvad, you can achieve this by routing through a SOCKS5 proxy.
5. Tor over VPN
For maximum anonymity, route your traffic through Mullvad and then through the Tor network (or vice versa). This combines the benefits of a VPN (IP change, encryption against your ISP) with Tor's multi-hop routing and resistance to traffic analysis. Be aware: this approach is slower, and some services block Tor exit nodes.
6. Consider Alternative VPNs for Certain Use Cases
If your threat model specifically involves hiding multiple online identities from a well-resourced adversary, ProtonVPN's shared IP model or IVPN's multi-hop + shared IP approach may be a better fit.
Why VPNs Are Not Snake Oil
It's easy to read research like this and conclude "VPNs don't work." But that's the wrong takeaway. The finding here is not that Mullvad is compromised or malicious. It's a technical artifact of a well-intentioned design — and one that can be mitigated.
- VPNs still encrypt your traffic from your ISP — your ISP cannot see what websites you visit or what you download
- VPNs still prevent IP-based geolocation — your real IP is not exposed to visited websites
- VPNs still present websites with an IP other than your home one — you get different treatment than your home IP would
- Audited no-log VPNs still guarantee that your connection history isn't stored
The real lesson is about defense in depth. No single privacy tool covers every attack surface. A VPN + Tor + good operational security (regular key rotation, distinct personas for different activities) is far stronger than a VPN alone — but even just a VPN is dramatically better than no VPN against most threats.
The privacy stack is not a single tool — it's a layered approach. The fact that Mullvad has a subtle fingerprinting vector does not invalidate the thousands of threat models where a VPN is the right solution. Know your adversary, know your tool's limits, and layer accordingly.
Conclusion
The research on Mullvad exit IP fingerprinting is a valuable contribution to understanding real-world VPN privacy. It doesn't reveal a backdoor, a logging scandal, or a government compromise. What it reveals is a subtle implementation detail with real consequences for a specific attack scenario: cross-server correlation.
For the average Mullvad user — someone who wants to prevent their ISP from seeing their browsing, bypass geoblocks, or get slightly better privacy on public WiFi — this finding changes very little. Your threat model doesn't include a well-resourced entity with access to IP logs across multiple servers.
For the privacy-conscious user — journalists, activists, security researchers, privacy hobbyists — the fix is simple: rotate your key before sensitive work, minimize server switching, and consider layering with Tor or multi-hop configurations.
Mullvad remains one of the best privacy-first VPNs available. This research doesn't change that. It just reminds us that privacy is not a purchase — it's a practice.