alt Hacker NewsRight, agreed that VPN is the primary mitigation against this from a user perspective. But opsec is hard, especially when the attack can be triggered by a notification when the victim might not be expecting it and might not have VPN enabled (e.g. maybe they only enable VPN when using Discord).
(But notifications are already a bad idea for opsec anyway.)
>But opsec is hard [...]
That's why the attack is contrived. If you have poor opsec you don't need need this attack at all. You can probably get the victim's exact IP by getting him to click on a link, or sending him an email. If he has good opsec he's going to be using a VPN that renders this attack useless. For this attack to be valuable you need a guy who has such good opsec that you can't get his location any other way, but for whatever reason isn't using an always-online VPN.