RC RANDOM CHAOS

Mullvad's deterministic exit IP assignment leaks a per-key fingerprint

via Hacker News

Original source

Mullvad exit IPs are surprisingly identifying


Mullvad assigns each server multiple exit IPs and picks one deterministically from a user’s WireGuard public key rather than randomly per connection. A researcher cycled through 3,650 pubkeys across nine servers and found that, despite a theoretical 8.2 trillion possible IP combinations, only 284 distinct combinations appeared. The reason: the selection algorithm seeds an RNG with the pubkey, and Rust’s range sampling reuses the same underlying float across different bounds, so each pubkey lands at roughly the same percentile within every server’s pool. The result is that exit IPs across unrelated servers move in lockstep.

That per-key float is a fingerprint. The author built a tool that derives the float range implied by an observed set of exit IPs, narrowing a user down to roughly 0.3% of Mullvad’s base — a few hundred people out of an estimated 100,000. Correlating exit IPs from forum logs, breach data, or subpoenas against that range yields better than 99% confidence that two sessions belong to the same person, even when they used different Mullvad servers.
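The lockstep effect and the float range described above, reduced to a minimal model as an added example (not Mullvad's code, not the researcher's tool, and not the `rand` crate's sampling routine). SplitMix64 stands in for the pubkey-seeded RNG, and the pool sizes and key seeds are constructed; `float_interval` returns the slice of the key space that stays consistent with a set of observed exit IPs, which is the quantity the fingerprint leaks.

```rust
// Simplified model (assumption): one seeded draw per key, scaled to each pool size.
// Function names, pool sizes and seeds are hypothetical, chosen for illustration.

/// SplitMix64 step, standing in for "an RNG seeded from the WireGuard pubkey".
fn seeded_unit_float(key_seed: u64) -> f64 {
    let mut z = key_seed.wrapping_add(0x9E37_79B9_7F4A_7C15);
    z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
    z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
    z ^= z >> 31;
    (z >> 11) as f64 / (1u64 << 53) as f64 // uniform in [0, 1)
}

/// Exit-IP index on a server with `pool` exit IPs: same float, different bound.
fn exit_index(key_seed: u64, pool: u32) -> u32 {
    (seeded_unit_float(key_seed) * pool as f64) as u32
}

/// Interval of the per-key float consistent with observed (pool, index) pairs.
/// Its width is the fraction of all keys that would produce the same observations.
fn float_interval(obs: &[(u32, u32)]) -> (f64, f64) {
    obs.iter().fold((0.0, 1.0), |(lo, hi), &(pool, idx)| {
        let l = idx as f64 / pool as f64;
        let h = (idx + 1) as f64 / pool as f64;
        (lo.max(l), hi.min(h))
    })
}

fn main() {
    let pools = [16u32, 23, 31, 40]; // constructed pool sizes, one per server
    for seed in [1u64, 2, 3] {
        // constructed key seeds
        let obs: Vec<(u32, u32)> = pools.iter().map(|&p| (p, exit_index(seed, p))).collect();
        let (lo, hi) = float_interval(&obs);
        println!(
            "key {seed}: indices {:?} -> float in [{lo:.4}, {hi:.4}), width {:.4}",
            obs.iter().map(|o| o.1).collect::<Vec<_>>(),
            hi - lo
        );
    }
}
```

Each additional server observed can only shrink the interval, which is why switching servers under one key adds to the fingerprint instead of diluting it.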

The likely cause is a subtle misunderstanding of how seeded RNGs behave when only the upper bound changes — a quirk that surprises most developers. Mitigations are limited: stay on one server per key, and force-rotate the pubkey by logging out of the Mullvad client to reset the fingerprint.


This is an AI-generated summary. Read the original for the full story.