Blockchain security research firm Coinspect has announced that thousands of crypto wallets are at risk of being emptied due to poorly constructed recovery phrases. The company named this vulnerability “Ill Bloom”. The findings show that some wallets were specifically targeted using seed phrases generated with lower randomness than expected.
Coinspect stated that this vulnerability could be one of the possible reasons for users experiencing unauthorized fund movement.
Which wallets might be affected?
It was reported that the vulnerability affected wallets created as early as 2018, and was mostly seen in lesser-known mobile software wallets. According to Coinspect data, at least $5 million worth of crypto assets have been withdrawn from risky wallets since May 27. While the company pointed out that there is a possibility of similar use in different networks and additional addresses, it noted that the number of wallets at risk may be higher than current findings.
In the attack on May 27, 431 of 2,114 vulnerable wallets were directly affected. A total of $3.1 million in crypto assets were moved in this incident. On Sunday, approximately 2 million dollars more were removed from the open wallets.
Mini dictionary: Seed phrase is a sequence of words used to restore a crypto wallet. Randomness refers to the basic security element that makes these words difficult to guess.
The picture is calmer for hardware wallets
Coinspect said that the available evidence indicates that users who created seeds using hardware wallets were not affected by this incident. The company also added that the majority of current software wallets do not appear to be vulnerable. It is considered that the strongest risk group is users who create seeds in uncommon mobile software wallets.
Coinspect has not shared the technical details of the active exploit for now. In response, it released a scanning tool so that users can check whether their addresses are affected. Blockchain security company SlowMist also announced in its post on X on Monday that it is closely monitoring Coinspect’s Ill Bloom warning.
Similar vulnerabilities have been seen before
This is not the first time such vulnerabilities have emerged in the crypto industry. In 2023, the Ledger security team found that some wallet seeds created with the Trust Wallet browser add-on were vulnerable to brute force attacks. It was stated that the problem was caused by the entropy structure produced for new addresses and limited the possible word combinations to approximately 4 billion. This allowed the attack to be executed in less than a day with sufficient processing power.
In the same year, another vulnerability discovered in Libbitcoin Explorer led to private keys being guessed using the brute force method, and approximately 900 thousand dollars worth of crypto assets were stolen. The latest development has brought to the agenda once again how critical randomness quality is, especially in lesser-known mobile wallet solutions.


