Rabby Wallet Faces Privacy Backlash Over Pre-Password Tracking Claims

Rabby Wallet is facing new privacy criticism after Sebastian C. Bürgel, VP Technology at Gnosis and founder of HOPR, posted browser logs that appeared to show the wallet sending onboarding data before a user had finished setting up a password.

The logs pointed to traffic involving matomo.rabby.io, Google Analytics and Sentry.io during the wallet’s early onboarding flow. Bürgel argued that the behavior conflicted with Rabby’s own privacy commitments and raised transparency concerns under EU data protection rules.

The claim is especially sensitive because wallets are not ordinary browser tools. A crypto wallet can reveal dApp usage, network activity, device state, onboarding behavior and, potentially, a user's self-custody habits. Even when private keys and seed phrases are never transmitted, that metadata still matters: it ties a device and an IP address to the moment a wallet is installed, and crypto users often treat wallet software as part of their security perimeter.

Rabby is one of the better-known Ethereum and EVM wallet extensions, with its Chrome Web Store listing showing around 800,000 users. The extension is marketed around DeFi usability, transaction simulation and pre-signing risk checks, making the privacy complaint more damaging than it would be for a normal analytics-heavy consumer app.

Transparency Becomes The Main Issue

The controversy centers less on whether analytics tools can ever be used and more on when tracking begins, what data is collected, which third parties receive it and whether users are given a clear choice before any transfer occurs.

Rabby’s privacy policy discloses broad device-data collection, including IP address or proxy server, device and application identifiers, location, browser type, hardware model, operating system and system configuration information. It also allows disclosure to third-party service providers in the U.S. or other countries that help provide services or facilitate the website.

The disputed providers are not named directly in the policy text. That gap is where the criticism is focused. A wallet user may accept security telemetry or crash reporting after disclosure, but sending data to analytics and error-monitoring services before a password is created creates a different trust problem, especially for European users who expect clear consent and transparent data-transfer language.

The Chrome Web Store privacy section also lists “User activity” under data handled by the Rabby extension. For privacy-focused users, that category can feel broad unless the wallet clearly explains what is tracked, when it starts, how long it is retained and whether identifiers can be linked across sessions.

Wallet Privacy Is Bigger Than Seed Phrases

The Rabby debate lands at a moment when crypto wallet security is already expanding beyond the classic warning to protect seed phrases. Wallet users now have to think about approvals, browser extensions, malicious pop-ups, fake support links, malware, RPC leaks, analytics tools and device-level metadata.

Recent wallet-security concerns have already pushed users to clean up old token permissions after Claude Mythos rumors triggered approval-revocation warnings. Separate malware campaigns have also targeted wallet holders through fake crypto job interviews, showing how quickly browser data, session tokens and local wallet files can become part of the attack surface.

Privacy is part of the same risk model. A wallet can be technically non-custodial and still leak sensitive behavioral data if telemetry is too broad, poorly disclosed or routed through third-party infrastructure. For DeFi users, that can include when a wallet is installed, which onboarding screens are reached, what device environment is used and how a user interacts with connected services.

WalletBeat’s Rabby profile already placed the wallet in a low privacy tier, describing its privacy level as minimal. The latest browser-log complaint gives that criticism a sharper public example and puts pressure on Rabby to clarify its telemetry settings, provider list and consent flow.

Rabby Faces Trust Test

Rabby had not issued a visible public response to Bürgel’s claims at the time of writing. A clear response would likely need to answer several practical questions: whether the logs reflect production behavior, what events were sent, whether any identifiers were included, whether IP addresses were processed by third parties, how consent is handled for EU users and whether users can fully disable analytics before setup.
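Most of those questions can be answered from a capture rather than from a policy text. As an added example that is not Rabby's code and not the log Bürgel posted: export a HAR from the extension's network panel during onboarding (for a Manifest V3 extension, the service worker's DevTools reached through chrome://extensions has one), note the time the password step completed, and run the capture through a script like the one below. The `_id`/`uid` (Matomo) and `cid` (GA4) parameter names are those products' documented client identifiers; the sample capture, the Sentry org subdomain, the GA measurement id, the identifier values and the RPC host are all constructed.

```python
"""Audit a HAR capture of a wallet extension's onboarding flow for
third-party telemetry sent before the user finished creating a password.

Added illustration for this article; it is not Rabby's code and not the
log Bürgel posted. SAMPLE_HAR is constructed: the request shapes mimic the
general form of Matomo, Google Analytics 4 and Sentry endpoints, and every
identifier value, site id, measurement id and RPC host in it is made up.
"""
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Telemetry/crash-reporting hosts to flag, matched by host suffix so that
# per-tenant subdomains such as oNNNN.ingest.sentry.io are caught too.
TELEMETRY_SUFFIXES = {
    "matomo.rabby.io": "Matomo analytics (first-party hosted)",
    "google-analytics.com": "Google Analytics",
    "ingest.sentry.io": "Sentry error monitoring",
}

# Query parameters that carry a per-visitor/per-client identifier in these
# products: Matomo `_id` (visitor id) and `uid` (user id), GA4 `cid`
# (client id). Anything else is treated as non-identifying for this audit.
IDENTIFIER_PARAMS = {"_id", "uid", "cid"}


def classify_host(host):
    """Return a label for a telemetry host, or None for anything else."""
    host = host.lower()
    for suffix, label in TELEMETRY_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def parse_har_time(value):
    """HAR startedDateTime is ISO 8601; accept a trailing Z for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_har(har, password_set_at):
    """Return one finding per telemetry request, in capture order.

    password_set_at is the timestamp the tester recorded when the password
    step completed; requests before it are the ones that bear on consent.
    """
    cutoff = parse_har_time(password_set_at)
    findings = []
    for entry in har["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        label = classify_host(parts.hostname or "")
        if label is None:
            continue  # first-party or unrelated traffic, e.g. an RPC call
        query = parse_qs(parts.query)
        identifiers = {k: v[0] for k, v in query.items() if k in IDENTIFIER_PARAMS}
        findings.append({
            "host": parts.hostname,
            "label": label,
            "method": entry["request"]["method"],
            "path": parts.path,
            "started": entry["startedDateTime"],
            "before_password": parse_har_time(entry["startedDateTime"]) < cutoff,
            "identifiers": identifiers,
        })
    return findings


def hosts_before_password(findings):
    """Third-party hosts that received anything before the password existed."""
    return {f["host"] for f in findings if f["before_password"]}


def repeated_identifiers(findings):
    """Identifier values that recur across requests link separate onboarding
    screens (and, if persisted, later sessions) to the same install."""
    counts = {}
    for f in findings:
        for name, value in f["identifiers"].items():
            counts[(name, value)] = counts.get((name, value), 0) + 1
    return {k: n for k, n in counts.items() if n > 1}


# Constructed sample capture: three telemetry requests fire on the welcome
# screen, the password is set at 10:00:20, and one more Matomo hit follows.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2025-06-01T10:00:01.000Z", "request": {"method": "GET",
     "url": "https://matomo.rabby.io/matomo.php?idsite=1&rec=1"
            "&action_name=onboarding%2Fwelcome&_id=5f3a1c9e2b7d4e11"}},
    {"startedDateTime": "2025-06-01T10:00:02.000Z", "request": {"method": "POST",
     "url": "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE"
            "&cid=1234567890.1717236000&en=page_view"}},
    {"startedDateTime": "2025-06-01T10:00:03.000Z", "request": {"method": "POST",
     "url": "https://o123456.ingest.sentry.io/api/0/envelope/"}},
    {"startedDateTime": "2025-06-01T10:00:30.000Z", "request": {"method": "POST",
     "url": "https://rpc.example.invalid/"}},  # constructed first-party RPC, not flagged
    {"startedDateTime": "2025-06-01T10:00:45.000Z", "request": {"method": "GET",
     "url": "https://matomo.rabby.io/matomo.php?idsite=1&rec=1"
            "&action_name=onboarding%2Fdone&_id=5f3a1c9e2b7d4e11"}},
]}}
PASSWORD_SET_AT = "2025-06-01T10:00:20.000Z"

if __name__ == "__main__":
    results = audit_har(SAMPLE_HAR, PASSWORD_SET_AT)
    for f in results:
        when = "BEFORE password" if f["before_password"] else "after password"
        print(f"{f['started']} {when:15} {f['method']:4} {f['host']} "
              f"({f['label']}) identifiers={f['identifiers']}")
    print("linkable identifiers:", repeated_identifiers(results))
```

Run against a real capture, a hit before the cutoff to any host outside the extension's own origin is the transparency problem described above, and the same `_id` appearing on two screens is what makes events linkable across sessions, which is the point the policy text leaves open. The suffix list is the auditor's own; extend it with whatever the capture shows.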

The episode also gives users a simple checklist. Privacy-sensitive wallet users should review extension permissions, compare wallet privacy policies, separate high-value accounts from daily dApp wallets, consider hardware-wallet signing for larger balances and avoid treating any browser wallet as private by default.

The strongest outcome for Rabby would be a precise technical explanation, narrower default telemetry and clearer pre-onboarding consent. Until then, the complaint leaves users with a familiar self-custody lesson: wallet safety is not only about who controls the keys. It is also about what the wallet reveals before the first transaction is ever signed.