1. Forum
  2. tqwNet
  3. TQW GENTECH

  • 'Some aspects are as we intended and some are not' Mullvad addre

    From TechnologyDaily@1337:1/100 to All on Tuesday, May 19, 2026 15:30:32
    'Some aspects are as we intended and some are not' Mullvad addresses WireGuard exit-IP fingerprinting concern after researcher flags privacy risk

    Date:
    Tue, 19 May 2026 14:16:51 +0000

    Description:
    Is your VPN traffic as anonymous as you think? A security researcher just found a way to fingerprint Mullvad VPN users through exit IP patterns, prompting a swift response and an ongoing infrastructure patch from the provider.

    FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter A researcher found Mullvad's WireGuard exit IP may enable fingerprinting Mullvad's co-founder confirmed an upcoming patch to address any issues Mullvad will also re-evaluate if the intended behaviors are acceptable or not Mullvad VPN , a provider highly regarded for its rigid privacy stance and no-logs policy, is currently addressing claims that its IP assignment structure can be used to track individual users.

    The issue was brought to light by an independent security researcher known as "tmctmt," who found that Mullvads method of assigning public exit IP
    addresses for its WireGuard connections isn't entirely random. Instead of assigning a fresh IP every time you connect, the exit IP is deterministically tied to your unique WireGuard key. Because this internal mathematical "seed" remains static until your key rotates, moving between different Mullvad servers may produce a recognizable constellation of IP addresses. By
    analyzing these IP logs, administrators on forums or websites could potentially link a user's disparate connections back to the same device with over 99% confidence. You may like 'No major vulnerabilities' Mullvads WireGuard implementation gets thumbs up from independent security audit 'We want to help' Mullvad VPN offers server support to privacy-first GrapheneOS Mullvad pushes update in a bid to make your iOS VPN app even more secure but there's a catch

    Mullvad co-founder and co-CEO Fredrik Strmberg quickly acknowledged the
    report on Hacker News, arguing that: "Some aspects of the described behavior are as we intended and some are not."

    Strmberg confirms that a fix is actively being deployed for any of the unintended behaviors, adding that "we will also re-evaluate whether the intended behaviors are acceptable or not."

    TechRadar has also reached out to Mullvad directly for further comment. Feature or bug? Unlike competitors that cram thousands of users onto a single IP address , Mullvad assigns multiple exit IPs per server to prevent annoying CAPTCHAs and rate limits.

    The researcher tested this system by cycling through 3,650 public keys across nine different servers. Despite there being over 8.2 trillion possible IP combinations, all of the generated keys resulted in just 284 distinct IP patterns.

    Using a custom "seed estimator," the researcher showed that linking these
    exit IPs could narrow a user down to a pool of about 340 people (assuming 100,000 active users). While it doesn't instantly dox your real name, it provides more than enough data to cross-reference multiple accounts or connections.

    Responding on Hacker News under the username "kfreds," Strmberg was quick to note that the backend cause wasn't exactly as theorized by the researcher,
    but confirmed action was being taken. What to read next GrapheneOS patches an Android VPN bypass that Google decided to leave alone Mullvad VPN takes its banned anti-surveillance ad to the streets after UK TV rejection Mullvad Browser's testers now get access to updates every four weeks, also on Linux ARM devices

    "The cause is not exactly as described in the blog post. As for mitigation,
    we are already testing a patch of the unintended behavior on a subset of our infrastructure. If any of you try to reproduce the blog post's findings you may get confusing results throughout the day," Strmberg noted. Today's best Mullvad VPN deals Mullvad VPN 4.35 /mth View We check over 250 million products every day for the best prices The company recently pushed updates to make its iOS app more secure , but server-level IP assignment affects users across all platforms. While Mullvad addresses the unintended infrastructure quirks, Strmberg noted they will "re-evaluate whether the intended behaviors are acceptable or not," framing the issue as a "trade-off between multiple aspects of privacy, and multiple aspects of user experience".

    Strmberg also left a polite note for future bug hunters: "Finally, for those of you who do security research: when you find a security or privacy issue, please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away".

    If you are a current Mullvad user, you can easily mitigate this tracking risk today. The researcher advises avoiding rapid server switching, and occasionally logging out and back into the Mullvad app to force a manual WireGuard key rotation.



    ======================================================================
    Link to news story: https://www.techradar.com/vpn/vpn-services/some-aspects-are-as-we-intended-and -some-are-not-mullvad-addresses-wireguard-exit-ip-fingerprinting-concern-after -researcher-flags-privacy-risk


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)