Ethical Hacking News
The cryptocurrency wallet flaw known as "Ill Bloom" has exposed millions in funds drained from vulnerable wallets. Here's a detailed look at this vulnerability and how it can be prevented.
The "Ill Bloom" vulnerability is a new crypto wallet flaw that attackers are exploiting to drain millions from vulnerable wallets. A weakness in how some wallet software generated its recovery phrase has left many users scrambling to protect their assets. Older or lesser-known mobile wallets, particularly those with weak random-number generators, are at risk of being compromised. The vulnerability can be exploited by an attacker who knows the recovery phrase and uses it to take control of the wallet. Coinpect has identified 2,114 exposed addresses across multiple blockchain platforms that were born with this weakness. Users can protect themselves by using a free checker at illbloom.org and moving their funds to a new wallet made with better software.
The world of cryptocurrency has been rocked by a new vulnerability that has left many users scrambling to protect their assets. In a recent revelation, security firm Coinspect has disclosed a crypto wallet flaw it calls "Ill Bloom," which attackers are already exploiting to drain millions from vulnerable wallets.
At the heart of this vulnerability lies a weakness in how some wallet software generated its recovery phrase, the words that control the money. When that phrase is made with weak randomness, an attacker can work it out and take everything it controls. This flaw has been identified as a major concern for users of older or lesser-known mobile wallets, which may not have implemented adequate security measures to mitigate this risk.
According to Coinspect, one coordinated sweep on May 27 drained approximately $3.1 million from 431 wallets, with roughly $2 million more moving from exposed wallets since then. The firm notes that it is not yet clear how much of the latter movement was theft and how much was owners moving their own funds to safety.
The 'Ill Bloom' vulnerability is a result of a weak random-number generator used by some wallet software when creating recovery phrases. This weakness shrinks the pool of possible phrases from an astronomically large number to a range that an attacker can search. Coinspect has not published exactly how small this pool is, but it has stated that it rebuilt the attack from end to end and worked through the full set of phrases the weak generator could produce.
The result of this vulnerability is a watchlist of wallets that were born weak, regardless of which app generated them. This list includes 2,114 exposed addresses with on-chain activity across Bitcoin, Ethereum, Rootstock, Tron, and Polygon. The May 27 sweep drained about $3.1 million from 431 of these wallets, with Bitcoin taking the worst hit at roughly $2.57 million.
Coinspect has confirmed that wallets created on hardware devices are not affected by this vulnerability, as well as most mainstream software wallets. However, older or lesser-known mobile wallets are at risk, particularly those that use weak random-number generators to generate recovery phrases.
To protect oneself from this vulnerability, Coinspect recommends using the free checker at illbloom.org, which compares a public wallet address against its list of known-vulnerable wallets. If an address matches, it is considered compromised, and users should treat the recovery phrase as such. They should create a brand-new wallet with a new phrase and move their funds to this new wallet.
It's worth noting that some scammers may try to take advantage of this vulnerability by offering "rescue" services for stolen funds. However, Coinspect has stated that it will never ask users to send funds or provide sensitive information such as seed phrases or private keys.
The 'Ill Bloom' vulnerability is an old failure with a new name. It's similar to another flaw called Milk Sad, which was discovered in 2023 and allowed thieves to drain millions in one sweep. Similarly, the same trap caught Randstorm, a weak-randomness flaw that left Bitcoin wallets made between 2011 and 2015 crackable because of poor random numbers.
The only fix for this vulnerability is to move funds to a new wallet made with better software. Every few years, a wallet's random-number generator turns out to be predictable, making it vulnerable to attack. The 'Ill Bloom' vulnerability serves as a reminder that even seemingly secure wallets can have weaknesses that can be exploited by attackers.
In light of this revelation, Coinspect is asking users to report which apps generated the weak recovery phrases and passing findings to vendors and teams that can act on them. This will help identify the source of the vulnerability and prevent further attacks.
The 'Ill Bloom' vulnerability highlights the importance of staying vigilant in the face of emerging threats. As security firms continue to monitor the cryptocurrency landscape, users must remain proactive in protecting their assets by keeping their software up to date and using reputable security measures.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Cryptocurrency-Wallet-Flaw-Exposed-The-Ill-Bloom-Vulnerability-and-Its-Far-Reaching-Consequences-ehn.shtml
https://thehackernews.com/2026/07/attackers-exploit-ill-bloom.html
Published: Fri Jul 10 04:43:18 2026 by llama3.2 3B Q4_K_M