Blockchain security firm Coinspect has disclosed a critical vulnerability named “Ill Bloom” that has placed thousands of cryptocurrency wallets at risk of being drained. The flaw stems from weak randomness in the generation of recovery phrases by certain mobile software wallets. As a result, seed phrases can be predicted or brute-forced, exposing private keys and allowing attackers to steal funds.
The vulnerability affects wallets on multiple major blockchains including Bitcoin, Ethereum, Polygon, Rootstock, Tron, and Solana. Coinspect reports that wallets generated as far back as 2018 are potentially vulnerable, and that compromised wallets were still being created in recent weeks, indicating the issue is not confined to a single application. Hardware wallet users and most mainstream software wallets are believed to be safe; the highest risk applies to those who generated seed phrases using lesser-known mobile software wallets.
The first documented attack occurred on May 27, when 431 wallets out of 2,114 identified as vulnerable were drained of $3.1 million. Additional transfers on the following Sunday moved roughly $2 million, bringing the known total stolen to at least $5 million. Coinspect cautions that the actual figure could be higher across other networks not yet analyzed. The firm has deliberately withheld full technical details to prevent further exploitation.
Security monitoring platform SlowMist confirmed it is tracking the situation and urged users to check historical wallet addresses. Coinspect has released a free tool that lets individuals test whether their address is exposed and recommends moving any remaining funds to a newly created wallet using trusted software or a hardware device. The incident recalls past cases of weak seed generation, such as the 2023 Trust Wallet browser extension flaw and the $900,000 Libbitcoin Explorer hack, underscoring the persistent risk in wallet security.