Researchers from KU Leuven have identified significant privacy concerns associated with 85 popular crypto wallet browser extensions. The study highlights how these wallets potentially expose user information, creating tracking risks across different websites and linking separate wallet addresses.
Linking of Wallet Addresses
The research team discovered that the way crypto wallets interact with websites and blockchain servers can inadvertently link an individual’s multiple wallet addresses. This linkage allows external parties to track users across different sites, compromising their anonymity. Out of the tested wallets, 17 were found to expose connections between a user’s distinct addresses, affecting roughly 23 million installations.
Such exposure is facilitated when a wallet transmits multiple addresses in a single request or when requests are sent in rapid succession. These practices enable server operators to compile addresses into unified profiles, posing a significant privacy threat.
Inadequate Logout Procedures
Another critical issue identified is the ineffective logout process employed by many crypto wallets. A total of 36 wallets, representing 82% of the sample, were found to announce their presence to websites, creating a unique fingerprint of installed wallets even without user interaction.
When users disconnect from a site, many wallets fail to terminate access properly. Of the Web3 applications tested, only a third effectively revoked permissions. Additionally, even when sites issued revoke commands, many wallets ignored them, allowing continued access to addresses despite user attempts to log out.
Cross-Site Exposure Risks
The researchers also revealed how previously connected wallets could expose user data on unrelated sites. A shared tracking script running on both a crypto app and an ordinary site can extract wallet addresses through hidden frames. If a site holds personal data, this could lead to the de-anonymization of crypto profiles.
This vulnerability underscores the risk of linking wallet addresses to real identities, potentially endangering user privacy by exposing transactions and balances.
The study emphasizes the need for users to manage site permissions actively and adopt separate wallets for different activities. While some wallet providers have addressed these concerns, the researchers’ findings call for broader industry changes to enhance privacy protections.
The study’s insights, which build upon earlier research, demonstrate that the existing wallet designs inherently expose user information. The findings were presented at the PETS 2026 privacy conference in Calgary, pushing for an ecosystem-wide standard to safeguard user data.
