How it works
Mullvad is a flat-rate Swedish VPN run by Amagicom AB out of Gothenburg, in business since 2009. There is no tiered pricing and no upsell. Five euros a month buys a single product: a routed connection to roughly forty server locations, on Mullvad's own WireGuard or OpenVPN stack, with infrastructure running RAM-only. There is no traditional account. When you sign up, the system generates a 16-digit account number, and that number alone authenticates you against the service. Top up with whatever payment rail you can find: credit card, bank transfer, Bitcoin, Bitcoin Cash, Monero, Swish, or a cash-stuffed envelope mailed to a Gothenburg PO box. The Mullvad apps for Linux, macOS, Windows, Android and iOS are open source on GitHub, as is the dedicated Mullvad Browser the company maintains in collaboration with the Tor Project.
KYC & privacy
Signup asks for nothing. There is no email field, no phone field, no name field; the only credential issued is the account number itself, which the user is told to write down somewhere safe. The advertised no-logs policy covers IP addresses, traffic, DNS lookups and connection timestamps, and it has been stress-tested in the open. In April 2023 Swedish National Police Operations executed a search warrant on the Gothenburg office on behalf of a German investigation; after staff demonstrated that the requested records did not exist, officers consulted the prosecutor and left without seizing anything. A .onion mirror of the account portal is published for users who would rather not touch the clearnet.
Strengths and limits
The audit history is the strongest single argument for the service. Cure53 has reviewed the apps and the infrastructure repeatedly since 2018, most recently in a fourth infrastructure audit completed in June 2024, and Assured Security Consultants ran a separate web-application penetration test in 2025. The pricing model is its own form of privacy hygiene: no annual locks to upsell against, no referral bonuses, no churn metrics that depend on identifying the customer. The ceiling is real, though. This is a centralised commercial VPN with servers Mullvad itself operates, not a mixnet or a peer relay, so a user has to take Sweden's jurisdiction and the operator's posture on faith — well-supported faith, but faith. Speed is solid for general browsing and torrenting; the network is smaller than the largest paid providers and less tuned for the latency-sensitive streaming corner.
Verdict
Mullvad is the rare VPN that does the boring things right for seventeen consecutive years: anonymous accounts, cash payments, recurring third-party audits, public source code, and a real-world raid that produced exactly nothing. It is built for users who treat privacy as default infrastructure, not as a feature to upgrade.
For users whose threat model includes warrants, ISPs, and curious advertisers, Mullvad is as close to default-on infrastructure as a commercial VPN gets. The ceiling is its centralisation, not its conduct. Grade: A (9.2/10). Trust: LEGIT.
