Security researchers have identified that Mullvad VPN's exit IP addresses can be used as fingerprinting vectors to identify and track users, undermining the privacy protections the service is designed to provide.
A technical analysis reveals that Mullvad's exit IP pool exhibits patterns that enable user identification despite the VPN's focus on privacy. The finding suggests that exit IPs alone can serve as reliable fingerprints for tracking sessions and correlating user behavior across time.
The discovery challenges assumptions about VPN anonymity. While Mullvad rotates exit IPs, the limited pool size and predictable patterns create identification opportunities for determined observers. Researchers documented how exit IP selection can be correlated with user behavior and timing metadata.
Mullvad has built its reputation on transparency and privacy-first practices, including storing minimal logs and supporting alternative payment methods. However, this research indicates that even privacy-focused VPN operators face fundamental challenges in protecting user identity through IP rotation alone.
The findings have sparked discussion in the security community about the limitations of current VPN architectures and the need for additional anonymization layers beyond IP masking. Mullvad has not yet publicly responded to the analysis.
The European Union has sanctioned members of Russia's Federal Security Service (FSB) for cyber espionage and sabotage campaigns targeting EU and Ukrainian entities since 2010. The move, coordinated with the UK, targets dozens of individuals and organizations involved in systematic hacking operations.
Cybersecurity agencies from the United States and eight allied nations have issued a joint warning about Russian state-sponsored hackers targeting vulnerable routers to breach critical infrastructure networks.
A new browser fingerprinting vector has emerged in Chromium 148, where the Math.tanh function produces different results across operating systems. This discrepancy can be exploited to identify a user's underlying OS without explicit permission.
Kaseya is hosting a webinar on strengthening MSP resilience through SaaS backups and business continuity strategies. The session focuses on how recovery capabilities prove critical when security defenses are breached.