Is Mullvad Safe? Security, Privacy & Audit Analysis
Is Mullvad Safe? A Direct Assessment
Mullvad scores 86/100 on our trust index. It operates under Swedish jurisdiction, charges a flat €5/month with no accounts, and enforces a verified no-logs policy. Independent audits by Cure53 and Assured AB confirmed minimal vulnerabilities. Mullvad stores zero connection logs, traffic data, or personally identifiable information on its 700+ servers across 50+ countries.
Swedish Jurisdiction and Legal Data Requests
Sweden belongs to the 14 Eyes intelligence-sharing alliance. That sounds alarming at first glance. In practice, the legal framework tells a more nuanced story for VPN providers.
Swedish law does not require VPN companies to retain user data. Mullvad has no mandatory data retention obligation under current Swedish telecommunications regulations. This means authorities can issue requests, but Mullvad has nothing stored to hand over.
In April 2023, Swedish police physically entered Mullvad’s office in Gothenburg with a search warrant. Officers intended to seize computers containing customer data. Mullvad staff explained no customer data existed on any machines, and police left empty-handed. That real-world test proved the no-logs policy holds under legal pressure.
Independent Audit History
Mullvad has completed multiple third-party security audits. Each audit examined different parts of the infrastructure and client applications.
Cure53 Audit (2020)
Cure53, a Berlin-based penetration testing firm, audited the Mullvad VPN apps in 2020. The team identified 7 vulnerabilities total: 2 rated medium severity, 5 rated low severity. Mullvad patched all 7 issues before publishing the full audit report publicly on its website.
Assured AB Audit (2023)
Assured AB conducted an infrastructure audit of Mullvad’s servers and internal systems in 2023. The assessment covered server configurations, encryption implementation, and data handling procedures. Results confirmed that Mullvad’s infrastructure matched its public no-logs claims. No critical vulnerabilities were discovered during this engagement.
Cure53 App Audit (2023)
Cure53 returned for a second round in 2023, focusing on updated app code. This follow-up found fewer issues than the 2020 audit. Mullvad addressed all findings and again released the complete report for public review.
Publishing full audit reports is uncommon in the VPN industry. Mullvad does not redact findings or cherry-pick favorable results. That transparency adds significant weight to its security claims.
Logging Policy: What Mullvad Stores and Doesn’t Store
Data Mullvad Does Not Collect
Mullvad does not log traffic data, connection timestamps, session durations, or IP addresses. It stores no DNS queries, bandwidth usage records, or VPN server assignments. Account activity remains completely unlinked to browsing behavior or connection metadata.
Data Mullvad Does Process
Mullvad processes the total number of simultaneous connections per account (capped at 5). This counter exists in real time and is not written to any persistent storage. The moment you disconnect, that counter decrements. No historical record persists.
Mullvad also processes short-term aggregate server load data for performance optimization. This data contains zero user-identifiable information and rotates automatically.
The Account System
Mullvad generates a random 16-digit account number. No email, no name, no password required. You can pay with cash mailed in an envelope, Bitcoin, or Monero. This design eliminates personally identifiable information from the signup process entirely.
Encryption Standards and Protocols
Mullvad supports two protocols: WireGuard and OpenVPN. Both implementations use strong, well-reviewed cryptographic standards.
WireGuard Implementation
WireGuard uses ChaCha20 for symmetric encryption, Curve25519 for key exchange, and BLAKE2s for hashing. Mullvad defaults to WireGuard on all platforms. Connection handshakes complete in under 100 milliseconds on most networks.
OpenVPN Implementation
OpenVPN connections use AES-256-GCM for data channel encryption. Key exchange relies on RSA-4096 certificates with SHA-512 authentication. Mullvad configures OpenVPN with tls-auth to prevent fingerprinting and DDoS attacks on the VPN tunnel.
Quantum-Resistant Tunnels
Mullvad added post-quantum key exchange to WireGuard tunnels in 2023. This feature layers Classic McEliece and Kyber key encapsulation on top of standard WireGuard cryptography. Mullvad was the first commercial VPN to ship this feature across desktop platforms.
Kill Switch and DNS Leak Protection
Kill Switch Behavior
Mullvad’s kill switch activates by default on all platforms. It blocks all internet traffic when the VPN tunnel drops unexpectedly. The implementation operates at the firewall level, not the application level. This prevents leaks even if the Mullvad app crashes entirely.
On Linux, Mullvad uses nftables rules to enforce traffic blocking. On Windows, it modifies the Windows Filtering Platform. On macOS, it uses packet filter rules. Each implementation prevents both IPv4 and IPv6 leaks simultaneously.
DNS Leak Protection
Mullvad routes all DNS queries through its own encrypted DNS servers. The app blocks system DNS requests that attempt to bypass the tunnel. Mullvad operates DNS servers on every VPN server location, resolving queries locally without forwarding to third parties.
Users can also configure custom DNS within the app. Even with custom DNS, queries still travel inside the encrypted tunnel. Independent leak tests consistently show zero DNS, WebRTC, or IPv6 leaks across all Mullvad clients.
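The kill switch and DNS leak claims above can be checked from a packet capture taken on the host. The following is an added example, not Mullvad's code or test tooling: it classifies capture records and flags anything that leaves outside the tunnel. The interface names, the relay endpoint and the capture rows are constructed assumptions using documentation address ranges.

```python
import ipaddress

TUNNEL_IF = "wg-tunnel"                          # hypothetical tunnel interface name
VPN_ENDPOINT = ("203.0.113.10", "udp", 51820)    # hypothetical relay endpoint

# Constructed capture rows: (interface, destination IP, protocol, dest port).
CAPTURE = [
    ("wg-tunnel", "198.51.100.7", "tcp", 443),   # web traffic inside the tunnel
    ("wg-tunnel", "10.0.0.1", "udp", 53),        # DNS query inside the tunnel
    ("eth0", "203.0.113.10", "udp", 51820),      # the encrypted tunnel itself
    ("eth0", "192.0.2.53", "udp", 53),           # DNS sent outside the tunnel
    ("eth0", "2001:db8::15", "tcp", 443),        # IPv6 sent outside the tunnel
    ("lo", "127.0.0.1", "tcp", 8080),            # loopback, never leaves the host
]

def classify(pkt, tunnel_if=TUNNEL_IF, endpoint=VPN_ENDPOINT):
    """Return None for expected traffic, otherwise a leak label."""
    iface, dst, proto, port = pkt
    ip = ipaddress.ip_address(dst)
    if iface == tunnel_if or ip.is_loopback:
        return None
    if (dst, proto, port) == endpoint:
        return None                  # carrier packets to the VPN relay
    if port in (53, 853):
        return "dns-leak"            # plain DNS or DNS-over-TLS off-tunnel
    return "ipv6-leak" if ip.version == 6 else "ipv4-leak"

def find_leaks(capture):
    """List (label, packet) for every record that bypassed the tunnel."""
    return [(label, pkt) for pkt in capture if (label := classify(pkt))]

if __name__ == "__main__":
    for label, pkt in find_leaks(CAPTURE):
        print(label, pkt)
```

With a working firewall-level kill switch, the same check run while the tunnel is down should return no rows other than attempts to reach the relay endpoint.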
Past Security Incidents
Police Raid (April 2023)
Six officers from the Swedish National Police entered Mullvad’s Gothenburg office. They carried a district court search warrant seeking customer information. Mullvad’s CEO explained the company stores no customer data. Police seized no equipment and left after Mullvad’s legal team challenged the warrant’s applicability.
No Known Data Breaches
As of the latest audit cycle, Mullvad has reported zero data breaches. No user data has appeared in leaked databases. No credential stuffing attacks apply because Mullvad uses no passwords or email addresses. The 16-digit account number system limits attack surface substantially.
Vulnerability Disclosures
Mullvad maintains an active bug bounty approach and publishes security advisories on its blog. All vulnerabilities found during audits received patches within weeks of discovery. The company has not experienced any zero-day exploitation of its production infrastructure.
Unique Security Features
DAITA (Defense Against AI-Guided Traffic Analysis)
Mullvad developed DAITA to counter traffic analysis attacks. This feature pads packets to uniform sizes and injects decoy traffic patterns. It prevents adversaries from identifying which websites users visit based on traffic fingerprints.
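A toy model of the two mechanisms named above, showing why uniform packet sizes alone are not enough and decoy traffic is also needed. This is an added example, not Mullvad's DAITA implementation; the cell size, the traces and the function names are constructed assumptions.

```python
from collections import Counter

CELL = 1280  # assumed uniform packet size in bytes (constructed value)

# Constructed packet-size traces for two sites, as seen on the encrypted link.
SITE_A = [310, 1420, 1420, 1420, 640, 1420, 98]
SITE_B = [310, 540, 1420, 212]

def fingerprint(trace):
    """What a passive observer can record: packet count and size histogram."""
    return len(trace), tuple(sorted(Counter(trace).items()))

def pad(trace, cell=CELL):
    """Split or pad every packet so only cell-sized packets go on the wire."""
    out = []
    for size in trace:
        out.extend([cell] * -(-size // cell))   # ceil(size / cell) cells
    return out

def add_decoys(trace, target_len, cell=CELL):
    """Append dummy cells until the trace reaches a fixed length."""
    return trace + [cell] * max(0, target_len - len(trace))

def defended(trace, target_len=16):
    """Apply both mechanisms: uniform sizes, then decoys up to target_len."""
    return add_decoys(pad(trace), target_len)

if __name__ == "__main__":
    print("raw:     ", fingerprint(SITE_A) != fingerprint(SITE_B))
    print("padded:  ", fingerprint(pad(SITE_A)) != fingerprint(pad(SITE_B)))
    print("defended:", fingerprint(defended(SITE_A)) != fingerprint(defended(SITE_B)))
```

Padding removes the size histogram but the packet count still separates the two traces; only after decoys are added do the fingerprints match. Packet timing is not modelled here.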
Encrypted DNS Over HTTPS (DoH)
Mullvad offers a public DoH service at dns.mullvad.net. Users can encrypt DNS queries even without the VPN running. The service includes optional ad-blocking and tracker-blocking DNS profiles.
Diskless RAM-Only Servers
Mullvad runs its entire server fleet in RAM-only mode. No hard drives exist in the servers. Every reboot wipes all data completely. This architecture ensures that physical server seizures yield zero usable information.
Multihop Routing
Users can route traffic through 2 separate VPN servers in different countries. This adds a second encryption layer and separates the entry point from the exit point. Multihop is configurable directly within the app without manual setup.
Frequently Asked Questions
Does Mullvad Keep Logs?
Mullvad keeps zero persistent logs. No traffic logs, connection timestamps, IP addresses, or session data touch disk storage. Two independent audits verified this claim. The RAM-only server infrastructure ensures even temporary data vanishes on reboot. The 2023 police raid on Mullvad confirmed that no user data existed to seize.
Has Mullvad Been Hacked?
Mullvad has not been hacked. No data breaches or unauthorized access events have been publicly reported or discovered during audits. The passwordless account system and RAM-only servers reduce the attack surface below that of typical VPN providers. Cure53 found no critical vulnerabilities during either the 2020 or 2023 audits.
Is Mullvad Trustworthy?
Mullvad demonstrates trustworthiness through repeated independent audits, full report transparency, and a real-world legal test. The company publishes its source code openly on GitHub. It accepts anonymous cash payments. It survived a police search without yielding any data. These verified actions carry more weight than marketing promises.
Can Mullvad See My Data?
Mullvad cannot see your browsing data. Traffic inside the VPN tunnel uses AES-256 or ChaCha20 encryption. Mullvad’s servers process encrypted packets but do not inspect, record, or store content. The RAM-only architecture prevents any temporary processing data from persisting beyond the active session.
The Bottom Line on Mullvad’s Security
Mullvad earns its 86/100 trust score through architecture, not promises. RAM-only servers, account anonymity, published audit reports, and a verified police raid outcome set it apart. The €5/month flat rate with no trials or discounts reflects a company focused on service rather than subscriber volume. For users who prioritize privacy verification over feature count, Mullvad remains one of the strongest options available across its 700+ servers in 50+ countries.