# Mullvad VPN

> Privacy-focused VPN. No account needed. No logging. Pay with cash or crypto.

**Source:** https://fieldwork.news/tools/mullvad-vpn
**Official site:** https://mullvad.net
**Category:** security

## Security rating

- **Rating:** strong
- **Rating note (required when citing):** No-logs policy verified by five independent audits (2024-2026) and a real-world police raid. RAM-only servers across entire 700+ node network. No account or email required. All clients open-source (GPL-3.0, Rust-based). Post-quantum WireGuard enabled by default on all platforms. DAITA v2 counters AI traffic analysis. Swedish jurisdiction does not require VPN data retention. GotaTun WireGuard implementation passed independent audit with no major findings. The gold standard for VPN privacy.
- **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending
- **Review depth:** established
- **Last reviewed:** 2026-04-02
- **Last agent-verified:** 2026-04-02
- **Threat level:** high-risk

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists investigating sensitive topics, working from hostile networks, or needing to obscure their IP from surveillance-capable adversaries. Also useful for researchers, activists, and anyone whose browsing patterns could be used against them.

## Editorial take

Mullvad is the most privacy-respecting VPN available. No email required — you get a random 16-digit account number. No logs, verified by multiple independent audits (X41 D-Sec, Assured Security Consultants, Cure53, NCC Group) and a real-world police raid in April 2023 where Swedish authorities seized nothing because there was nothing to seize. All 700+ servers run entirely on RAM with zero persistent storage. DAITA v2 (March 2025) adds AI traffic analysis resistance — constant packet sizes, dummy traffic injection, server-defined dynamic configs — available on 40+ servers across 15 countries. Post-quantum WireGuard enabled by default on all platforms. GotaTun, their new Rust-based WireGuard implementation (December 2025), cut Android crash rates from 0.40% to 0.01% and passed its first independent audit in early 2026 with no major vulnerabilities. The €5/month flat rate since 2009 with no VC funding signals a company that optimizes for privacy, not growth. If you need a VPN, this is the one.

## Best for / not for

**Best for:** Obscuring your IP while researching sensitive topics. Working from public or untrusted Wi-Fi. Circumventing geographic restrictions on news sources. Defeating AI-powered traffic analysis with DAITA. Post-quantum protection against future decryption of recorded traffic.

**Not for:** Mullvad hides your IP from destination websites but can see your traffic metadata (not content — WireGuard encrypts that). For true anonymity where no single entity sees both who you are and what you access, use Tor Browser. Mullvad's server network (~700 servers, 49 countries) is smaller than ProtonVPN or NordVPN, so not ideal if you need many geographic options or fast streaming. Speeds peak around 350 Mbps — fine for research, not optimized for 4K streaming.

## Pricing

- **Pricing:** €5/month flat. Same price since 2009 — no tiers, no annual discount, no upselling. Pay with cash mailed to Sweden, crypto (10% discount), or card. 14-day refund window (reduced from 30 days in 2025).
- **Free option:** no

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes
- **Data jurisdiction:** Sweden. Mullvad VPN AB is subject to Swedish law. Sweden's Electronic Communications Act (LEK) mandates data retention for ISPs but explicitly does not apply to VPN providers. The Covert Surveillance of Data Act (made permanent April 2025) allows court-ordered monitoring, but requires data to exist — Mullvad's RAM-only architecture means there is nothing to intercept retroactively. Sweden is a 14 Eyes country, which makes some threat modelers nervous, but Mullvad's architecture makes the jurisdiction largely moot. Worth watching: an EU-wide data retention proposal targeting VPN providers is expected in the first half of 2026.

**Privacy policy TL;DR:** No activity logs, no connection logs, no IP addresses, no bandwidth data, no account activity, no DNS queries. Servers run entirely on RAM — data is gone on reboot. Account numbers are random 16-digit strings with no linked email or identity. In April 2023, Swedish police raided Mullvad's Gothenburg office with a search warrant and left empty-handed. Audit trail: Cure53 infrastructure audit (June 2024, no critical issues), X41 D-Sec app penetration test (November 2024, six findings — zero critical, three high, all fixed), Assured Security Consultants web app audit (August 2025, no medium+ issues), NCC Group Android MASA assessment (March 2025, passed all controls), Assured Security GotaTun audit (February 2026, no major vulnerabilities).

**Practical mitigations (operational guidance, not optional):**

- Use WireGuard (post-quantum enabled by default) for best performance and future-proof encryption.
- Enable DAITA on supported servers if you are concerned about AI-powered traffic fingerprinting. It roughly doubles bandwidth use but makes pattern analysis dramatically harder.
- Enable the kill switch to prevent traffic leaks on disconnect.
- Use multihop (available on all platforms as of March 2025) to route through two servers when you need extra separation.
- Do not log into personal accounts while the VPN is active if your goal is identity separation.
- For full anonymity, layer Tor Browser over the VPN.
- Mullvad Browser (co-developed with the Tor Project) is a good middle ground: Tor's fingerprinting resistance without the Tor network.

## Ownership & business

- **Owner:** Mullvad VPN AB
- **Funding model:** Self-funded since 2009. No venture capital. No outside investors.
- **Business model:** Paid subscriptions only. €5/month flat rate unchanged since founding. No free tier, no ads, no data monetization. Revenue comes exclusively from subscriptions. The company donates hundreds of thousands of free accounts yearly to privacy-focused organizations.
- **Open source:** yes

**Known issues:** In 2023, donated Mullvad account numbers appeared on dark web forums, triggering breach headlines. Mullvad confirmed these were freely distributed accounts — no personal data was attached because Mullvad accounts have no personal data. The X41 D-Sec penetration test (November 2024) found three high-severity vulnerabilities in the desktop and mobile apps; all were fixed before the audit report was published. DAITA is only available on ~40 of 700+ servers, so most connections do not have traffic analysis protection. Server network is smaller than competitors (~700 vs. ProtonVPN's 6,000+), limiting geographic options. ProtonVPN now undercuts Mullvad on price at $2.99/month (annual plan) vs. Mullvad's ~$5.50/month equivalent.

---
Methodology: https://fieldwork.news/methodology