Find notable cyber news and cases, enriched with sources, timelines, and signals.

KU Leuven DistriNet crypto wallet browser-extension privacy leaks and cross-site tracking

Technical Analysis
First reported
Last updated
Happening score
H score 24
1 unique sources, 1 articles

Summary

Hide ▲

KU Leuven DistriNet published technical findings on 85 crypto wallet browser extensions that leak enough data to link addresses and track users across sites, creating identity-reconstruction risk for about 35 million listed installs. The study shows that wallet design choices can expose installed-wallet fingerprints, preserve stale permissions, and enable cross-site tracking without any exploit. It also matters because the same leak chain can turn a pseudonymous wallet into a named identity when a site already knows an email or name.

Related Happenings

FakeWallet Apple App Store wallet-stealing apps

Malware Activity
H score8 First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...

FakeWallet crypto wallet phishing campaign targeting users in China

Campaign
H score14 First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...

Latest development: 24.04.2026 14:48

Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.

Torg Grabber browser-extension theft activity

Malware Activity
H score36 First: 25.03.2026 20:32 Last: 25.03.2026 20:32 Sources 1

About this happening: The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...

ShieldGuard browser-extension data-harvesting malware

Malware Activity
H score29 First: 18.03.2026 16:15 Last: 18.03.2026 16:15 Sources 1

About this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...

Spiderman phishing kit targeting European banks and crypto services

Malware Activity
H score33 First: 10.12.2025 16:53 Last: 10.12.2025 16:53 Sources 1

About this happening: The **Spiderman** phishing kit is being used against customers of **European banks** and **crypto services**, driving **credential theft** and **account takeover** risk. It clones...

Timeline

  1. 14.07.2026 03:00 1 articles · 14h ago

    Wallet makers respond to disclosure of cross-site tracking weakness

    Mitigation Patch Update

    The researchers disclosed the cross-site tracking weakness to affected wallet makers before publication, and the published responses show mixed outcomes: Coinbase Wallet and Coin98 had already fixed it by a February 2026 retest, Hana Wallet fixed it later, while MetaMask, Rabby, OKX, Bybit, Backpack, and Core mostly treated the finding as known, informational, low-risk, or out of scope.

    Show sources
  2. 07.07.2026 03:00 2 articles · 7d ago

    KU Leuven DistriNet posts browser-wallet privacy findings on arXiv

    Initial Disclosure

    KU Leuven's DistriNet security group posted an arXiv paper on browser-extension crypto wallets that can leak enough information to link separate addresses, fingerprint installed wallets, and enable cross-site tracking of users.

    Show sources