Skip to content

85 crypto wallet extensions put 29 million users at tracking risk, study finds

Study Exposes Severe Leaks and Tracking Risks in 85 Crypto Wallet Extensions
Share this article

Popular cryptocurrency wallet extensions can expose users to address clustering, cross-site tracking and possible real-world identification, according to a KU Leuven study of 85 Chrome extensions representing 35.16 million Chrome Web Store users.

The research found that routine wallet activity can reveal links between addresses users may believe are separate, while inconsistent permission controls can continue exposing previously shared addresses after a user disconnects from a decentralized application.

The study, titled The Masks We (Think We) Wear, identified 5 privacy threats spanning wallet network traffic and browser interactions, showing that exposure can arise during ordinary use without attackers stealing private keys, breaking encryption or manipulating wallet functions.

The paper was published as an arXiv preprint and examined extensions with more than 10,000 users as of November 2025, providing a wide-ranging assessment of privacy risks across the browser-wallet ecosystem.

Routine requests can link separate addresses

Browser-extension wallets regularly send remote procedure call requests to retrieve balances, transaction histories, token data and other blockchain information.

Those requests may contain public wallet addresses and are visible to the external services receiving them, including wallet-operated backends, node providers and other infrastructure companies. When several addresses appear in one request, or requests for different addresses arrive within a short period, the recipient may infer that they belong to the same wallet instance.

Of the 85 wallets studied, 57 produced analyzable address-bearing traffic, while 17 exposed linkability signals that could affect about 23 million users, or 65.4 percent of the study’s user base.

85 crypto wallet extensions put 29 million users at tracking risk, study finds

That matters because blockchain addresses act as persistent public identifiers. Once multiple addresses are connected, an outside party can combine their transaction histories, token holdings and smart-contract activity to build a broader picture of a user’s behavior and wealth.

Wallet detection creates a new fingerprint

The researchers also found that websites may be able to detect combinations of installed wallets without the user connecting one or approving a request.

36 of the 85 extensions exposed an Ethereum-compatible provider that could be discovered through EIP-6963, a standard designed to help websites identify multiple installed wallets. Although those extensions represented 42.4 percent of the sample, they covered 29.08 million users, or about 82 percent of the total.

The study warned that a person’s combination of installed wallets could become a stable browser fingerprint, including for users who block cookies, clear browser storage or have never connected a wallet to the site.

Disconnecting may not end access

Permission revocation emerged as another major weakness.

Among the 36 detectable Ethereum-compatible wallets, 22 failed to remove access correctly after a decentralized application issued a revocation request. Those wallets continued returning previously authorized addresses in later sessions, sometimes even while locked.

85 crypto wallet extensions put 29 million users at tracking risk, study finds

A stale address can become a durable identifier, allowing embedded tracking scripts to recognize a returning user, connect activity across sessions and group additional addresses under the same profile.

85 crypto wallet extensions put 29 million users at tracking risk, study finds

The researchers also tested 30 popular Ethereum applications and found that only 11 issued a wallet revocation request when users clicked disconnect or logout. 27 stored connected addresses in cookies or local storage, while 17 of those failed to remove the data during logout.

Third-party tracking was also widespread, with 19 of the 30 applications contacting at least one analytics or telemetry service and 14 reaching three or more.

Iframe exposure pushes tracking beyond dApps

The most far-reaching risk involved cross-origin iframes, which allow 1 website to embed another page.

23 of the 36 detectable wallets exposed their provider interface inside such frames, covering an estimated 27.76 million users, while 14 continued exposing addresses even when locked. Separately, 18 of the 30 decentralized applications tested could be embedded inside an iframe.

A tracker could therefore place an invisible version of a previously authorized application inside an unrelated website and attempt to retrieve the user’s wallet address. That information could then be combined with browsing activity, shopping behavior, searches or personal details displayed on the site.

In some cases, the process could connect a pseudonymous blockchain identity and its visible holdings to a person’s email address, profile name or other real-world information.

Web3 privacy needs stronger standards

The researchers said wallet developers should stop batching several addresses into single requests, reduce timing-based correlation and limit wallet discovery until users unlock their extensions.

They also called for standardized permission revocation, automatic expiry of old permissions and tighter restrictions on repeated address queries. Wallet providers should be exposed only to top-level, same-origin pages, while decentralized applications should prevent unauthorized iframe embedding.

The findings suggest Web3 privacy depends on more than protecting private keys. Without stronger wallet standards and tighter controls, public addresses intended to function as separate pseudonyms can instead become links connecting a user’s finances, browsing habits and identity.

About The Coin Headlines

The Coin Headlines strives to bring trust into crypto media. At a time when every soundbite and headline can move the markets from red to green and vice-versa, The Coin Headlines promises to bring verified, credible and timely news and analysis from the world of crypto, blockchain, Web3, tech and markets. Founded in 2026, The Coin Headlines is based in the UAE with a team of experienced journalists and editors covering breaking news and updates from around the world.

From covering the biggest events to interviewing some of the most popular KOLs in the industry, The Coin Headlines keeps you informed of the latest trends and insights.

At The Coin Headlines our focus is clear: Real-time news updates, market movements, whale transfers, macroeconomic trends, tech and AI and geopolitical breaking news. The news we report goes through a strict editorial audit before its published to ensure the readers only get verified and credible information. We realize the world of crypto is dynamic, volatile, and many times, confusing. At The Coin Headlines we break down these complex issues into simple articles which cater to not just the experienced trader but also the student and first-time investor who wants to understand the space before committing to it.