VYPR
breachPublished Jul 10, 2026· 1 source

Attackers Exploit 'Ill Bloom' Vulnerability to Drain $3.1 Million From Cryptocurrency Wallets

A flaw in the random number generation for cryptocurrency wallet recovery phrases, dubbed 'Ill Bloom,' has led to the theft of over $3.1 million from hundreds of wallets.

Security researchers at Coinspect have identified and disclosed a critical vulnerability in certain cryptocurrency wallets, codenamed 'Ill Bloom,' which attackers are actively exploiting to drain user funds. The flaw stems from weak randomness used in the generation of recovery phrases, commonly known as seed phrases. These phrases are the master keys to a user's cryptocurrency assets, and when generated with insufficient entropy, they become susceptible to brute-force attacks.

Coinspect reported a significant coordinated attack on May 27th that successfully drained approximately $3.1 million from 431 distinct wallets. Since this initial sweep, an additional $2 million has been observed moving from other potentially exposed wallets, though it remains unclear how much of this was due to further exploitation versus legitimate user action to secure their funds. The firm warns that if users have recently seen funds move without their authorization, this vulnerability may be the cause.

While the 'Ill Bloom' vulnerability poses a serious threat, it does not affect all cryptocurrency wallets. Coinspect clarified that wallets generated on hardware devices are not impacted, nor are most mainstream software wallets. The primary risk lies with older or less common mobile wallet applications, some of which may date back to 2018. The specific wallet applications involved have not been publicly named, leaving users to verify their own exposure.

The technical root of the problem lies in the random number generator (RNG) employed by the affected wallet software. A secure recovery phrase is derived from a vast pool of possible combinations, making it computationally infeasible to guess. However, wallets affected by 'Ill Bloom' used an RNG that produced predictable sequences, drastically shrinking the number of possible phrases an attacker would need to test. Coinspect was able to reconstruct the attack by generating all possible phrases from the weak RNG, deriving the corresponding wallet addresses, and then scanning the blockchain for those still holding funds.

As of June 30th, Coinspect had identified 2,114 exposed addresses across multiple blockchains, including Bitcoin, Ethereum, Rootstock, Tron, and Polygon. The May 27th incident alone saw Bitcoin wallets lose approximately $2.57 million, with one single Bitcoin address being drained of over $1.1 million. The coordinated nature of this theft was evident as hundreds of unrelated wallets transferred their balances to the same few collection addresses within a short timeframe.

To help users identify if their wallets are at risk, Coinspect has launched a free online checker at illbloom.org. This tool can compare a public wallet address against Coinspect's list of known vulnerable wallets across Bitcoin, Tron, Solana, and Ethereum-compatible chains. A positive match serves as a clear warning that the recovery phrase is compromised, even if funds have not yet been moved. Users are advised to check all addresses associated with the same seed phrase, as a single weak phrase can compromise funds across multiple blockchains.

If a wallet is found to be vulnerable, the recommended course of action is to immediately create a completely new wallet with a fresh, securely generated recovery phrase. Users should then transfer all their assets from the compromised wallet to the new one. It is crucial to understand that simply reinstalling the old wallet application or importing the same compromised phrase elsewhere does not resolve the issue. Furthermore, users should be wary of phishing scams offering to 'rescue' their funds, as legitimate security tools will never ask for private keys, seed phrases, or require fund transfers for recovery.

This vulnerability is not an isolated incident; it represents a recurring pattern of security failures in cryptocurrency wallet development. Similar issues, such as the 'Milk Sad' vulnerability in 2023 (CVE-2023-39910) and flaws in Trust Wallet (CVE-2023-31290), have also exploited weak randomness in seed phrase generation, leading to significant financial losses. The 'Randstorm' flaw in 2023 also highlighted how predictable random number generation in older Bitcoin wallets could be exploited. The consistent lesson across these incidents is that the only reliable fix for a compromised seed phrase is to migrate funds to a new, securely generated wallet.

Synthesized by Vypr AI