Key Takeaways
- Coinspect, a blockchain security company, has identified a critical weakness named “Ill Bloom” that compromises cryptocurrency wallets on Bitcoin, Ethereum, Polygon, Tron, Solana, and additional networks
- This security issue originates from inadequate random number generation processes when creating wallet recovery phrases in specific mobile wallet applications
- Thieves have successfully stolen a minimum of $5 million starting May 27, including one coordinated assault that emptied 431 wallets totaling $3.1 million
- The vulnerability extends to wallets created as early as 2018
- A complimentary checking tool has been made available by Coinspect for users to verify their wallet’s vulnerability status
Coinspect, a prominent blockchain security company, has made public a significant security weakness dubbed “Ill Bloom,” which has exposed thousands of cryptocurrency wallets to potential theft.
The security gap stems from insufficient randomness during the generation of recovery phrases in certain software wallet applications. When wallet software employs weak random number generation algorithms during the wallet creation process, it creates predictable seed phrases that become vulnerable to exploitation by malicious actors.
Affected networks span multiple blockchains including Bitcoin, Ethereum, Polygon, Rootstock, Tron, and Solana.
This security flaw has existed since 2018 at minimum. According to Coinspect’s findings, vulnerable wallets continued to be generated through recent weeks, placing even recently onboarded users in potential danger.
Timeline of the Exploit Attacks
Cybercriminals executed a major assault on May 27, targeting 431 out of 2,114 identified compromised wallets and making off with $3.1 million worth of digital assets.
Another wave of thefts occurred over the weekend, draining approximately $2 million from vulnerable addresses. Current confirmed losses total at least $5 million, though Coinspect indicates actual losses may be substantially higher when accounting for all affected blockchain networks.
To prevent further exploitation, Coinspect has deliberately withheld complete technical documentation of the vulnerability.
According to the security firm, hardware wallet owners remain unaffected by this issue. Major established software wallet providers are also considered safe. The primary risk group consists of individuals who created their seed phrases using obscure or lesser-known mobile wallet software.
Historical Precedents of Seed Generation Weaknesses
The cryptocurrency industry has encountered similar seed generation vulnerabilities before.
During 2023, security researchers at Ledger discovered that Trust Wallet’s browser-based extension produced seeds with insufficient randomness. This flaw reduced potential phrase combinations to approximately four billion possibilities, making them vulnerable to brute-force attacks using standard GPU hardware within 24 hours. Trust Wallet remediated the vulnerability before any user funds were compromised.
In another 2023 incident, a weakness in the Libbitcoin Explorer wallet software resulted in $900,000 being stolen through systematic private key guessing attacks.
Unlike previous incidents, Coinspect emphasizes that the Ill Bloom vulnerability isn’t isolated to a single wallet provider, which complicates mitigation efforts.
SlowMist, a blockchain security monitoring service, has verified it is actively monitoring the developing situation. Coinspect is advocating for wallet developers to incorporate weak mnemonic detection capabilities directly into their applications.
Concerned users can access Coinspect’s dedicated verification tool to determine whether their wallet addresses are at risk. Any unauthorized fund movements from affected wallets may indicate exploitation through this vulnerability.





