Is Mullvad VPN Safe?
The 2026 Security Audit
People always ask me if Mullvad is safe. It's the wrong question. The right question is: "If the police kick down their door, do they have anything to give them?" I've looked at the architecture, the audits, and the legal history. Here is the answer.
The Short Answer
Is it safe? Yes.
Mullvad is often cited as one of the more privacy‑focused consumer VPNs. Unlike competitors that focus on marketing or streaming, Mullvad focuses entirely on anonymity.
They operate on an account‑number login system and do not require an email address to create an account (unless you choose to share one, e.g., when contacting support). If an agency demands activity logs (traffic, browsing, DNS history, connection timestamps), Mullvad says they don’t have that data. However, they still store some account and configuration data needed to run the service (e.g., your account number and expiry date, and your WireGuard public key plus its internal tunnel IP address as long as that key exists on your account).
(Note: If you are looking for details on speed, streaming performance, and ease of use, you should check our full Mullvad VPN review instead.)
The 2023 Police Search
The Ultimate Stress Test
Theoretical safety is one thing; practical reality is another. On 18 April 2023, the Swedish Police (Polisen) visited Mullvad's Gothenburg offices with a search warrant. They intended to seize computers containing customer data.
Mullvad explained that they do not store customer activity logs and that customer data the police sought did not exist; the police left without taking anything. This event provided a real‑world test of Mullvad’s claims: Mullvad says the police left without seizing anything because the customer activity data they were looking for did not exist.
The No-Logs Policy
Mullvad's logging policy is strict. They do not log traffic, DNS requests, or connection timestamps. But the real security innovation is in how they handle accounts.
Anonymous Accounts
When you sign up, the website generates a random 16-digit number. This number is your account. You do not provide a name, email, or phone number. If you pay via cash or privacy-preserving methods like Monero, you can greatly reduce what’s linkable to your identity — but your bank/merchant/payment provider can still create trails depending on how you fund the payment.
Technical Security
| Protocol | WireGuard (OpenVPN support removed 15 Jan 2026) | WireGuard uses state-of-the-art cryptography (ChaCha20, Poly1305) and has a smaller codebase, making it easier to audit for vulnerabilities. |
| Server Type | RAM-Only (Diskless) | Mullvad has migrated its VPN infrastructure to RAM-only (diskless) servers, so there are no VPN server disks to extract. Mullvad says servers boot from a fresh image on reboot/provisioning with no traces of log files on disk. |
| Encryption | WireGuard: ChaCha20-Poly1305 | WireGuard uses modern authenticated encryption (ChaCha20‑Poly1305). |
| Key Management | Manual rotation (Regenerate/Replace WireGuard key) | WireGuard uses a static keypair plus ephemeral session keys; Mullvad lets you regenerate your WireGuard key (and associated tunnel addressing), which can reduce long-term correlation. |
DAITA & Quantum Resistance
DAITA (Defense against AI‑guided Traffic Analysis) is designed to make traffic analysis harder by shaping traffic patterns (e.g., constant packet sizes) and adding random background traffic. DAITA is only available on selected relays, so you must choose a DAITA-capable relay in the app.
Mullvad supports quantum‑resistant WireGuard tunnels, and since the 2025.2 desktop release it’s enabled by default on desktop (it can still be turned off in settings).
The Sweden Factor
Is Sweden Safe?
Sweden is a member of the 14 Eyes intelligence alliance. This is often cited as a risk factor.
Jurisdiction still matters because it determines what legal powers can be used against a provider. Mullvad argues that Sweden’s Electronic Communications Act (LEK) does not apply to VPN services, so Swedish law does not require VPNs to retain traffic/connection logs — which limits what can be compelled in terms of historical logs. However, Swedish jurisdiction still allows measures like search warrants, and laws can change over time.
Audit History
Mullvad regularly engages external firms to audit their apps and infrastructure. Here are the highlights:
- Published Jan 2026: Account and payment services audit by X41 D‑Sec (engagement performed in 2025; report published in Jan 2026).
- 2025 (Oct): Web app penetration test by Assured AB (published Oct 2025).
- 2024 (Jun): Relay infrastructure audit by Cure53 (published Jun 2024).
- 2021 (Jan): Infrastructure audit write-up by Cure53 (published Jan 2021).
For the full audit archive, see Mullvad’s published audit list. Mullvad currently does not run a bug bounty programme, but it does provide a process for reporting security vulnerabilities responsibly.
FAQs
Does Mullvad protect against malware?
Mullvad offers DNS filtering which can block known malware domains and trackers, but it is not an antivirus. You should still use endpoint protection on your device.
Can the police track me on Mullvad?
Mullvad’s no-logs design and shared exit IPs can make attribution harder. But identification can still happen through other means (e.g., logging into identifiable accounts, device compromise, browser fingerprinting, or traffic correlation).
Why did they remove port forwarding?
Mullvad removed port forwarding in 2023 after sustained abuse. They said it led to law enforcement contact, IP addresses being blacklisted, and hosting providers cancelling service — which negatively affected regular users. Existing forwarded ports were removed by 1 July 2023.
