Katholieke Universiteit Leuven vzw

07/09/2026 | News release | Distributed by Public on 07/09/2026 03:14

KU Leuven researchers expose hidden privacy risks in crypto wallets

Researchers from DistriNet, KU Leuven's computer security research group, have uncovered hidden privacy risks in popular crypto wallets used as browser extensions. They analysed 85 widely used Chrome wallets, together serving around 35 million users worldwide. Their research shows that some wallets can link crypto addresses to one another, make users recognisable even after they believe they have logged out, and in some cases even connect ordinary browsing activity to someone's crypto assets.

People who use cryptocurrencies often do so through a digital wallet: a kind of keychain that gives them access to their crypto accounts and Web3 applications. These applications allow users, for example, to trade, lend or stake cryptocurrencies on online markets. Many users assume they remain anonymous because a blockchain address looks like a random string of characters rather than a name or email address. But that is precisely where the problem lies.

The researchers show that the software users rely on to sign in to Web3 applications can itself leak information. A wallet may, for example, reveal patterns that link several addresses belonging to the same user. As a result, addresses that were meant to remain separate can still be connected to one person. In the study, 17 wallets showed such signals, together accounting for around 23 million users.

A second issue is that "logging out" or "disconnecting" does not always mean access has truly been revoked. In 22 of the 36 Ethereum-compatible wallets studied, a permission remained active even after a Web3 app requested that it be removed. This means a website or script could recognise a user again later, even after cookies were cleared or the browser was restarted.

The most sensitive risk arises when trackers use this information beyond Web3 sites. In 23 of the 36 Ethereum-compatible wallets studied, hidden pages or embedded frames could request wallet information. This could allow a tracker to link ordinary browsing activity - such as reading the news or shopping online - to crypto addresses. If one of those websites also knows a user's name or email address, a pseudonymous crypto profile can suddenly be linked to a real person.

'Managing your own crypto keys gives users control, but not automatically privacy. Our research shows that the Web3 ecosystem needs safer standards and better default settings, so users do not become recognisable without realising it.'

Weihong Wang from KU Leuven's DistriNet group

The consequences can go beyond online tracking. Because transactions and balances on public blockchains remain visible, a leaked wallet address can reveal a great deal about someone's financial activity. This can make users more vulnerable to targeted phishing, scams, extortion or, in extreme cases, even physical threats.

The researchers handled their findings responsibly and informed the wallet developers involved before publication. In a retest in February 2026, Coinbase Wallet and Coin98 had already resolved the issue studied; Hana Wallet also fixed it later. Other major players, including MetaMask, OKX, Trust Wallet, Rabby Wallet, Binance Wallet and Bybit Wallet, responded through their bug bounty programmes.

What can users do?

Users can reduce their risk by manually removing old permissions in their wallet settings, for example under "Connected Sites" or "Permissions". It also helps not to combine different activities with the same wallet or browser profile each time. Still, the researchers stress that the responsibility should not rest with users alone: wallet developers and Web3 platforms must build privacy more firmly into their designs.

The researchers have also built an interactive demo where users can test whether their own wallet is affected by both tracking risks: the permission that lingers after disconnecting and the address leak through trackers on ordinary sites. It runs entirely in the user's browser and stores nothing.

The demo is available via the interactive wallet test.

More information

The research was conducted by Weihong Wang, Yana Dimova, Victor Vansteenkiste, Tom Van Goethem and Tom Van Cutsem from DistriNet, KU Leuven. The paper, The Masks We (Think We) Wear: Privacy Threats of Browser-Extension Wallets in the Web3 Ecosystem, was accepted for the Proceedings on Privacy Enhancing Technologies and is scheduled for PETS 2026, which will take place from 20 to 25 July 2026 in Calgary, Canada.

The research received partial support from the KU Leuven Research Fund and the Cybersecurity Research Program Flanders.

Katholieke Universiteit Leuven vzw published this content on July 09, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 09, 2026 at 09:14 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]