KU Leuven's DistriNet research group tested 85 Chrome Web Store wallet extensions for privacy leaks, in a paper — 'The Masks We (Think We) Wear' — accepted to the PETS 2026 symposium in Calgary. These are real, specific, reproducible findings, not the usual vague 'crypto is risky' warning.

85

Extensions tested

Chrome Web Store wallets

17 wallets

Leaked address linkability

connected a user's separate addresses

22 of 36

Kept access after "revoke"

survived cookie clearing and browser restart

23 of 36

Leaked via hidden frames

readable from a page loaded inside another site

The three actual failure modes

Address linkability connects a user's separate wallet addresses to one identity, undermining the basic pseudonymity crypto addresses are supposed to offer. Permission persistence means revoking a site's access inside your wallet's own UI doesn't always actually revoke it — the access can survive clearing cookies and restarting the browser entirely. Hidden-frame leaks are the most dangerous: a site you never directly visited can read your wallet address by loading it inside a frame from a site you did visit — which can link a pseudonymous crypto address to a real identity if any site you've used has your name or email on file.

Who fixed it, who didn't

Eight wallets responded through bug bounty programs: Coinbase Wallet, OKX, Trust, Rabby, Backpack, Bybit, Zerion, and Core. Coinbase Wallet and Coin98 patched quickly; Hana Wallet patched later. MetaMask called it a known issue and said it has no immediate plans to change its approach, because doing so "would break too many apps" — a real engineering tradeoff, not negligence, but one worth knowing if MetaMask is your daily wallet.

What this actually changes for your setup

  • This isn't a reason to panic-switch wallets — it's a reason to treat wallet-website connections like any other persistent login, not a one-time approval you can forget about.
  • Periodically audit connected sites inside your wallet's own settings, not just the website's disconnect button — on wallets that haven't patched this, the website-side revoke isn't guaranteed to be complete.
  • The hidden-frame leak specifically matters if your daily browser profile mixes a site that knows your real identity with active wallet use — a separate browser profile dedicated to crypto closes that exact gap regardless of which wallet you run.

This is exactly the kind of gap that habit-level hygiene — hot/cold wallet separation, periodic permission audits — protects against even when the extension itself hasn't caught up yet.