There are hidden privacy risks in crypto wallets that run as browser extensions. Researchers from DistriNet, KU Leuven’s security group, discovered the vulnerabilities. They examined 85 popular Chrome wallets, which collectively serve about 35 million users. The software itself appears to leak sensitive information.
A blockchain address consists of a random string of characters, thereby keeping users anonymous. But according to the study, the software people use to log in to Web3 applications is itself leaking information. In 17 of the wallets examined—representing approximately 23 million users—different addresses belonging to the same person could be linked together.
The researchers did not find a one-time leak or a hacked extension, but rather systemic design flaws, as the blog of KU Leuven explains. The study is titled ‘The Masks We (Think We) Wear‘ and has been accepted for the PETS 2026 symposium, which will take place in Calgary, Canada, at the end of July. Privacy technology is the main topic at this conference.
Logging out doesn’t always work
A second problem concerns something users take for granted: logging out. This does not always mean that access is actually revoked. In 22 of the 36 Ethereum-compatible wallets tested, previously granted permission remained in effect, even after clearing cookies or restarting the browser.
In addition, for 23 of those 36 wallets, the researchers were able to retrieve wallet information from hidden pages or windows. This links ordinary browsing activity to crypto addresses. If a website also has a name or email address on file, a pseudonymous crypto profile can be linked to a real person.
To mitigate risks, the researchers recommend removing old permissions from wallet settings. The researchers notified the affected wallet developers of the privacy leaks, and the developers are taking action to resolve the issues or have already done so. The affected developers are Coinbase Wallet, Coin98, Hana Wallet, MetaMask, OKX, Trust Wallet, Rabby Wallet, Binance Wallet, and Bybit Wallet.
Beyond Tracking
The consequences extend beyond online tracking, the researchers warn. A leaked wallet address can expose financial activity and make users more vulnerable to phishing, scams, and extortion. The DistriNet study shows that even legitimate, uncompromised wallets reveal privacy-sensitive data.
The researchers recommend that users manually remove old permissions in their wallet settings. At the ecosystem level, they advocate for consistent revocation of permissions and reduced exposure of the provider interface to external iframes.
See also: Coinbase Hack Highlights Crypto Industry’s Vulnerability