Mullvad exit IPs can be used to identify users, study shows

Mullvad's exit IPs can be used to identify users, according to research analyzing their distribution [RGBCube]. The study found that exit IPs are reused unevenly, with some assigned far more frequently than others. This pattern creates a fingerprinting vector: observers can correlate traffic by tracking which users appear on the same overused exit IP, even if the users themselves rotate servers.

The research examined real-world connection logs and found that Mullvad’s exit pool does not randomize user-to-IP assignment uniformly. Instead, certain IPs serve disproportionate numbers of sessions, making them statistically identifiable. An adversary with access to external traffic logs — such as a website or network monitor — could match user activity across sessions by observing repeated use of these high-frequency exit IPs.

This isn’t a theoretical flaw. The study demonstrated active correlation using observed exit IP patterns, showing that users can be linked across different browsing sessions without needing to compromise Mullvad’s encryption or infrastructure [RGBCube].

While the issue appears most pronounced in Mullvad due to its specific load-balancing behavior, the underlying risk applies to any VPN that reuses exit IPs non-uniformly. Providers that don’t actively randomize or rotate exit IP assignments may expose similar vulnerabilities.

The finding challenges the assumption that VPNs fully mask user identity. Even without logging, a provider’s infrastructure design — in this case, exit IP allocation — can leak identifying patterns. For privacy engineers, this shifts focus from just "no logs" policies to the operational mechanics of traffic routing.