This week a post titled "Mullvad exit IPs are surprisingly identifying" reached 613 points and 389 comments on Hacker News. A separate thread — "Who owns ExpressVPN, Nord, Surfshark?" — hit 673 points the same day. Together they made for a rough week for the VPN industry: the tools people buy for anonymity are turning into fingerprinting surfaces, while the companies behind them quietly consolidate.
This post is about the first problem — the exit-IP fingerprinting research — and the uncomfortable thing most privacy marketing won't tell you about it: every VPN tunnel has an exit IP. Including ours. Here's what that actually means for how you protect yourself.
What the Mullvad Research Found
The research at tmctmt.com showed that Mullvad's WireGuard exit IPs can act as a stable fingerprinting vector across servers. Because the pool of exit IPs a session draws from is small and predictable, an observer watching from several vantage points can correlate sessions that the user believes are independent. It isn't a bug that gets patched in a point release — it's a property of how shared-exit VPN infrastructure behaves at scale.
That matters because it exposes a gap between the promise of a VPN — that your traffic's origin is obscured — and the reality of how exit-node assignment works once you're one of millions of users sharing the same infrastructure.
Every Tunnel Has an Exit IP — Including Casper's
It would be easy to turn this into a sales pitch by claiming Casper's Cloak doesn't have this problem. We're not going to, because it wouldn't be true. Casper's Cloak includes an encrypted WireGuard tunnel, and like every VPN tunnel, that tunnel terminates at an exit IP. Any product that routes your traffic through a server — ours included — has an exit point that can, in principle, be analyzed. A tool that tells you it has "no exit IP" is either not actually a VPN, or not being straight with you.
So the lesson from the Mullvad research isn't "switch to the one magic VPN with no exit IP." There's no such thing. The lesson is that the tunnel was never the part of your privacy doing the heavy lifting in the first place.
Why "More Than a VPN" Is the Actual Point
A VPN tunnel changes where your traffic appears to come from. It does almost nothing about what's tracking you once it arrives — the ad networks, the cross-app identifiers, the malicious domains, the trackers baked into the apps themselves. That work happens at a different layer entirely.
Casper's Cloak is built around that layer. The encrypted tunnel is one component; the protection that actually reduces your exposure runs alongside it:
On-device threat detection. Real-time analysis of the connections your apps make, flagging phishing and known-malicious domains before they load.
DNS and network filtering. Blocking ad and tracker domains system-wide, across every app — not just inside the browser.
Anti-tracking. Cutting the cross-app identifiers and browsing-pattern analysis that follow you regardless of which exit IP you happen to be on.
Traffic camouflage. Decoy-traffic and obfuscation features ("Phantom Barriers") designed to make traffic-pattern analysis harder.
None of those depend on your exit IP being secret. They keep working whether or not someone can see where your tunnel terminates — which is exactly the property the Mullvad research showed a tunnel alone can't guarantee.
What to Do Right Now
If your privacy setup today is a VPN tunnel and nothing else, the Mullvad research is a good prompt to ask what's actually protecting you once your traffic arrives. The honest answer, for tunnel-only setups, is usually: not much.
Casper's Cloak combines on-device threat detection, DNS and network filtering, anti-tracking, and an encrypted WireGuard tunnel in a single app for iOS, macOS, and Android — one subscription instead of a VPN plus a separate ad blocker plus a DNS filter.
And if the other half of this week's news — who actually owns the big VPN brands — is the part that worries you, that's its own question. We wrote about it in Who Owns Your VPN?