Ill Bloom Vulnerability Drains $5M From Thousands of Crypto Wallets

Editorial illustration for: Thousands of crypto wallets vulnerable to 'Ill Bloom' weak randomness exploit

In brief

  • Ill Bloom vulnerability affects thousands of wallets across Bitcoin, Ethereum, Polygon, Rootstock, Tron, and Solana
  • Weak recovery phrase generation in lesser-known mobile software wallets enables the exploit
  • Attackers stole at least $5 million since May 27; single attack drained $3.1 million from 431 wallets
  • Hardware wallets and most current software wallets remain unaffected
  • Coinspect released free tool to check if your address is potentially exposed

The vulnerability

Blockchain security research firm Coinspect identified the flaw as stemming from weak randomness — an insecure pseudorandom number generator — used during recovery phrase generation on certain software wallets. The vulnerability has impacted wallets generated as early as 2018. It more often occurs in lesser-known mobile software wallets, though the precise scope remains under investigation.

The attack is straightforward: weak recovery phrases can be brute-forced. An attacker with modest computational resources can derive private keys and drain funds from affected addresses. This isn't theoretical. An attack on May 27 affected 431 wallets out of 2,114 vulnerable wallets, draining a total of $3.1 million in cryptocurrency. Another $2 million was moved on Sunday from exposed wallets.

Who's safe

Not everyone is at risk. Users who generated their seed with a hardware wallet are not affected by Ill Bloom. Most current software wallets are also not vulnerable, meaning the flaw is concentrated in older or less-maintained implementations.

Coinspect has released a wallet-checking tool for users to determine whether their address is potentially exposed. If you generated your seed before the vulnerability was patched in your wallet software, the tool can flag whether you're at risk.

"If funds recently moved without your permission, this vulnerability may be why," Coinspect said.

Historical context

Ill Bloom isn't the first wallet randomness flaw. In 2023, Ledger's security team discovered that wallet seeds generated by the Trust Wallet browser extension were vulnerable to brute-force attacks. The flaw limited the total possible mnemonic combinations to roughly four billion and could allow a motivated attacker to run an attack in less than a day with just a few GPUs. Trust Wallet patched the bug before any funds were stolen.

That same year, a vulnerability in the Libbitcoin Explorer crypto wallet led to $900,000 in crypto being stolen through private key brute forcing. These incidents underscore how wallet randomness flaws can persist undetected for years, affecting thousands of users.

SlowMist posted to X on Monday that it was closely monitoring the Ill Bloom wallet weak randomness risk alert from Coinspect.

Frequently asked questions

What is the Ill Bloom vulnerability?

Ill Bloom is a weakness in certain software wallets' recovery phrase generation caused by insecure randomness. Attackers can brute-force weak recovery phrases to derive private keys and drain funds from affected wallets.

How much crypto has been stolen?

At least $5 million has been drained from exposed wallets since May 27. The largest single attack on May 27 stole $3.1 million from 431 wallets, with another $2 million moved on Sunday.

Which blockchains are affected?

Wallets at risk span Bitcoin, Ethereum, Polygon, Rootstock, Tron, and Solana. The vulnerability is concentrated in certain lesser-known mobile software wallets, not major wallet providers.

How can I check if I'm affected?

Coinspect released a free wallet-checking tool for users to determine whether their address is potentially exposed. Hardware wallet users are not affected, and most current software wallets are also not vulnerable.