VYPR
researchPublished Jul 14, 2026· 1 source

Crypto Wallet Extensions Leak User Data, Enabling Cross-Site Tracking and Identity Linking

A study of 85 popular crypto wallet browser extensions has revealed significant privacy vulnerabilities, allowing for the linking of separate user addresses and cross-site tracking.

Researchers from KU Leuven's DistriNet security group have uncovered critical privacy weaknesses in 85 widely-used crypto wallet browser extensions, collectively installed by approximately 35 million users according to Chrome Web Store data. The study, set to be presented at the PETS 2026 privacy conference, found that these wallets, while functioning as designed, leak information that can tie together a user's distinct cryptocurrency addresses and enable tracking across different websites. This capability can potentially de-anonymize users by linking their pseudonymous wallet addresses to real-world identities when combined with data already held by websites.

One primary vulnerability identified is the leakage of address information during routine interactions with blockchain servers. When a wallet sends requests that include multiple addresses belonging to the same user, the server operator can infer that these addresses are linked. The research identified 17 wallets exhibiting this behavior, with 13 directly bundling addresses in a single request and four using rapid, sequential requests as a less obvious indicator. This allows for the creation of a consolidated profile of a user's financial activities across these linked addresses.

Another significant issue relates to the persistence of wallet connections. Even after a user disconnects a wallet from a website, the site may retain the ability to access the user's address. This occurs because many websites fail to send a proper revocation command, and many wallets do not fully sever the connection even when instructed. In 36 of the studied wallets, a script on a previously connected site could still read the user's address, even after clearing cookies or restarting the browser. This persistent access turns the wallet address into a durable tracking tag, unlike ephemeral cookies.

The most far-reaching privacy concern involves cross-site tracking facilitated by wallet extensions. Of the 36 wallets that exhibit persistent connection issues, 23 can leak a user's address even when embedded within an iframe loaded from a different domain. This means a tracking script operating on an ordinary website could leverage a previously established connection to a crypto application to silently retrieve the user's wallet address. If this address is then linked to personal information already known by the tracker, a user's pseudonymous crypto identity can be directly tied to their real-world identity and browsing history.

The implications of this research are substantial for the cryptocurrency ecosystem, where user anonymity and privacy are often considered paramount. The ability to link disparate addresses and track users across the web undermines the perceived privacy of cryptocurrency transactions. Furthermore, the potential to de-anonymize users by connecting wallet activity to personal data creates significant risks for targeted attacks, financial exploitation, and reputational damage.

In response to the findings, researchers disclosed the most critical cross-site tracking vulnerability to affected wallet vendors prior to publication. By February 2026, Coinbase Wallet and Coin98 had implemented fixes. However, many vendors, including MetaMask and Rabby, did not classify the issue as a bug, citing functional requirements or the perceived difficulty of exploitation. MetaMask, for instance, stated that disabling the provider functionality would break too many applications, while Rabby dismissed the risk as "virtually impossible."

For users, mitigation strategies include regularly reviewing and revoking connected site permissions within their wallet settings to prevent stale address tracking. Employing separate wallets or browser profiles for different activities can also enhance privacy. However, the fundamental architectural issues identified by the researchers highlight the need for broader industry-wide changes to address these privacy leaks effectively.

The study underscores a growing tension between the usability and functionality of crypto wallet extensions and the privacy expectations of their users. As the Web3 ecosystem matures, addressing these inherent privacy weaknesses in wallet infrastructure will be crucial for fostering trust and security among its rapidly expanding user base.

Synthesized by Vypr AI