Full Report
Researchers at KU Leuven tested 85 of the most popular crypto wallets that run as browser extensions and found that the wallets themselves leak enough to link and track the people using them. The way these wallets talk to websites and blockchain servers can tie a person's separate addresses together and let outsiders follow them from site to site. And on a site that already holds a name or
Analysis Summary
# Research: Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks
## Metadata
- **Authors**: Researchers from the DistriNet security group (Specific authors include those listed on the associated arXiv paper 2607.06141)
- **Institution**: KU Leuven
- **Publication**: Privacy Enhancing Technologies Symposium (PETS) 2026
- **Date**: July 14, 2026 (News Review); July 2026 (Conference Presentation)
## Abstract
This research evaluates the privacy posture of 85 popular cryptocurrency wallet browser extensions, representing over 35 million installations. The study identifies systemic privacy weaknesses that allow for the linking of disparate user addresses, deanonymization of users via cross-site tracking, and the persistence of unauthorized access despite user "logout" actions. The findings suggest that the architectural design of Web3 wallets inherently facilitates tracking and identity mapping.
## Research Objective
The study aims to answer how the interaction between browser-based crypto wallets, decentralized applications (dApps), and blockchain backend servers compromises user anonymity and financial privacy.
## Methodology
### Approach
The researchers employed a dynamic analysis approach, running 85 real wallet extensions against 30 popular Web3 applications to observe network traffic, API calls, and state changes.
### Dataset/Environment
- **Wallets**: 85 of the most popular Chrome-based crypto wallet extensions (35 million+ total users).
- **Websites**: 30 high-traffic Web3 applications.
- **Environment**: Controlled browser environments to capture requests between wallets and blockchain nodes.
### Tools & Technologies
- Network interception tools (to map wallet-to-server requests).
- Custom scripts to test wallet "revocation" commands and post-logout accessibility.
- Invisible iFrames for testing cross-site tracking vulnerabilities.
## Key Findings
### Primary Results
1. **Address Linking**: 17 wallets (covering 23 million users) link a user's supposedly separate addresses by bundling them into a single request or firing near-simultaneous requests to the same server.
2. **Persistent Access ("Zombie" Permissions)**: 22 out of 36 tested wallets failed to revoke site access even after a user clicked "Disconnect" or "Logout." This access survived browser restarts.
3. **Cross-Site Tracking**: 23 wallets allow a tracking script on a "clean" site to retrieve the user's wallet address by loading a previously authorized Web3 site in an invisible frame.
4. **Fingerprinting**: 36 wallets broadcast their presence to every website loaded, creating a unique fingerprint even if the user never connects the wallet.
### Supporting Evidence
- **Scale**: The vulnerabilities affect wallets representing approximately 82% of the studied user base.
- **Protocol Failure**: Only 11 of 30 tested Web3 apps actually issued a proper "revoke" command when users logged out.
### Novel Contributions
- Identified the **"Silent Frame" Attack**: Demonstrating how trackers can use iFrames to pull wallet addresses from authorized sites to deanonymize users on unrelated pages.
- Highlighted the **Architecture Paradox**: Proved that current Web3 privacy relies on "security by obfuscation" that is easily bypassed by server-side logging.
## Technical Details
The research details how wallets communicate with RPC (Remote Procedure Call) nodes. When a wallet refreshes balances for multiple accounts, it often optimizes performance by batching requests. If these batches contain multiple public keys, the RPC provider gains a definitive link between those identities. Furthermore, the researchers found that most wallets do not utilize a "sandbox" for permissions—once a site is authorized, it remains in an internal "allow-list" in the extension's local storage, which many wallets fail to clear upon a programmatic "disconnect" request.
## Practical Implications
### For Security Practitioners
- **Identity Correlation**: Wallet addresses should be treated as PII (Personally Identifiable Information) because they can be easily linked to browser fingerprints and real-world identities.
- **Privacy Audit**: Companies using Web3 integrations must verify that their "Logout" functions actually trigger extension-side revocation.
### For Defenders
- **Extension Management**: Users should use "Burner" browser profiles for crypto activities to prevent cross-site tracking on their primary browsing profile.
- **Manual Revocation**: Do not rely on "Disconnect" buttons; manually remove site permissions within the wallet extension’s settings.
### For Researchers
- **RPC Privacy**: There is a need for research into privacy-preserving RPC protocols (e.g., mixnets or zero-knowledge queries) to prevent server-side address linking.
## Limitations
- The study focuses primarily on Chrome-based extensions; behavior might differ in Safari or Firefox (though the underlying logic remains similar).
- The "Silent Frame" attack requires the dApp to allow being embedded in an iFrame (lack of strict X-Frame-Options or CSP).
## Comparison to Prior Work
While previous research focused on blockchain ledger analysis (on-chain privacy), this study shifts the focus to the **Application Layer**, proving that even if the blockchain is private, the interface (the wallet) leaks identity data.
## Real-world Applications
- **Marketing & Tracking**: Malicious or aggressive ad-tech networks can use these leaks to build "financial profiles" of web users.
- **Targeted Attacks**: Attackers can identify "whales" (high-balance users) and link their wealth to their real-world identities for phishing or physical threats.
## Future Work
- Developing standardized protocols for "Hard Logout" that force wallet extensions to clear state.
- Investigating if mobile-based "WalletConnect" protocols exhibit similar address-bundling behaviors.
## References
- [KU Leuven DistriNet Research Group](https://distrinet.cs.kuleuven.be/)
- [https://arxiv.org/abs/2607.06141](https://arxiv.org/abs/2607.06141)