Mullvad VPN is under fire after a researcher pointed out that its exit IP behavior may make users easier to track than they probably expect.

The issue comes from how Mullvad assigns public “exit” IPs to people using its WireGuard connections. Instead of picking them randomly every time, the exit IP is tied to a user’s WireGuard key in a way that repeats the same pattern across servers. This matters because anyone who logs a person’s exit IP from two or three different Mullvad servers can dramatically narrow down which specific user it is.

The researcher, who runs the blog tmctmt, tested this by cycling through thousands of keys and mapping which IPs came back from nine different Mullvad servers. He found that, despite the theoretical possibility of trillions of combinations, all the keys he tested ended up in just 284 distinct IP patterns.

In practice, that can make it fairly easy to correlate accounts across different servers, at least according to his estimator tool, which guesses the internal “seed” value that Mullvad’s system uses.

For example, someone with access to a forum’s or site’s logs could take the IPs from a banned user and a new account, plug them into this tool, and still hit over 99% confidence that they belong to the same person.
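To see why a seed reused across servers collapses the space of exit patterns, here is an added toy model (not the researcher's tool and not Mullvad's code). The pool sizes, keys and both assignment functions are constructed assumptions; the per-server variant is a hypothetical alternative, not the patch Mullvad is testing.

```python
import hashlib

# Constructed exit-pool sizes for nine hypothetical servers (not real Mullvad data).
POOLS = [16, 24, 32, 20, 28, 36, 40, 48, 12]
# Constructed stand-ins for WireGuard public keys.
KEYS = [f"constructed-key-{i}".encode() for i in range(5000)]

def _u48(data: bytes) -> int:
    """First 48 bits of SHA-256, used as a deterministic pseudo-random value."""
    return int.from_bytes(hashlib.sha256(data).digest()[:6], "big")

def shared_seed_exits(key: bytes) -> tuple:
    """Assumed model of the reported behaviour: one per-key seed in [0, 1)
    is scaled to every server's pool, so positions repeat across servers."""
    seed = _u48(key) / 2**48
    return tuple(int(seed * n) for n in POOLS)

def per_server_exits(key: bytes) -> tuple:
    """Hypothetical alternative: the index is derived per (key, server)."""
    return tuple(_u48(key + bytes([i])) % n for i, n in enumerate(POOLS))

def distinct_patterns(assign) -> int:
    """Number of different nine-server exit tuples seen across all keys."""
    return len({assign(k) for k in KEYS})

def avg_candidates(assign, a: int, b: int) -> float:
    """Average number of exits on server b that co-occur with one exit on
    server a; a low value means server a's exit predicts server b's."""
    seen = {}
    for k in KEYS:
        exits = assign(k)
        seen.setdefault(exits[a], set()).add(exits[b])
    return sum(len(v) for v in seen.values()) / len(seen)

if __name__ == "__main__":
    for name, fn in [("shared seed", shared_seed_exits),
                     ("per server", per_server_exits)]:
        print(f"{name}: {distinct_patterns(fn)} patterns; one exit on server 0 "
              f"leaves {avg_candidates(fn, 0, 1):.1f} of {POOLS[1]} exits on server 1")
```

In the shared-seed model the number of patterns is bounded by the sum of the pool sizes rather than their product, which is the kind of collapse the researcher reported.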

Mullvad’s co‑CEO and co‑founder has weighed in on the situation, acknowledging that some of the behavior is intended and some is not. He also said the team is already testing a patch on a subset of its infrastructure and asked future security researchers to at least notify Mullvad before publishing findings.


The company’s help page notes that its WireGuard key normally rotates every few days, which can mitigate the risk a bit if users let that happen. But the researcher’s advice is straightforward: avoid switching servers too often within a single key cycle and periodically force a key refresh by logging out of the Mullvad app.


For many everyday users, this will not change life overnight. But for anyone who relies on Mullvad thinking they’re “fully anonymous,” this looks like another reminder that VPNs are more about hiding traffic from the ISP than guaranteeing total invisibility.


Dwayne Cubbins