A significant security flaw termed 'Ill Bloom' has been identified by Coinspect, a security firm, affecting certain cryptocurrency wallets due to weak randomness in generating recovery phrases. This flaw has already allowed attackers to drain over $5 million from affected wallets, with a confirmed incident on May 27 resulting in the theft of $3.1 million from 431 wallets. An additional $2.1 million was later stolen from a USDT wallet, bringing the total confirmed losses to over $5 million.
The vulnerability primarily affects older or lesser-known mobile and browser-based wallets, with most mainstream software and hardware wallets remaining secure. Coinspect has not disclosed the specific apps involved, urging users to verify their wallets using a checker available at illbloom.org. A compromised recovery phrase enables attackers to access all funds linked to that phrase, emphasizing the critical need for users to migrate their assets to new wallets if their addresses are flagged as vulnerable.
The flaw stems from a weak random-number generator used during the creation of recovery phrases, reducing the number of possible phrases and making it feasible for attackers to guess them. As of June 30, Coinspect identified 2,114 exposed addresses, with significant losses occurring across Bitcoin, Ethereum, Rootstock, Tron, and Polygon. The coordinated nature of the May 27 theft was evident as multiple unrelated wallets transferred funds to the same collection addresses within a short period.
Coinspect continues to update its list of vulnerable wallets as new weak phrases are discovered. Users whose wallets were spared should remain cautious, as any future deposits into these compromised wallets can still be at risk. The firm warns against scams offering to 'rescue' funds, stressing that legitimate checkers will never request sensitive information such as seed phrases or private keys. Users are advised to transfer their funds to a hardware wallet, creating a new recovery phrase on the device to ensure security.


