Coinspect Identifies Ill Bloom Wallet Vulnerability Draining Over $5 Million Across Multiple Chains
The flaw, dubbed Ill Bloom, allows attackers to recover and drain funds from thousands of accounts by exploiting a non‑cryptographically secure pseudorandom number generator (PRNG) that seeds the mnemonic used to create a wallet’s private key. Coinspect’s analysis shows that wallets created as early as 2018 are affected, with the problem most common in lesser‑known mobile software wallets. Hardware wallets and the majority of mainstream software wallets appear to be immune.
Since the first reported exploit on May 27, 431 vulnerable addresses have been drained for $3.1 million, and an additional $2 million was moved from exposed wallets on Sunday. The numbers underscore how quickly a single weakness can translate into a multi‑chain loss.
Coinspect has released a public wallet‑checking tool that lets users scan their addresses for exposure. The company is not publishing the exact exploit code at this time but is monitoring the situation closely. SlowMist, a security firm that tracks wallet‑related incidents, posted on X that it is “closely monitoring the Ill Bloom wallet weak randomness risk alert from Coinspect.” Their monitoring suggests that the attack may continue to target additional networks and addresses.
The Ill Bloom issue is not the first time weak randomness has compromised wallet security. In 2023, Ledger’s security team uncovered that the Trust Wallet browser extension generated seeds with limited entropy, reducing the possible mnemonic space to roughly four billion combinations. Trust Wallet patched the bug before any theft occurred. That same year, a flaw in the Libbitcoin Explorer wallet enabled attackers to brute‑force private keys, resulting in $900,000 in stolen crypto. These incidents illustrate how insufficient entropy in seed generation can shrink the search space for attackers and make brute‑force attacks feasible.
At present, Coinspect has not announced a patch for the affected wallets, and no official response has been issued by the wallet developers. Users who suspect they may have generated a seed with a vulnerable wallet are advised to use the Coinspect tool to check their addresses and consider moving funds to a hardware wallet or a software wallet that employs a proven CSPRNG. The broader industry will likely review seed‑generation practices in light of this incident.
In summary, the Ill Bloom vulnerability has exposed thousands of wallets across several major blockchains to theft, with over $5 million already lost. Coinspect’s disclosure and the public‑available checking tool provide a path for users to assess risk, while the industry continues to monitor the situation for further developments or patches.