KU Leuven DistriNet crypto wallet browser-extension privacy leaks and cross-site tracking
Technical Analysis
Summary
Hide ▲
Show ▼
KU Leuven DistriNet published technical findings on 85 crypto wallet browser extensions that leak enough data to link addresses and track users across sites, creating identity-reconstruction risk for about 35 million listed installs. The study shows that wallet design choices can expose installed-wallet fingerprints, preserve stale permissions, and enable cross-site tracking without any exploit. It also matters because the same leak chain can turn a pseudonymous wallet into a named identity when a site already knows an email or name.
Related Happenings
FakeWallet Apple App Store wallet-stealing apps
Malware Activity
H score8
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
FakeWallet Apple App Store wallet-stealing apps
Malware ActivityAbout this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
FakeWallet crypto wallet phishing campaign targeting users in China
Campaign
H score14
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
FakeWallet crypto wallet phishing campaign targeting users in China
CampaignAbout this happening: The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
Latest development: 24.04.2026 14:48
Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.
Torg Grabber browser-extension theft activity
Malware Activity
H score36
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
Torg Grabber browser-extension theft activity
Malware ActivityAbout this happening: The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
ShieldGuard browser-extension data-harvesting malware
Malware Activity
H score29
First: 18.03.2026 16:15
Last: 18.03.2026 16:15
Sources 1
About this happening:
A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...
ShieldGuard browser-extension data-harvesting malware
Malware ActivityAbout this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...
Spiderman phishing kit targeting European banks and crypto services
Malware Activity
H score33
First: 10.12.2025 16:53
Last: 10.12.2025 16:53
Sources 1
About this happening:
The **Spiderman** phishing kit is being used against customers of **European banks** and **crypto services**, driving **credential theft** and **account takeover** risk. It clones...
Spiderman phishing kit targeting European banks and crypto services
Malware ActivityAbout this happening: The **Spiderman** phishing kit is being used against customers of **European banks** and **crypto services**, driving **credential theft** and **account takeover** risk. It clones...
Timeline
-
14.07.2026 03:00 1 articles · 14h ago
Wallet makers respond to disclosure of cross-site tracking weakness
Mitigation Patch UpdateThe researchers disclosed the cross-site tracking weakness to affected wallet makers before publication, and the published responses show mixed outcomes: Coinbase Wallet and Coin98 had already fixed it by a February 2026 retest, Hana Wallet fixed it later, while MetaMask, Rabby, OKX, Bybit, Backpack, and Core mostly treated the finding as known, informational, low-risk, or out of scope.
Show sources
- Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks — thehackernews.com — 14.07.2026 14:55
-
07.07.2026 03:00 2 articles · 7d ago
KU Leuven DistriNet posts browser-wallet privacy findings on arXiv
Initial DisclosureKU Leuven's DistriNet security group posted an arXiv paper on browser-extension crypto wallets that can leak enough information to link separate addresses, fingerprint installed wallets, and enable cross-site tracking of users.
Show sources
- Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks — thehackernews.com — 14.07.2026 14:55
- Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks — thehackernews.com — 14.07.2026 14:55