Researchers have analysed 85 of the most popular Chrome Web Store crypto-wallet extensions — software collectively installed by 35.16 million users — and found that routine wallet operations silently leak structural links between a user's blockchain addresses, potentially exposing them to cross-site tracking and real-world identity deanonymization without any user interaction [S1]. The study, published as an arXiv preprint on 8 July 2026 and associated with the PoPETs 2026 conference [S1][P4], formalises five distinct privacy threats that arise not from bugs or exploits, but from the way wallets are designed to talk to the network and the browser. The question now pressing on the Web3 ecosystem is whether the privacy model millions of users assume they have ever actually existed.
The assumption that breaks
Most crypto users operate on a simple belief: each blockchain address is independent. You use one wallet for a decentralised exchange, another for an NFT purchase, a third for receiving salary — and unless you deliberately link them, nobody can tie them together [S1].
That assumption, the researchers argue, is false for a large share of extension-based wallets. The leaks happen through ordinary, everyday wallet behaviour — not through attacks or malicious code [S1].
Five threats, one architecture problem
The study identifies five privacy threats, all stemming from how browser-extension wallets interact with blockchain networks and the web browser itself [S1]. Three stand out for their everyday impact:
RPC address linkage. Remote procedure calls — the routine requests wallets make to blockchain nodes to check balances or fetch transaction data — leak structural connections between a user's addresses [S1]. Every time a wallet queries the network, it can reveal that two addresses belong to the same person. No prompt, no popup. Just metadata, flowing out.
Revocation that doesn't stick. The majority of Ethereum wallets studied implement permission revocation inconsistently, continuing to expose previously revoked addresses across browsing sessions [S1]. A user who thinks they've disconnected a site from their wallet may still be broadcasting that address to anyone watching.
Cross-origin iframe injection. Many wallets inject their provider interfaces — the code that lets decentralised applications (dApps) communicate with the wallet — into cross-origin iframes [S1]. Iframes are embedded web pages from different domains, and injecting wallet code into them opens a channel for passive cross-site tracking that extends beyond dApps, potentially connecting a user's browsing activity to their on-chain wealth and even to their real-world identity, all without user interaction [S1].
What it means
The core finding flips the mental model. Blockchain was built on the promise of pseudonymity — your address is a string of characters, not your name. But if routine wallet operations link those strings together, and if cross-site tracking connects them to your browsing patterns, the pseudonymity erodes layer by layer [S1].
Think of it this way: each address is like a separate email alias. You believe they're unconnected. But every time your wallet checks a balance, it's quietly CC'ing all your other aliases onto the same message. And the iframe injection means websites you visit — not just crypto platforms — can potentially see which aliases are active in your browser [S1].
The researchers stress that many of these threats can be substantially reduced through better wallet implementation, stronger privacy considerations in ecosystem standards, and stricter controls over how wallets expose their provider interfaces [S1]. In other words, this is largely an engineering problem, not a cryptographic impossibility — but it requires the ecosystem to treat wallet privacy as an architecture-level priority rather than an afterthought [S1].
What it means for business
For small operators in the Web3 space — a two-person DeFi startup, a suburban agency building dApps, a cafe accepting crypto payments — the implications are concrete:
- Wallet selection now carries privacy risk. If your business recommends or integrates a specific browser-extension wallet for customers, you may be implicitly endorsing a tool that leaks address correlations. The study doesn't name specific brands [S1], but the finding that the majority of Ethereum wallets handle revocation inconsistently means due diligence on wallet architecture is now part of vendor selection.
- dApp developers face a trust gap. If users learn that wallet-provider injection into cross-origin iframes enables tracking beyond your application, confidence in the privacy of on-site transactions weakens. Developers who rely on iframe-based wallet integration may need to audit their provider exposure [S1].
- Compliance teams should take note. For Web3 businesses operating under data-protection regimes, wallet-level metadata leaks could complicate obligations around user privacy — particularly if address linkage enables re-identification of individuals.
- No immediate fix is available to end users. The study identifies architectural problems, not user-facing settings. There is no toggle labelled "stop leaking my addresses." The remediation path runs through wallet developers and ecosystem standards bodies [S1].
What we don't know yet
Several critical questions remain open:
- Which specific wallets are affected? The abstract does not name brands, and the terms "majority" and "many" lack exact denominators [S1]. The full paper and its accompanying GitHub repository [P4] may contain wallet-by-wallet breakdowns, but the abstract alone doesn't let a user check whether their installed wallet is vulnerable.
- How many of the 35.16 million users are actually exposed? That figure represents the total user base of the 85 studied wallets, not the number of confirmed affected individuals [S1]. The real exposure depends on which specific wallets exhibit which behaviours, and how widely those wallets are used.
- Is the paper peer-reviewed? It appears on arXiv as a preprint, though the associated GitHub repository labels it for PoPETs 2026 [P4], suggesting conference acceptance. The findings are the authors' own claims until independent verification occurs.
- Have wallet vendors or regulators responded? There is no evidence in the pack of any formal response from wallet developers, standards bodies, or regulators to these findings.
- Do these leaks enable fund theft? The study addresses privacy — the linking and tracking of addresses — not the direct theft of cryptocurrency. The threats are about exposure of identity and activity, not loss of assets [S1].
The next concrete signal to watch: whether the full paper, once publicly available, names specific wallets and triggers vendor patches or standards-body action. Until then, the 35 million users running these extensions are wearing masks they think are opaque — and the research suggests the fabric is thinner than anyone realised.
If this kind of unpacking matters to you, subscribe to keep reading the stories that connect the dots before the headlines do.
Sources
- [S1] Wang et al., "The Masks We (Think We) Wear: Privacy Threats of Browser-Extension Wallets in the Web3 Ecosystem," arXiv preprint, 8 July 2026 — https://arxiv.org/abs/2607.06141v1
- [P2] Full HTML version, arXiv — https://arxiv.org/html/2607.06141
- [P4] Accompanying code repository, GitHub (labelled PoPETs 2026) — https://github.com/podiumdesu/wallet-privacy-threats
Sources
- [S1] The Masks We (Think We) Wear: Privacy Threats of Browser-Extension Wallets in the Web3 Ecosystem — arXiv preprint (cs.CR, q-fin.GN) (attributed)
- [P2] The Masks We (Think We) Wear: Privacy Threats of Browser-Extension Wallets in the Web3 Ecosystem — The Masks We (Think We) Wear: Privacy Threats of Browser-Extension Wallets in the Web3 Ecosystem (attributed)
- [P3] yangjie-cv/WeThink — yangjie-cv/WeThink (attributed)
- [P4] podiumdesu/wallet-privacy-threats — podiumdesu/wallet-privacy-threats (attributed)
- [P5] Privacy Backdoors: Enhancing Membership Inference through Poisoning Pre-trained Models — Privacy Backdoors: Enhancing Membership Inference through Poisoning Pre-trained Models (attributed)
Generated from an audited evidence pack with primary-source research. Social-media items are discussion signals, not verified facts. Nothing here is financial, legal or medical advice.