Published a detailed quantitative analysis showing that many Mullvad servers — particularly in less popular locations — have anonymity sets of only tens to low hundreds of concurrent users per exit IP. Demonstrates that combining the exit IP with weak secondary signals like timezone, browser language, or screen resolution can narrow identification to single digits, making IP-based fingerprinting a real threat even against the most privacy-focused commercial VPN.
Argues that the vulnerability stems from a core design tension in commercial VPNs: letting users pick servers by city is a feature for performance and geo-unblocking, but it fragments the user pool into smaller, more identifiable groups. If the gold-standard provider Mullvad is affected, every other commercial VPN is necessarily worse.
Points out that Tor addressed anonymity-set fragmentation years ago by removing user server selection entirely, rotating circuits every 10 minutes, and using a three-hop architecture where no single node sees both user and destination. Mullvad Browser inherits Tor Browser's anti-fingerprinting at the browser level, but cannot replicate Tor's network-layer anonymity guarantees within a commercial VPN model.
A researcher publishing under the handle tmctmt released a detailed analysis of how Mullvad VPN exit IP addresses can function as a fingerprinting vector — one that works *even when all browser-level fingerprinting is defeated*. The post, which hit 520 points on Hacker News, puts concrete numbers on a problem that privacy researchers have discussed in the abstract but rarely quantified for a specific provider.
The core finding: Mullvad operates roughly 600-800 servers across 68+ cities, and many of those servers — particularly in less popular locations — have anonymity sets of only tens to low hundreds of concurrent users per exit IP. That means a website logging your IP address can narrow you down to a surprisingly small group. Combine that IP with even weak secondary signals — timezone, browser language, screen resolution, visit timing — and the set shrinks further, sometimes to single digits.
This matters because Mullvad is widely considered the gold standard of commercial VPN privacy: no accounts, cash and crypto payments accepted, regular third-party audits, RAM-only servers. If the anonymity-set problem affects Mullvad, every other commercial VPN is worse.
### The architectural gap
The fundamental issue isn't a bug — it's a design tension baked into how commercial VPNs work. Mullvad lets you pick your server by city for performance and geo-restriction reasons. That user agency is a feature. But it's also the mechanism that fragments the user pool into smaller, more identifiable groups.
Tor addressed this problem years ago by taking server choice away from the user by default: circuits rotate every ten minutes, exit nodes carry far more diverse traffic, and the three-hop architecture ensures no single node sees both the user and the destination. Mullvad Browser — built in collaboration with the Tor Project on Firefox ESR — applies Tor Browser's anti-fingerprinting techniques to defeat canvas, WebGL, and font-based fingerprinting. But it routes traffic through a single Mullvad server, not a three-hop circuit. The browser fingerprint is clean. The network fingerprint is not.
This creates a paradox that the Hacker News discussion zeroed in on: a "clean" browser fingerprint (identifying someone as a Mullvad Browser user) *plus* a specific exit IP can be more identifying than a messy fingerprint alone. You've announced that you're privacy-conscious and then handed over a semi-stable network identifier.
### The cross-site correlation attack
The attack is practical, not theoretical. An ad network or analytics platform that sees the same Mullvad exit IP visit site A and site B within minutes, with the pattern repeating over days, has effectively linked those sessions to a single user. Cloudflare and similar CDNs already track VPN exit IPs extensively. Anti-fraud systems at major platforms already fingerprint at this layer.
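The correlation described above, written out as an added example (this is not code from the original post or from any ad network). The log lines are constructed, the 10-minute window and the two-day repeat threshold are arbitrary choices, and `198.51.100.7` / `203.0.113.9` are documentation-range addresses standing in for Mullvad exit IPs. The key combines the exit IP with two weak signals (timezone offset and Accept-Language), which is exactly the combination the analysis says shrinks the candidate set; `expected_candidates` shows that arithmetic for the anonymity-set numbers quoted earlier.

```python
"""Cross-site linking of sessions that share a VPN exit IP, as seen by a
third party embedded on several sites.  Constructed example: the events,
window and thresholds are made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (UTC timestamp, site, client IP, timezone offset, Accept-Language).
EVENTS = [
    ("2024-03-01T08:02:00", "news.example",  "198.51.100.7", "+01:00", "sv-SE"),
    ("2024-03-01T08:05:30", "forum.example", "198.51.100.7", "+01:00", "sv-SE"),
    ("2024-03-02T19:10:00", "news.example",  "198.51.100.7", "+01:00", "sv-SE"),
    ("2024-03-02T19:14:00", "forum.example", "198.51.100.7", "+01:00", "sv-SE"),
    ("2024-03-03T07:40:00", "news.example",  "198.51.100.7", "+01:00", "sv-SE"),
    ("2024-03-03T07:41:00", "forum.example", "198.51.100.7", "+01:00", "sv-SE"),
    # Same exit IP, different timezone/language: a different user sharing the IP,
    # seen on one day only.
    ("2024-03-01T08:03:00", "news.example",  "198.51.100.7", "-05:00", "en-US"),
    ("2024-03-01T08:04:00", "forum.example", "198.51.100.7", "-05:00", "en-US"),
    # Second exit IP: A and B overlap within the window on only one day.
    ("2024-03-01T12:00:00", "news.example",  "203.0.113.9",  "+00:00", "en-GB"),
    ("2024-03-01T12:03:00", "forum.example", "203.0.113.9",  "+00:00", "en-GB"),
    ("2024-03-02T12:00:00", "news.example",  "203.0.113.9",  "+00:00", "en-GB"),
    ("2024-03-04T12:00:00", "forum.example", "203.0.113.9",  "+00:00", "en-GB"),
]


def link_cross_site(events, site_a, site_b, window=timedelta(minutes=10), min_days=2):
    """Return {(ip, tz, lang): [dates]} for keys seen on BOTH site_a and site_b
    within `window` on at least `min_days` distinct days.  A single-day overlap
    is treated as coincidence; repetition across days is what links the sessions."""
    by_key = defaultdict(list)
    for ts, site, ip, tz, lang in events:
        if site in (site_a, site_b):
            by_key[(ip, tz, lang)].append((datetime.fromisoformat(ts), site))
    linked = {}
    for key, visits in by_key.items():
        visits.sort()  # chronological, so the inner loop can stop at the window edge
        days = set()
        for i, (t1, s1) in enumerate(visits):
            for t2, s2 in visits[i + 1:]:
                if t2 - t1 > window:
                    break
                if {s1, s2} == {site_a, site_b}:
                    days.add(t1.date())
        if len(days) >= min_days:
            linked[key] = sorted(days)
    return linked


def expected_candidates(users_on_exit_ip, *signal_fractions):
    """Expected number of users on one exit IP who also match each secondary
    signal, assuming the signals are independent (an assumption, not a fact
    about any real population).  E.g. 150 users, 20% in one timezone, 30% with
    one language, 10% with one screen size -> fewer than one other candidate."""
    n = float(users_on_exit_ip)
    for frac in signal_fractions:
        n *= frac
    return n


if __name__ == "__main__":
    for key, days in link_cross_site(EVENTS, "news.example", "forum.example").items():
        print(key, "linked across", len(days), "days")
    print("expected candidates:", expected_candidates(150, 0.2, 0.3, 0.1))
```

The window and day thresholds are knobs an adversary tunes against false positives; the point of the example is that the shared IP alone never appears as the key, it is always IP plus whatever else the request leaks for free.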
A commenter with claimed VPN industry experience noted on HN that most commercial VPNs are far worse — NordVPN and ExpressVPN offer dedicated IPs that are literally single-user identifiers. But Mullvad's marketing specifically emphasizes shared IPs as a privacy feature, and the research shows that "shared" can mean shared with a very small crowd.
### The "good enough" debate
The HN discussion split predictably along threat-model lines. For the majority use case — hiding traffic from your ISP, securing public WiFi, basic geo-shifting — exit IP fingerprinting is irrelevant. Your ISP already knows your real IP; what the VPN hides from it is where your traffic is going (and, for anything not already encrypted, what it contains). The fingerprinting vector only matters when your adversary is the *destination* website (or a network of websites cooperating to correlate visits).
But for journalists, activists, security researchers, or anyone whose threat model includes a determined adversary willing to correlate IP-level signals across multiple sites, the gap between VPN marketing and VPN reality is significant. Several commenters argued that anyone in this category should use Tor, full stop — accepting the performance trade-off as the cost of actual anonymity.
Skeptical voices in the discussion pushed back on the practical exploitability. WireGuard's key rotation and Mullvad's ability to reassign users to different servers add noise. NAT and shared infrastructure make IP-to-user mappings less clean than the analysis suggests. Users who enable auto-connect cluster onto popular servers where anonymity sets are larger. These are fair points — but they're arguments that the attack is *harder*, not that it doesn't work.
### If you're a Mullvad user
The immediate mitigations are straightforward:
1. Rotate servers frequently. Don't park on one city. Mullvad's WireGuard implementation makes switching fast.
2. Use multi-hop. Mullvad supports routing through two servers, which adds a layer of indirection at a performance cost.
3. Prefer popular locations. Stockholm, Amsterdam, and Frankfurt have the most servers and users — larger anonymity sets. That server in Ljubljana with 2 Mullvad nodes is not providing the anonymity you think it is.
4. Understand your threat model. If your adversary is your ISP or a hostile WiFi operator, none of this matters. If your adversary can correlate your activity across websites, consider Tor.
### If you build anti-abuse or analytics systems
This research is a reminder that VPN exit IPs are not opaque pools. Mullvad's server list is public (available via API), which means any adversary can enumerate all exit IPs and build a lookup table mapping IP → city → approximate anonymity set. If you're building fraud detection, this is useful signal. If you're building privacy-respecting analytics, it's a reason to be more aggressive about IP anonymization — grouping VPN exit IPs into coarse buckets rather than treating them as identifiers.
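Both sides of that advice in one place, as an added example (not Mullvad's code and not from the original post). The relay records below are constructed with documentation-range addresses; the field names (`hostname`, `country_code`, `city_name`, `ipv4_addr_in`, `active`) are an assumption about the shape of Mullvad's public relay list and should be checked against the live API before relying on them. The number of active relays per city is used only as a proxy for how crowded an exit is; the list does not expose concurrent user counts, so the real anonymity set is unknown to this code.

```python
"""Exit-IP lookup table built from a Mullvad-style relay list, used (a) as an
anti-abuse signal and (b) to coarsen IPs before storage in analytics.
Constructed example; relay records and field names are assumptions."""
import ipaddress
from collections import Counter

# Constructed sample in the assumed relay-list shape.  Ljubljana has two active
# relays and one inactive one; Stockholm has three active relays.
RELAYS = [
    {"hostname": "se-sto-wg-001", "country_code": "se", "city_name": "Stockholm", "ipv4_addr_in": "198.51.100.10", "active": True},
    {"hostname": "se-sto-wg-002", "country_code": "se", "city_name": "Stockholm", "ipv4_addr_in": "198.51.100.11", "active": True},
    {"hostname": "se-sto-wg-003", "country_code": "se", "city_name": "Stockholm", "ipv4_addr_in": "198.51.100.12", "active": True},
    {"hostname": "si-lju-wg-001", "country_code": "si", "city_name": "Ljubljana", "ipv4_addr_in": "203.0.113.20", "active": True},
    {"hostname": "si-lju-wg-002", "country_code": "si", "city_name": "Ljubljana", "ipv4_addr_in": "203.0.113.21", "active": True},
    {"hostname": "si-lju-wg-003", "country_code": "si", "city_name": "Ljubljana", "ipv4_addr_in": "203.0.113.22", "active": False},
]


def build_lookup(relays):
    """Map each active exit IP -> (country, city, active relays in that city).
    Relay count per city is a proxy for the size of the crowd, nothing more."""
    per_city = Counter((r["country_code"], r["city_name"]) for r in relays if r["active"])
    table = {}
    for r in relays:
        if not r["active"]:
            continue  # inactive relays are not serving traffic, so they add no cover
        key = (r["country_code"], r["city_name"])
        table[ipaddress.ip_address(r["ipv4_addr_in"])] = (*key, per_city[key])
    return table


def classify(ip, table, small_pool_threshold=3):
    """Anti-abuse view: is this a known VPN exit, and how crowded is it?
    The threshold is an arbitrary choice for the example."""
    hit = table.get(ipaddress.ip_address(ip))
    if hit is None:
        return {"vpn": False}
    country, city, n = hit
    return {"vpn": True, "country": country, "city": city,
            "relays_in_city": n, "small_pool": n < small_pool_threshold}


def analytics_key(ip, table):
    """Privacy-respecting view: never store a VPN exit IP as an identifier.
    Known exits collapse to a provider+country bucket; everything else is
    truncated to /24 (IPv4) or /48 (IPv6) before it is written anywhere."""
    addr = ipaddress.ip_address(ip)
    hit = table.get(addr)
    if hit is not None:
        return f"vpn:mullvad:{hit[0]}"
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


if __name__ == "__main__":
    table = build_lookup(RELAYS)
    for ip in ("198.51.100.10", "203.0.113.20", "192.0.2.77", "2001:db8::1"):
        print(ip, classify(ip, table), analytics_key(ip, table))
```

The same table feeds both functions; which one you call is the policy decision the paragraph above is pointing at. Note that bucketing to the country level still leaks "this visitor uses Mullvad", which is the clean-fingerprint paradox from earlier in the piece, so a stricter analytics pipeline would collapse all known VPN exits into a single bucket.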
### If you're evaluating VPN providers
The research implicitly raises a design question for VPN providers: should they consolidate users onto fewer exit IPs to increase anonymity sets, at the cost of performance and geographic choice? The community consensus is converging on a specific ask: VPN providers should publish real-time anonymity set metrics per server, so users can make informed choices about the privacy-performance trade-off. Apple's iCloud Private Relay was cited as a better-designed system with larger anonymity sets by construction, though it's not a general-purpose VPN.
This finding sits at an uncomfortable intersection: Mullvad is doing more for user privacy than any other commercial VPN, and the structural limitation identified here is something only Tor's architecture truly solves. The most productive outcome would be Mullvad publishing anonymity-set data per server — turning a hidden weakness into a transparent, user-navigable trade-off. In the meantime, the research is a useful corrective to the mental model that "shared VPN IP" means "lost in a crowd." The crowd might be smaller than you assumed, and the room has a sign on the door listing everyone's exit node.
> As an example, imagine that you are a moderator on a forum and you suspect that a new face is actually a sockpuppet of a user you banned the day prior. You check the IP logs, and despite using different Mullvad servers, both accounts resolve to the overlapping float ranges 0.4334 - 0.4428 and 0
The purpose of a VPN does not include anonymizing users with respect to the sites they visit, so it shouldn't be too surprising that Mullvad doesn't enforce unique exit IPs. Users who want anonymity should use networks like Tor.
I'm a long-time Mullvad user. I will continue to buy and use Mullvad VPN services (with my credit card that has my name on it) so long as it is legal to do so in my country. VPNs are not 100% anonymous. They are not meant to be. Instead, they are meant to provide some level of privacy to law-abi
I work at Mullvad (co-CEO, co-founder). Some aspects of the described behavior are as we intended and some are not. The cause is not exactly as described in the blog post. As for mitigation, we are already testing a patch of the unintended behavior on a subset of our infrastructure. If any of you try