Mullvad
Mullvad is a virtual private network (VPN) service provider headquartered in Gothenburg, Sweden, founded in March 2009 by Fredrik Strömberg and Daniel Berntsson as a response to increasing concerns over digital surveillance and censorship.[1][2]
Operated by Mullvad VPN AB, a subsidiary of Amagicom AB wholly owned by its founders, the service prioritizes user anonymity by requiring no personal information, email addresses, or traditional account identifiers—instead using randomly generated account numbers—and accepts payments exclusively in fixed amounts via cash, cryptocurrency, or bank wire without linking to identities.[1][3]
Mullvad enforces a strict no-logging policy for user activity and metadata, has undergone independent audits to substantiate these claims, and employs protocols like WireGuard and OpenVPN alongside innovations such as multihop routing, encrypted DNS over the VPN tunnel, and quantum-resistant encryption to counter advanced threats.[4][3]
The company maintains open-source client applications, collaborates with organizations like the Tor Project on tools such as the Mullvad Browser, and commits to long-term independence without external investment or sale, driven by an idealistic vision of rendering mass surveillance impractical.[3][2][5]
History
Founding and Early Years
Mullvad VPN was launched in March 2009 by Amagicom AB, a Swedish company founded by Fredrik Strömberg and Daniel Berntsson in Gothenburg.[1] The service's development originated in the summer of 2008, driven by the founders' idealistic commitment to privacy as a cornerstone of civilized society and their aim to render censorship and mass surveillance impractical through technological means.[2][1] Amagicom AB's name draws from the ancient Sumerian term "ama-gi," which translates to "freedom" and underscores the emphasis on secure, unrestricted communication.[1]
From inception, Mullvad prioritized user anonymity and minimal data retention, operating without requiring personal information for account creation or usage.[1] The initial service relied on the OpenVPN protocol for secure connections, establishing a foundation for encrypted tunneling that aligned with its privacy-focused ethos.[6] Early operations grew organically without external investment, reflecting the founders' vision of sustainable, principle-driven entrepreneurship rather than profit maximization.[2]
Key innovations in the nascent phase included the introduction of Bitcoin payments in July 2010, enabling pseudonymous transactions, followed by cash payment options in September 2010 to further accommodate anonymous users.[1] These features distinguished Mullvad from contemporaries by minimizing traceable financial interactions, reinforcing its commitment to user sovereignty amid rising concerns over digital surveillance in the late 2000s.[6] By addressing early security vulnerabilities, such as those related to OpenVPN in 2014, the service demonstrated proactive resilience during its formative years.[1]
Expansion and Technological Advancements
In 2016, Mullvad expanded its server infrastructure by 150%, increasing from 23 to 59 servers and adding locations in 13 new countries including Austria, Belgium, Bulgaria, Czech Republic, Denmark, Italy, Lithuania, Norway, Romania, Singapore, Spain, Switzerland, and the United Kingdom.[7] The company also hired two full-time employees and released updated client software with signed releases for enhanced security verification, alongside introducing SOCKS5 proxy support on all servers and upgrading server hardware to bolster protection against vulnerabilities.[7]
By 2017, server capacity grew further by 175% to 162 locations across 27 countries, while the team expanded with four additional employees and three consultants.[8] That year, Mullvad became an early adopter of the WireGuard protocol, announcing its availability in March and contributing significantly to its development to prioritize speed and simplicity over legacy options like OpenVPN.[9] In December, the company introduced a post-quantum secure VPN tunnel, employing hybrid encryption schemes resistant to potential quantum computing threats, marking a proactive step in cryptographic advancement.[10]
Subsequent years saw continued infrastructure scaling, with Mullvad operating over 700 servers in 49 countries by 2025, emphasizing owned and rented hardware for reliability.[11] In 2019, the company launched its System Transparency initiative, aiming to verify server software integrity through open-source firmware ports and partnerships, such as with Mozilla for shared server resources.[1] This evolved in January 2022 with the deployment of RAM-only WireGuard servers to eliminate persistent storage risks, expanding to over 20 servers by late 2024 with plans for broader rollout in 2025.[1][12]
Technological progress accelerated in 2024 with the introduction of DAITA (Defense Against AI-guided Traffic Analysis), a feature using fixed packet sizes, randomized background traffic, and data distortion to counter machine learning-based metadata analysis that could deanonymize encrypted VPN flows even without content decryption.[13] DAITA rolled out progressively across platforms, reaching Linux and macOS in September 2024, Android in October 2024, and iOS shortly thereafter, with a version 2 update in 2025 enhancing performance against AI fingerprinting.[14][15] In September 2025, Mullvad implemented QUIC obfuscation for WireGuard on desktop apps (version 2025.9), tunneling UDP traffic via HTTP/3 to masquerade it as innocuous web activity, aiding circumvention in censored environments like China and Russia; mobile support followed in October.[16] These developments reflect Mullvad's focus on verifiable, forward-looking privacy enhancements amid growing surveillance capabilities.[1]
Legal and Regulatory Challenges
In April 2023, Swedish police executed a search warrant at Mullvad VPN's offices in an attempt to seize servers and computers containing customer connection data linked to a criminal investigation.[17] The company successfully challenged the scope of the warrant, arguing under Swedish law that authorities lacked reasonable grounds to expect relevant data on the premises, as Mullvad maintains a verified no-logs policy with no stored user activity or metadata.[17] No customer information was found or compromised, demonstrating the practical enforcement of Mullvad's privacy commitments despite law enforcement demands.[18]
Mullvad operates under Swedish jurisdiction, which imposes no mandatory data retention requirements on VPN providers, unlike the repealed Law on Electronic Communications (LEK) that previously applied to telecommunications but exempts encrypted VPN traffic.[19] The company complies with the General Data Protection Regulation (GDPR) for minimal operational data, such as payment processing, but explicitly states it cannot be compelled to log user activity or metadata for surveillance purposes.[20] In response to formal requests, Mullvad refers authorities to its no-logs policy and, if necessary, would consider service shutdown over forced spying.[20]
Broader regulatory pressures in the European Union pose ongoing challenges, with an EU expert group in March 2025 identifying VPN services as obstacles to law enforcement investigations, potentially leading to targeted legislation.[21] Mullvad has opposed proposals for encryption backdoors or expanded surveillance, such as under the Swedish Covert Surveillance of Data Act (effective 2020–2025), which allows limited metadata access for national security but does not mandate provider-side logging.[22] These tensions highlight VPN providers' vulnerability to evolving EU-wide rules prioritizing investigative access over privacy, though Sweden's framework remains relatively permissive compared to jurisdictions like the UK or Australia with stricter retention mandates.[19]
Company and Operations
Ownership Structure and Location
Mullvad VPN is operated by Mullvad VPN AB, a wholly-owned subsidiary of Amagicom AB, which was founded on April 23, 2009, in Sweden by Fredrik Strömberg and Daniel Berntsson.[1] Amagicom AB, meaning "free communication" in a constructed term, serves as the parent entity and maintains full control over the VPN service without external investors, venture capital, or plans for acquisition, as affirmed by the founders in 2021.[2] This structure ensures operational independence, with the founders actively involved in decision-making to prioritize privacy-focused development over profit maximization.[1]
Amagicom AB is privately held, with 100% ownership divided equally between Strömberg and Berntsson, who each own 50% of the shares and remain the sole shareholders as of the latest public statements.[2][1] The company is headquartered in Gothenburg, Sweden, at Box 53049, with the postal code 400 14, operating under Swedish corporate law as an aktiebolag (AB), a private limited company structure that limits public disclosure of detailed financials beyond annual reports filed with Swedish authorities.[1] This location subjects Mullvad to Sweden's Electronic Communications Act, which influences data retention obligations but aligns with the company's no-logs policy commitments, though it places it within the Fourteen Eyes intelligence-sharing alliance.[23]
Business Model and Pricing
Mullvad operates a subscription-based business model, deriving all revenue exclusively from customer payments for VPN access without reliance on advertising, data sales, or affiliate partnerships.[24] The company, structured as a private entity under Amagicom AB in Sweden, prioritizes long-term sustainability over profit maximization or acquisition, having committed since its 2008 inception to idealistic goals of enhancing user privacy rather than pursuing sale or expansion into data-driven revenue streams.[2] This approach avoids common industry practices like tiered plans or upselling, focusing instead on uniform service delivery to maintain operational transparency and user trust.[25]
Pricing remains fixed at €5 per month (approximately $5.40–$5.80 USD, depending on exchange rates) across all subscription durations, including one month, one year, or even one decade, with no discounts for longer commitments to promote flexibility and discourage lock-in effects.[26] This structure, unchanged since 2009, positions Mullvad as one of the more affordable VPN options on a per-month basis, though it eschews promotional trials or bundles to align with its privacy ethos.[25] Value-added tax (VAT) is included in the quoted price for applicable regions.[26]
To support anonymity, Mullvad accepts a range of payment methods, including cash sent by mail, cryptocurrencies such as Monero and Bitcoin, and bank transfers, which minimize traceable personal data compared to credit cards or PayPal.[27][28] Accounts use randomly generated numbers rather than emails or identifiers, enabling sign-up without personal verification, though non-anonymous payments may retain minimal transaction records for billing compliance under regulations like GDPR.[4] This payment flexibility reinforces the model's emphasis on user control over privacy, even at the cost of higher administrative overhead.[29]
VPN Service Features
Protocols and Encryption
Mullvad VPN supports two tunneling protocols: WireGuard as the primary and default option across its client applications, and OpenVPN as a legacy alternative scheduled for complete removal on January 15, 2026.[30] WireGuard employs state-of-the-art cryptography, including ChaCha20 symmetric encryption authenticated with Poly1305 (per RFC 7539 AEAD), Curve25519 for elliptic curve Diffie-Hellman key exchange, BLAKE2s hashing (RFC 7693), HKDF key derivation (RFC 5869), and a Noise_IK handshake over UDP for secure session establishment.[31] This design results in a compact codebase of under 7,000 lines, minimizing the attack surface compared to alternatives like OpenVPN or IPsec, while enabling high performance without requiring activity logging.[31]
For OpenVPN, Mullvad enforces strict configurations limited to TLS 1.3 on the control channel with ciphers TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_256_GCM_SHA384 (minimum TLS 1.2), and data channel options of ChaCha20-Poly1305 or AES-256-GCM.[3] Server authentication relies on 4096-bit RSA certificates signed with SHA512, with perfect forward secrecy via 4096-bit Diffie-Hellman parameters and ephemeral Diffie-Hellman (DHE) key exchange; keys re-exchange every 60 minutes.[3] These measures prioritize security by excluding weaker legacy ciphers and ensuring forward secrecy, though OpenVPN's larger codebase and complexity make it less efficient than WireGuard.[31]
In Mullvad's implementation, WireGuard keys rotate every two weeks to mitigate static IP correlation risks, with public keys cleared from server RAM after 600 seconds of inactivity; the protocol supports up to five simultaneous devices per account via unique keys.[31] Both protocols route all traffic through Mullvad's servers, but WireGuard's simplicity and speed position it as the recommended choice for most users, with no observed increase in leak vulnerabilities when properly configured.[31]
Server Network and Infrastructure
Mullvad maintains a global network comprising 710 VPN servers distributed across 49 countries and 89 cities, utilizing infrastructure from 15 distinct hosting providers.[32] This setup ensures broad geographic coverage without reliance on virtual servers or fabricated locations, as all servers are physically situated in the listed jurisdictions.[33] The company sources servers either through direct ownership, over which it exercises physical control, or via dedicated rentals that preclude shared hosting arrangements.[33]
To enhance security and preclude persistent data storage, Mullvad's entire VPN infrastructure operates on RAM-only servers, eliminating disks entirely; this migration was fully completed on September 20, 2023.[34] Servers run a custom-hardened Linux kernel based on Ubuntu LTS, with isolated remote management via bastion hosts to prevent direct access by providers.[33] High-speed fiber wavelength connections link key data centers in Amsterdam to hubs in Frankfurt, London, Paris, Malmö, and Zurich, optimizing inter-server traffic routing.[33]
The infrastructure undergoes periodic independent audits, with the fourth review by Cure53 completed in June 2024 confirming implemented security measures, and a subsequent audit scheduled for 2025.[35] This diskless design aligns with Mullvad's no-logs policy by ensuring no residual data survives server reboots or power cycles, thereby minimizing forensic risks in the event of seizures or compelled access.[33]
Client Applications and Usability
Mullvad offers native VPN client applications for Windows 10 and later, macOS, various Linux distributions including Ubuntu and Debian, Android 8.0 and above, and iOS.[36][37][38] The applications are open-source and available via official downloads or GitHub releases, enabling users to verify the software independently.[39] Account setup requires no personal information; users generate a 16-digit account number for anonymous access, with payments accepted via cash, crypto, or other methods to maintain privacy.[40]
The desktop clients for Windows, macOS, and Linux feature a minimalistic interface prioritizing simplicity, where users can connect to the VPN with one click after login, automatically selecting optimal WireGuard servers for speed and reliability.[40] Usability enhancements include an always-on kill switch that blocks all internet traffic upon connection failure or app closure, preventing data leaks; split tunneling to route specific apps or domains outside the VPN; and options for custom local DNS servers.[40][41] Advanced configurations, such as WireGuard key rotation and traffic obfuscation, are accessible via settings without requiring command-line intervention, though Linux users can also utilize CLI tools for scripting.[40] Reviews note the consistent, user-friendly design across desktop platforms, with intuitive server selection and real-time connection status indicators.[42][43]
Mobile applications for Android and iOS mirror desktop functionality, supporting WireGuard for efficient performance on limited resources, with automatic connection on untrusted networks via app settings.[38][40] Key features include split tunneling, kill switch, and recent additions like QUIC-based obfuscation rolled out in version 2025.8 on October 20, 2025, to disguise WireGuard traffic and evade censorship in restrictive environments.[44] Android-specific updates, such as multihop routing introduced in version 2025.1 on March 29, 2025, allow chaining servers for enhanced anonymity, configurable within the app.[45] iOS improvements have addressed earlier interface limitations, providing smoother navigation and blocking features, though platform restrictions limit some desktop-level customizations.[43] App verification tools ensure authenticity before installation, bolstering trust in mobile deployments.[46]
Complementing the VPN clients, Mullvad provides the Mullvad Browser, a modified Firefox ESR version developed with the Tor Project, focusing on anti-fingerprinting and reduced tracking rather than VPN integration.[47] It enforces uniform window sizes, isolates cookies per domain, and disables telemetry for usability in privacy-sensitive scenarios, downloadable for Windows 10+, macOS, and Linux.[48] A separate Firefox extension adds VPN-specific tools like IP/DNS leak detection, proxy chaining, and a browser-level kill switch, enhancing control without full browser replacement.[49][50] These tools promote layered privacy but require manual configuration for optimal usability alongside the core VPN app.[47]
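The OpenVPN parameters listed under Protocols and Encryption can be checked mechanically against a client profile. The following is an added example, not Mullvad's code: the directive names are standard OpenVPN options, the policy values are the ones quoted in that section, and both sample profiles (including the host `vpn.example.net`) are constructed for illustration.

```python
import re

# Parameters quoted in the Protocols and Encryption text above.
ALLOWED_TLS13_SUITES = {"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384"}
ALLOWED_DATA_CIPHERS = {"CHACHA20-POLY1305", "AES-256-GCM"}
MIN_TLS_VERSION = (1, 2)
MAX_RENEG_SECONDS = 60 * 60  # "keys re-exchange every 60 minutes"

# Constructed sample profiles (hypothetical host, certificate body elided).
WEAK_PROFILE = """\
client
remote vpn.example.net 1194   # constructed host
tls-version-min 1.0
cipher BF-CBC
reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
</ca>
"""
STRICT_PROFILE = """\
client
remote vpn.example.net 1194
tls-version-min 1.2
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
data-ciphers CHACHA20-POLY1305:AES-256-GCM
reneg-sec 3600
"""


def parse_directives(text):
    """Map each directive to its argument list, skipping comments and inline <blocks>."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside <ca>...</ca> and similar inline file blocks
            if line == f"</{block}>":
                block = None
            continue
        opened = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if opened:
            block = opened.group(1)
            continue
        line = re.sub(r"(^|\s)[#;].*$", "", line).strip()
        if line:
            name, *args = line.split()
            directives[name.lstrip("-")] = args
    return directives


def lint(text):
    """Return a list of findings; an empty list means the profile matches the policy."""
    d, findings = parse_directives(text), []

    vmin = d.get("tls-version-min")
    if not vmin:
        findings.append("tls-version-min is not pinned")
    elif tuple(int(p) for p in vmin[0].split(".")) < MIN_TLS_VERSION:
        findings.append(f"tls-version-min {vmin[0]} is below 1.2")

    suites = d.get("tls-ciphersuites")
    if not suites:
        findings.append("tls-ciphersuites (TLS 1.3) is not pinned")
    elif set(suites[0].split(":")) - ALLOWED_TLS13_SUITES:
        findings.append(f"tls-ciphersuites allows extra suites: {suites[0]}")

    offered = set()
    for key in ("data-ciphers", "ncp-ciphers", "cipher"):  # current, 2.4-era, legacy
        if d.get(key):
            offered |= {c.upper() for c in d[key][0].split(":")}
    if not offered:
        findings.append("no data-channel cipher is pinned")
    elif offered - ALLOWED_DATA_CIPHERS:
        findings.append(f"data channel allows: {sorted(offered - ALLOWED_DATA_CIPHERS)}")

    reneg = d.get("reneg-sec")  # absent: left to the OpenVPN default, not flagged
    if reneg and (int(reneg[0]) == 0 or int(reneg[0]) > MAX_RENEG_SECONDS):
        findings.append(f"reneg-sec {reneg[0]} exceeds 60 minutes or disables rekeying")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("strict", STRICT_PROFILE)):
        print(label, lint(profile) or "OK")
```

The linter reports unpinned directives as findings rather than assuming what the installed OpenVPN and TLS library versions would negotiate by default.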
Privacy and Security Measures
Anonymity and Account Management
Mullvad enables account creation without requiring any personal identifying information, such as a username, email address, or password. Users generate a unique random account number—currently 16 alphanumeric characters long for improved security—upon initial subscription purchase, which serves as the sole identifier for accessing the service. This approach eliminates traditional registration hurdles that could link users to real-world identities, aligning with the company's policy of minimizing data collection to preserve user anonymity.[4][51]
Account management relies on this number for login and subscription handling via the Mullvad app or website, with no associated personal profiles or recovery options available. If an account number is lost, users cannot retrieve it, as no backup identifiers or support tickets are maintained; instead, a new account must be created, transferring any unused credit manually if possible. This design prioritizes privacy over convenience, preventing the storage of recoverable user data that could be subpoenaed or compromised. Subscriptions are prepaid in fixed increments, such as €5 per month, funded through the account dashboard without ongoing billing tied to external financial records.[4][52][53]
To support anonymous funding, Mullvad accepts payments via privacy-focused methods including cash sent by mail, cryptocurrencies like Monero and Bitcoin, and prepaid cards, alongside conventional options like credit cards that are processed without retaining linking metadata. Cash payments, for instance, allow complete detachment from digital trails, as vouchers are mailed without requiring sender details beyond the account number. The company processes these without logging activity metadata or associating payments with IP addresses beyond immediate verification, ensuring that even payment records do not compromise user anonymity unless legally compelled.[4][27][28]
This framework extends to operational anonymity, where the VPN app connects using the account number without transmitting personal data to servers, and no session logs are kept to correlate usage patterns. Independent audits have verified the absence of persistent identifiers, reinforcing claims of non-attributable access, though users must still manage their own operational security, such as avoiding reuse of account numbers across devices or networks. Limitations include the inability to automate renewals anonymously without recurring traceable payments, potentially requiring manual intervention.[29][4]
No-Logs Policy and Independent Audits
Mullvad operates under a strict no-logs policy, committing to store no user activity data, including connection timestamps, original IP addresses, session bandwidth, or traffic destinations. The company retains only ephemeral data necessary for active VPN sessions, such as temporary WireGuard keys generated upon connection and deleted immediately after disconnection, ensuring no persistent identifiers link sessions to accounts. Accounts are identified solely by randomly generated numbers without requiring personal information like email addresses, and payment methods support anonymity through options like cash or Monero. This minimal retention approach is designed to prevent any reconstruction of user activity even under legal compulsion.[4][54]
The policy's implementation has been scrutinized through multiple independent security audits of Mullvad's VPN infrastructure and server code, which explicitly examined for unauthorized logging or data leakage. A 2022 audit of VPN servers by a Gothenburg-based security firm confirmed no information leakage or customer data logging mechanisms. Subsequent infrastructure audits by Cure53 in 2020 and 2024 similarly found no personally identifiable information (PII) retention or privacy leaks, with the 2024 review of WireGuard and OpenVPN relay code identifying only two low- to medium-severity issues unrelated to logging, while affirming a strong overall security posture. A 2023 audit by Radically Open Security reviewed server access and deployment pipelines, recommending auditable login tracking but uncovering no evidence of customer data persistence. These audits, focusing on source code and operational systems, corroborate the absence of logging capabilities.[55][56][35][57]
Real-world validation occurred during a Swedish police raid on April 18, 2023, when the National Operations Department executed a search warrant at Mullvad's offices seeking customer data related to an investigation. Officers seized servers and computers but departed without obtaining any user information, as no logs or identifying data existed to seize. Mullvad's subsequent request for disclosure protocols from authorities confirmed zero customer data was accessed or retained, demonstrating the policy's effectiveness against compelled disclosure. Client-side audits, such as Cure53's 2020 review and X41 D-Sec's 2024 assessment, further support secure non-logging by identifying only minor, non-persistent vulnerabilities in the applications. A 2025 web app audit by Assured AB detected no critical or high-severity flaws, reinforcing endpoint integrity.[17][18][58][59][60]
Response to Government Inquiries and Raids
On April 18, 2023, at least six officers from Sweden's National Operations Department (NOA) visited Mullvad's office in Gothenburg with a search warrant authorizing the seizure of computers containing customer data linked to an IP address identified in an ongoing criminal investigation.[17] The warrant stemmed from police efforts to trace activity associated with the VPN service, but Mullvad staff informed the officers that no user logs or personal data were retained, as per the company's strict no-logs policy.[17] Consequently, the police departed without confiscating any equipment or obtaining identifiable information, confirming that Mullvad held no relevant records.[17][61]
Mullvad publicly disclosed the incident on April 20, 2023, via its official blog, emphasizing that the event validated its privacy commitments and that customer anonymity remained intact.[17] The company had previously operated for over 14 years without any reported law enforcement visits, a claim substantiated by this first encounter yielding no data.[62] In a follow-up on May 2, 2023, Mullvad shared the authorities' response to its request for the search protocol, which clarified that the probe involved an IP address routing through Mullvad but provided no specifics on the underlying offense, maintaining the investigation's confidentiality.[62]
This raid highlighted Mullvad's operational design to resist data disclosure: account numbers are randomly generated without ties to personal identifiers, payments can be anonymous (e.g., via cash or cryptocurrency), and servers retain no activity logs.[17] Independent analyses post-incident, including from cybersecurity outlets, affirmed the event as empirical proof of Mullvad's no-logs adherence, distinguishing it from providers compelled to retain data under legal mandates in other jurisdictions.[18] No further government actions or inquiries against Mullvad have been publicly documented as of October 2025.[62]
Performance Evaluations
Speed and Latency Testing
Independent evaluations of Mullvad VPN's performance, primarily using the WireGuard protocol for its efficiency, reveal competitive download speeds with moderate latency increases attributable to encryption overhead and geographical distance. Tests conducted via tools such as Ookla Speedtest on high-speed baseline connections (often 400+ Mbps unprotected) show average speed losses ranging from 8% to 39%, depending on server proximity and load.[42][63][64]
In CNET's March and August 2025 assessments across macOS and Windows, Mullvad averaged a 24% speed reduction overall, with stable results including 7% loss to nearby European servers from Ohio. Download speeds reached 350 Mbps to New York servers on macOS and 280 Mbps on Windows, dropping to 250-290 Mbps (macOS) and 190-220 Mbps (Windows) for Australian connections; upload speeds followed similar patterns but were less emphasized in reporting. WireGuard proved consistently faster than OpenVPN in most scenarios, though OpenVPN occasionally edged it on Windows.[42]
VPNMentor's 2025 tests highlighted variability, with 27% average loss on nearby servers and 39% on distant ones using WireGuard exclusively; some connections even exceeded baseline speeds, while outliers dropped up to 45% due to potential overcrowding. Latency remained under 85 ms on local servers, adequate for real-time applications like gaming, but elevated on remote ones, aligning with typical VPN-induced delays of 50-150 ms reported elsewhere for European servers.[63][11]
| Source | Test Year | Average Speed Loss | Latency Notes |
|---|---|---|---|
| CNET | 2025 | 24% overall | Minimal (e.g., 7% loss nearby); stable across OS |
| VPNMentor | 2025 | 27% nearby, 39% distant | <85 ms local; higher distant |
| AllAboutCookies | 2025 | 8% overall | Not specified |