Researchers from KU Leuven have identified significant privacy concerns affecting 85 of the most widely used cryptocurrency wallet browser extensions, revealing that many of these wallets can expose enough information to allow users to be tracked across websites and link multiple wallet addresses belonging to the same individual. According to the study conducted by the university’s DistriNet security group, the extensions collectively account for approximately 35 million users on the Chrome Web Store. The researchers emphasized that these privacy issues are not the result of software vulnerabilities or cyberattacks. Instead, the wallets operate exactly as they were designed, with built in behaviors that unintentionally expose user information. The findings were published in a research paper released this month and are scheduled to be presented at the Privacy Enhancing Technologies Symposium (PETS) 2026 in Calgary later in July. During the research, the team tested real cryptocurrency wallets against active Web3 platforms and identified five major privacy weaknesses that affect the interaction between wallet extensions, websites, and blockchain infrastructure.
One of the primary concerns highlighted in the study involves the ability to connect multiple cryptocurrency addresses belonging to the same user. Many cryptocurrency holders intentionally separate their digital assets across different wallet addresses to improve privacy. However, researchers found that several wallet extensions unintentionally reveal these relationships when communicating with external blockchain servers to retrieve account balances and transaction data. Seventeen wallets were found exposing connections between separate addresses. Thirteen of them transmitted multiple wallet addresses within a single request, while four others sent nearly simultaneous requests that still allowed servers to associate the addresses with one individual. Together, these wallets represent roughly 23 million installations. The study also found that websites can detect which wallet extensions are installed in a user’s browser because many wallets automatically identify themselves to every webpage. This behavior was observed in 36 of the 85 wallets tested, representing about 82 percent of the installations included in the research. Researchers explained that this creates a unique browser fingerprint that remains available even if users never connect a wallet or block browser cookies.
The study also examined how wallet connections are managed after users disconnect from cryptocurrency websites. Researchers discovered that logging out often does not fully remove a website’s access to a user’s wallet address. Among 30 popular Web3 applications tested, only 11 properly sent a command instructing wallets to revoke access after users selected disconnect or logout. The remaining applications simply updated their own interface without removing authorization. Even when proper revocation requests were issued, 22 of the 36 affected wallets continued to provide access to wallet addresses. This permission remained active even after cookies were deleted and browsers were restarted, allowing websites to continue reading wallet addresses until users manually removed site permissions through the wallet’s connected sites settings. Another privacy issue involved cross site tracking. Researchers found that 23 of the same 36 wallets could expose wallet addresses through embedded website frames if a previously authorized crypto application was loaded within another webpage. In this scenario, a shared tracking script operating across multiple websites could retrieve a wallet address without requiring additional user interaction. If that address were associated with personal details such as a user’s name or email address collected elsewhere, anonymous blockchain activity could potentially be connected to a real world identity, revealing transaction history, balances, and digital asset holdings.
The researchers advised users to regularly review and remove permissions granted to websites they no longer use, although they acknowledged this only addresses one of the identified issues. They also recommended separating different cryptocurrency activities across multiple wallets or browser profiles to improve privacy. The broader fixes, however, require changes by wallet developers. Before publishing the research, the team privately disclosed the cross site tracking issue to affected wallet providers. By a follow up evaluation conducted in February 2026, Coinbase Wallet, Coin98, and Hana Wallet had implemented fixes. Other wallet developers responded differently. MetaMask described the behavior as a known issue and indicated that changing it could affect compatibility with many Web3 applications. Rabby argued that the attack scenario required the same malicious script to operate across multiple websites and therefore did not consider it a vulnerability. OKX classified the finding as informational because it did not directly result in stolen funds, while Bybit, Backpack, and Core categorized it as low risk or outside their security programs. The research builds upon earlier work published in 2023 that first identified wallet address leaks to external servers, but expands the analysis by demonstrating how built in wallet behavior can enable cross site tracking and identity exposure without exploiting software flaws. The researchers noted that improving user privacy will require wallet extensions to limit exposure within embedded website frames and establish clearer industry standards for how wallet disconnection and permission revocation should function.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.