Crypto Wallets Are Leaking Identity Data By Design, Researchers Say
A study of 85 browser-based wallets reveals systemic privacy flaws that allow for cross-site tracking and the de-anonymization of users.
Security researchers from the DistriNet group at KU Leuven have uncovered significant privacy shortcomings within the architecture of 85 popular browser-based cryptocurrency wallets. Rather than traditional software vulnerabilities, these issues are rooted in the fundamental design of how wallets communicate with websites, effectively enabling third-party entities to track individuals across the internet and potentially link pseudonymous wallet addresses to real-world identities.
The Mechanics of Passive Tracking
The research demonstrates that wallets often act as a beacon for tracking scripts. Because many extensions automatically announce their presence to any page a user visits, a website can easily generate a unique fingerprint of a user’s installed wallet suite, regardless of whether a connection has been established. This baseline visibility is compounded by a lack of rigorous session management; many Web3 applications fail to issue proper revocation commands, and even when they do, a significant number of wallets ignore these requests, leaving a persistent identifier exposed to any script running on the page.
Perhaps most concerning is the capacity for cross-site tracking via invisible frames. If a user connects a wallet to a site, that wallet may inadvertently answer requests from within embedded frames on other, unrelated websites. By leveraging shared tracking scripts, a third party can correlate these address leaks with known data points, such as an email address, effectively unmasking a user's financial activity.
Quantifying the Privacy Exposure
- 35 million users are represented by the 85 extensions evaluated in the study.
- 17 wallets were found to leak information that directly links a user's separate financial addresses.
- 36 of the 85 wallets, representing 82% of the installs, actively expose a signature of their presence to every webpage a user visits.
- 22 of those 36 wallets fail to properly revoke access even after a user explicitly clicks disconnect.
Industry Response to Design Flaws
When researchers approached vendors to disclose these findings, the reception was largely dismissive. Many developers categorized the behavior as intentional or argued that the threat model was unrealistic. The lack of consensus on what constitutes a privacy vulnerability in this space highlights a significant gap in current Web3 security standards.
MetaMask called it a known issue, closed the report as a duplicate, and said it had no immediate plans to stop injecting its provider because that would break too many apps.
— MetaMask, regarding findings published by researchers at KU Leuven.
Implications for Digital Anonymity
For the average user, these findings underscore that standard privacy hygiene—such as clearing cookies or disconnecting sites—is insufficient to block these systemic leaks. The research, which builds on 2023 research into wallet-to-server data exposure, highlights a critical reality: the current ecosystem prioritizes feature functionality over user anonymity. Until developers shift toward stricter iframe isolation and standardized revocation protocols, users remain vulnerable to having their cryptocurrency holdings and browsing histories linked to their personal identities through no fault of their own.