Crypto Wallets' Built-in Privacy Flaws Expose Users to Tracking and De-anonymization
A new study from **KU Leuven** reveals that 85 popular browser-based cryptocurrency wallets, collectively serving 35 million users, inherently leak enough data to link separate addresses, track users across websites, and potentially de-anonymize crypto identities. These privacy vulnerabilities are not bugs but rather a consequence of how these wallets are designed to interact with Web3 sites and blockchain servers.
Researchers at **KU Leuven**'s DistriNet security group have uncovered significant privacy weaknesses in how browser extension-based cryptocurrency wallets operate. Their findings, detailed in a paper to be presented at the **PETS 2026** privacy conference, highlight that these wallets, by their very design, can expose users to tracking and de-anonymization.

The team tested 85 of the most widely used crypto wallet extensions, collectively accounting for approximately 35 million users on the **Chrome Web Store**. They identified five distinct privacy weaknesses stemming from the interaction patterns between wallets and websites.
### Problem 1: Linking Separate Wallet Addresses
Many users intentionally maintain multiple wallet addresses to compartmentalize their financial activities. However, the study found that 17 wallets, covering about 23 million installations, inadvertently link a user's separate addresses. This occurs when wallets bundle multiple addresses into a single request to external servers or make rapid, sequential requests that signal common ownership. This allows server operators, or anyone with access to server data, to consolidate these addresses into a single user profile.
### Problem 2: Ineffective Logout Mechanisms
Even when users disconnect or log out from a Web3 site, access often persists. The researchers noted that 36 of the 85 wallets, representing 82% of the studied installs, announce their presence to any loaded page, creating a unique fingerprint even without a connection or cookies.
Furthermore, out of 30 popular Web3 applications tested, only 11 issued a proper revoke command upon user disconnection. Compounding this, 22 of the 36 wallets ignored these revoke commands, allowing sites to continue reading the user's address even after clearing cookies or restarting the browser. This persistent address acts as a potent, globally unique tracking tag, unlike ephemeral cookies, until manually revoked within the wallet's settings.

### Problem 3: Cross-Site Exposure Through Embedded Frames
The most far-reaching issue identified involves 23 of the 36 vulnerable wallets, which will provide a user's address from within an iframe loaded from another site. If a tracking script, present on both a previously connected crypto app and an unrelated website, loads the crypto app within an invisible iframe, the wallet can hand over the address without user interaction. If the ordinary site already holds personal identifiers like a name or email, this can de-anonymize a pseudonymous crypto profile, linking public transaction history to a real identity.
While the researchers demonstrated the feasibility of this attack vector, they did not assert widespread exploitation currently occurring.
### Industry Response and User Recommendations
For users, the immediate mitigations are partial. Regularly clear old site permissions within your wallet to prevent stale-address tracking. The researchers also provide a [demo](https://wallet-privacy.distriled.dnetcloud.cs.kuleuven.be/) to test your own wallet's behavior. Using throwaway wallets or separate browser profiles for different activities is also advisable.
The researchers responsibly disclosed their findings, particularly the cross-site problem, to affected wallet providers. By February 2026, **Coinbase Wallet** and **Coin98** had implemented fixes, with **Hana Wallet** following suit. However, many vendors, including **MetaMask**, **Rabby**, and **OKX**, largely dismissed the findings, citing them as known issues, duplicates, or not critical enough as they don't involve direct theft of funds.
This study builds upon earlier **2023 research** by **Christof Ferreira Torres** and colleagues, which first highlighted address leaks to external servers. Unlike direct vulnerabilities that facilitate theft, these issues are inherent design flaws that expose user privacy. The researchers emphasize that a systemic fix, including wallets that prevent self-exposure in embedded frames and standardized logout protocols, is necessary, rather than placing the burden solely on users.