Researchers at KU Leuven tested 85 of the most popular crypto wallets that run as browser extensions and found that the wallets themselves leak enough to link and track the people using them.

The way these wallets talk to websites and blockchain servers can tie a person's separate addresses together and let outsiders follow them from site to site. And on a site that already holds a name or email, the same leaks can put a real name to an "anonymous" crypto identity.

This is not a hack. The wallets behave exactly as they were built to. The 85 extensions together have about 35 million users listed on the Chrome Web Store.

The team, from the university's DistriNet security group, posted the paper this month and will present it at the PETS 2026 privacy conference in Calgary in late July.

They ran real wallets against real Web3 sites and mapped out five privacy weaknesses in how wallets and websites interact. When they reported the most far-reaching one to the wallet makers before publishing, most declined to call it a bug at all.

Problem 1: Your separate addresses get linked

Many people keep several wallet addresses on purpose, to keep parts of their financial life apart. That only works if nobody can tell the addresses belong to the same person. But to show your balance, a wallet constantly pings outside servers, and those requests carry your address, in the clear, to whoever runs the server.

When a wallet puts two of your addresses in one request, that server learns they are yours. Seventeen wallets exposed connections between a user's separate addresses. Thirteen did it the obvious way, bundling two addresses into one request. Four more gave themselves away by firing separate requests within milliseconds of each other, a weaker but still useful signal.

Together, those wallets cover about 23 million of the installs studied. Whoever runs the server, or anyone who later gets its data, can stitch the addresses into one profile.

Problem 2: Logging out often doesn't log you out

This problem and the next one share a starting point: a website can tell which wallets you have installed. Each wallet announces itself to any page it loads, so a script can read the exact set you carry, a fingerprint that works even if you never connect a wallet and even if you block cookies.

The researchers found that 36 of the 85 wallets do this, and their users make up about 82% of the installs studied. Those same 36 are the group behind the numbers below.

When you connect a wallet to a site and later disconnect, you assume the site loses access. Often it doesn't, for two separate reasons.

First, many sites never actually tell the wallet to cut off access. Of the 30 popular Web3 apps the team tested, only 11 sent a real revoke command when a user clicked Disconnect or Logout. The rest just cleared their own screen.

Second, even when the command is sent, many wallets ignore it. In 22 of those 36 wallets, the site could still read your address after asking the wallet to revoke it, and that access survived clearing cookies and restarting the browser.

That makes the address a powerful tracking tag. It is globally unique, and unlike a cookie, it does not disappear when you clear your browser. The stale permission sits inside the extension until you open the wallet's "Connected Sites" list and remove the site by hand; until then, a script on the page keeps reading the address in the background.

Problem 3: A wallet you once connected to can expose you on other sites

The last problem reaches the furthest. Of those same 36 wallets, 23 will hand out your address from inside a frame that one page has loaded from another site. On its own, that does nothing. The catch is what a shared tracker can do with it.

Say the same tracking script runs on a crypto app you once connected to and on an ordinary, unrelated website. On the ordinary site, the tracker quietly loads that crypto app inside an invisible frame.

The app's page was already authorized by the wallet, and these wallets answer from inside the frame, so the wallet hands the address back to the script with no click from the user. The app has to allow being embedded for this to work, though plenty of them do.

Link that address to a name or email the site already has on file, and a pseudonymous crypto profile turns into a named person. A wallet address is a public record of its balances, transactions, and token holdings. Tie that to a real identity and a browsing history, and an attacker has a named target whose money is now in view.

The researchers showed this path is real and usable; they did not claim trackers are already running it at scale.

What to do, and how the industry responded

For users, the fixes are only partial. Open your wallet and clear out old site permissions you no longer use. That stops the stale-address tracking from Problem 2, but it does nothing about the address leaks to servers or the installed-wallet fingerprint.

The researchers' demo shows how your own wallet behaves; it runs in your browser and, they say, stores nothing. Use a throwaway wallet to be safe. It also helps to keep different activities on separate wallets or browser profiles. The bigger fixes are out of users' hands.

The researchers focused their disclosure on that cross-site problem and told the affected wallet makers before publishing. By a February 2026 retest, Coinbase Wallet and Coin98 had already fixed it, and Hana Wallet did so later. But of the eight vendors the paper says replied through their bug bounty programs, most declined to treat it as a bug.

MetaMask called it a known issue, closed the report as a duplicate, and said it had no immediate plans to stop injecting its provider because that would break too many apps.

Rabby said the attack would need the same malicious script running on two sites at once, calling that "virtually impossible," and concluded that "the vulnerability does not exist." OKX agreed the finding was technically correct, but closed it as informational because it exposes data without stealing money.

Bybit, Backpack, and Core called it low-risk or out of scope. The full replies are published in the researchers' repository.

The study builds on 2023 research by Christof Ferreira Torres and colleagues, who first showed browser wallets leaking addresses to outside servers. This work catches leaks that earlier tools missed, maps out the cross-site tracking, and shows how the same leak could be used to unmask people.

Where scanners like WalletRadar and WalletProbe hunt for outright bugs, this paper shows that a wallet does not need a bug to expose you. That sets it apart from the fake wallet extensions caught stealing keys last year. There, criminals stole. Here, nothing is stolen, and the leak is built in.

The paper went up on arXiv on July 7 and is set for presentation at PETS 2026 in Calgary, July 20 to 25. For now, the wallets work as designed, and several of their makers have said, in effect, that the design is fine.

The real fix is not another warning to users. It is wallets that stop exposing themselves inside embedded frames, and an ecosystem standard that says what logging out must actually do.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.