Mullvad VPN Exit IPs Create Unexpected User Fingerprinting Risk
Original: Mullvad exit IPs are surprisingly identifying
Why This Matters
Reveals unexpected privacy vulnerability in major VPN service design
A security researcher found that Mullvad VPN's exit IP assignment system creates a fingerprinting vulnerability. Analysis of 3,650 public keys across 9 servers revealed only 284 possible IP combinations instead of the expected 8.2 trillion, enabling potential user identification.
A researcher found that Mullvad VPN's exit IP assignment system poses an unexpected privacy risk. Despite there being over 8.2 trillion possible exit IP combinations across the tested servers, analysis revealed that only 284 combinations are actually assigned to users. The system deterministically assigns exit IPs based on WireGuard public keys, using what appears to be seed-based random number generation. Each server assigns the IP at the same percentile position within its own pool, so servers with identical pool sizes produce identical IP indexes. This behavior suggests Mullvad uses the public key as a seed for IP selection, creating a fingerprinting vector that could potentially identify users across different servers despite the VPN's privacy intentions.
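The collapse from trillions of combinations to a few hundred follows directly from the shared-percentile behavior described above. The following model is an added example, not code from the researcher or from Mullvad: it generalizes the observation by counting how many index combinations are reachable when one percentile drives every server. The pool sizes, key bytes, function names and the use of Python's `random` module as the seeded generator are assumptions made for illustration.

```python
import random
from fractions import Fraction
from math import prod

# Constructed pool sizes (exit IPs per server); not Mullvad's real values.
POOLS = {"srv-a": 4, "srv-b": 6, "srv-c": 4}


def exit_indexes(public_key: bytes, pools: dict) -> dict:
    """Model of the described behaviour: seed a PRNG with the key, draw one
    percentile u in [0, 1), and reuse the same u on every server."""
    u = random.Random(public_key).random()
    return {name: min(int(u * size), size - 1) for name, size in pools.items()}


def independent_combinations(pools: dict) -> int:
    """Combinations available if each server picked its index independently."""
    return prod(pools.values())


def shared_percentile_combinations(pools: dict) -> int:
    """Combinations reachable when one percentile drives every server.

    The index tuple changes only when u crosses a boundary k/size, so the
    count equals the number of distinct boundaries: at most the sum of the
    pool sizes, never their product."""
    return len({Fraction(k, size) for size in pools.values() for k in range(size)})


def observed_combinations(keys, pools: dict) -> set:
    """Distinct index tuples actually produced for a set of keys."""
    return {tuple(exit_indexes(k, pools).values()) for k in keys}


if __name__ == "__main__":
    # Constructed stand-ins for WireGuard public keys.
    keys = [f"constructed-key-{i}".encode() for i in range(3650)]
    print("independent:", independent_combinations(POOLS))
    print("shared-percentile bound:", shared_percentile_combinations(POOLS))
    print("observed:", len(observed_combinations(keys, POOLS)))
```

Drawing an independent value per server (for example, seeding with the key combined with a server identifier) would restore the product-sized space in this model.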