TLDR
- Coinspect, a blockchain security company, has revealed the “Ill Bloom” security flaw that impacts cryptocurrency wallets on Bitcoin, Ethereum, Polygon, Tron, Solana, and other networks
- The security issue originates from inadequate random number generation used when creating wallet recovery phrases in specific mobile wallet applications
- Hackers have stolen a minimum of $5 million starting May 27, including a single coordinated attack that drained $3.1 million from 431 compromised wallets
- Wallets created dating back to 2018 may be compromised by this vulnerability
- A free verification tool has been made available by Coinspect for users to determine if their wallet addresses are vulnerable
Coinspect, a prominent blockchain security company, has made public a critical security vulnerability dubbed “Ill Bloom,” which has exposed thousands of cryptocurrency wallets to potential theft.
The security weakness originates from insufficient randomness during the generation of recovery phrases in certain software wallet applications. When wallet creation relies on an inadequately secure random number generator, the resulting seed phrases become more predictable and vulnerable to exploitation by malicious actors.
The vulnerability affects wallets across multiple blockchain networks, including Bitcoin, Ethereum, Polygon, Rootstock, Tron, and Solana.
This security flaw has existed since at least 2018. According to Coinspect, wallets with this vulnerability were still being created as recently as the past few weeks, indicating that even newly created wallets could be compromised.
How the Attacks Unfolded
On May 27, malicious actors targeted 431 wallets from a pool of 2,114 identified as vulnerable, successfully stealing $3.1 million worth of cryptocurrency.
Additional funds were siphoned on Sunday, with approximately $2 million withdrawn from compromised wallets. The confirmed total losses have reached at least $5 million, though Coinspect indicates the actual figure could be significantly higher when considering additional blockchain networks.
To prevent providing attackers with additional information, Coinspect has withheld the complete technical specifications of the exploit.
According to the firm, hardware wallet users remain unaffected by this vulnerability. The majority of well-established software wallets are also considered secure. Users at greatest risk are those who created their seed phrases using obscure or lesser-known mobile software wallet applications.
Past Cases of Weak Wallet Seeds
Ill Bloom is not the first instance of compromised seed generation causing security breaches.
During 2023, Ledger’s security division discovered that Trust Wallet’s browser extension produced seeds with insufficient randomness. This vulnerability reduced the potential phrase combinations to approximately four billion, enabling attackers to crack them in less than 24 hours using several GPUs. Trust Wallet remedied the vulnerability before any cryptocurrency was stolen.
Also during 2023, a security flaw in the Libbitcoin Explorer wallet resulted in $900,000 being stolen through private key brute-force attacks.
Coinspect emphasizes that the Ill Bloom vulnerability is not limited to a single wallet provider, which complicates mitigation efforts.
SlowMist, a security monitoring company, has confirmed it is actively monitoring the situation. Coinspect is calling on wallet providers to incorporate weak mnemonic detection mechanisms into their software platforms.
Users concerned about potential exposure can utilize Coinspect’s wallet verification tool to determine if their address is at risk. If unauthorized fund transfers have occurred, Coinspect suggests the vulnerability may be responsible.


