‘Some aspects are as we intended and some are not’ — Mullvad addresses WireGuard exit-IP fingerprinting concern after researcher flags privacy risk

‘Some aspects are as we intended and some are not’ — Mullvad addresses WireGuard exit-IP fingerprinting concern after researcher flags privacy risk

https://www.techradar.com/vpn/vpn-services/some-aspects-are-as-we-intended-and-some-are-not-mullvad-addresses-wireguard-exit-ip-fingerprinting-concern-after-researcher-flags-privacy-risk

Publish Date: 2026-05-19 10:16:00

Source Domain: www.techradar.com

• A researcher found Mullvad’s WireGuard exit IP may enable fingerprinting
• Mullvad’s co-founder confirmed an upcoming patch to address any issues
• Mullvad will also re-evaluate if the intended behaviors are acceptable or not

Mullvad VPN, a provider highly regarded for its rigid privacy stance and no-logs policy, is currently addressing claims that its IP assignment structure can be used to track individual users.

The issue was brought to light by an independent security researcher known as “tmctmt,” who found that Mullvad’s method of assigning public exit IP addresses for its WireGuard connections isn’t entirely random. Instead of assigning a fresh IP every time you connect, the exit IP is deterministically tied to your unique WireGuard key.

Because this internal mathematical “seed” remains static until your key rotates, moving between different Mullvad servers may produce a recognizable constellation of IP addresses. By analyzing these IP logs, administrators on forums or websites could potentially link a user’s disparate connections back to the same device with over 99% confidence.

You may like

Mullvad co-founder and co-CEO Fredrik Strömberg quickly acknowledged the report on Hacker News, arguing that: “Some aspects of the described behavior are as we intended and some are not.”

Strömberg confirms that a fix is actively being deployed for any of the unintended behaviors, adding that “we will also re-evaluate whether the intended behaviors are acceptable or not.”

TechRadar has also reached out to Mullvad directly for further comment.

Feature or bug?

Unlike competitors that cram thousands of users onto a single IP address, Mullvad assigns multiple exit IPs per server to prevent annoying CAPTCHAs and rate limits.

The researcher tested this system by cycling through 3,650 public keys across nine different servers. Despite there being over 8.2 trillion possible IP combinations, all of the generated keys resulted in just 284…

Source