Security firm Coinspect has disclosed a crypto wallet flaw it calls Ill Bloom, and attackers are already using it. The flaw is in how some wallet software generated its recovery phrase, the words that control the money. When that phrase is made with weak randomness, an attacker can work it out and take everything it controls.
The firm has confirmed one coordinated sweep on May 27 that drained about $3.1 million from 431 wallets, and it told The Hacker News that a further $2.1 million in USDT was stolen from an exposed wallet afterward, pushing confirmed losses past $5 million.
As the firm puts it, "if funds recently moved without your permission, this vulnerability may be why."
Most people are probably fine. Coinspect says wallets created on hardware devices are not affected, and most mainstream software wallets are not either. The real risk sits with older or lesser-known wallets, both mobile apps and browser extensions, some dating back to 2018.
It has not named the apps involved, so the only way to know is to check. Paste your public wallet address into the free checker at illbloom.org. A match means the recovery phrase should be treated as compromised, so move your funds to a new wallet.
What actually broke
Every self-custody wallet starts with a recovery phrase, usually 12 or 24 words, also called a seed phrase. Those words are meant to be picked at random from a pool so vast that guessing them is hopeless. The affected wallets were not random enough. Their software used a weak random-number generator when it created the phrase.
That shrank the pool of possible phrases from astronomically large to a range that an attacker could search. The firm has not published exactly how small.
It says it rebuilt the attack from end to end. It worked through the full set of phrases the weak generator could produce, derived the wallet addresses each one leads to, then checked public blockchain records for the addresses still holding funds.
The result is a watchlist of wallets that were born weak, regardless of which app generated them.
The theft, by the numbers
As of June 30, Coinspect had traced 2,114 exposed addresses with on-chain activity across Bitcoin, Ethereum, Rootstock, Tron, and Polygon. The May 27 sweep drained about $3.1 million from 431 of them. Bitcoin took the worst of it at roughly $2.57 million, and a single Bitcoin address lost more than $1.1 million on its own.
The researchers could tell it was one coordinated theft because hundreds of unrelated wallets sent their balances to the same few collection addresses within hours.
The $2.1 million theft that followed shows how exposed these wallets stay. Coinspect told The Hacker News the May 27 attacker had already compromised one owner's seed but left that USDT sitting on another chain. Coinspect spotted the money still at risk on June 10 and tried to warn the owner through exchanges the address had used, but the alert did not arrive in time. It could derive the exposed keys itself yet could not move the funds to safety, because "once a seed phrase is compromised, possessing the key no longer proves legitimate ownership."
The researchers call the losses a floor, not a ceiling. They told The Hacker News the exposed set has grown since the June 30 snapshot, not because new weak wallets were created but because it keeps finding more vulnerable seed phrases along other generation paths; the checker already reflects the larger list, and the search continues. At its 2022 peak, the same set was worth a reconstructed $12.56 million, though most of that value had already fallen with the market before the May 27 sweep.
What to do
The checker at illbloom.org compares a public wallet address against Coinspect's list of known-vulnerable wallets. It accepts Bitcoin, Tron, Solana, and Ethereum-style addresses (Ethereum, Polygon, BNB, and other EVM chains).
One weak phrase can expose funds on every chain it controls, so check every address tied to the same seed, not just the ones already drained. A clean result is not a guarantee, since the list is incomplete, but a match is a clear warning.
If your address matches:
- Treat the recovery phrase as compromised. The money is not safe just because it has not moved yet.
- Create a brand-new wallet with a brand-new phrase. You should see a fresh set of 12 to 24 words. If an app asks you to type in your old phrase, you are reopening the weak wallet, not making a new one.
- Move your funds to the new wallet. Reinstalling the old app or importing the same phrase somewhere else changes nothing.
A wallet that was spared is not safe either. Coinspect told The Hacker News the May 27 attacker skipped accounts holding less than about $5, but those seeds are compromised all the same, and anything deposited into them later can be taken. If your address matches, stop using that wallet whether or not it has lost a cent. Many affected users have no idea they are exposed.
One more warning. Scares like this pull in scammers who offer to "rescue" your money. A real checker never needs a secret. Coinspect says it "will never ask for seed phrases, private keys, signatures, or approvals, or ask users to send funds to 'recover' or protect a wallet."
Do not type your recovery phrase, private key, password, or backup file into any site or message, ever. A hardware wallet is the safest place to move funds, but generate a fresh phrase on the device rather than importing the old one.
We have seen this before
This is an old failure with a new name. Coinspect took "Ill Bloom" from "illness blossom," the first weak phrase its generator produces, the same way Milk Sad was named after "milk sad" in 2023. That bug (CVE-2023-39910), in the Libbitcoin Explorer command-line tool, let thieves drain millions in one sweep that July.
A close cousin (CVE-2023-31290) hit the Trust Wallet browser extension the same year, crackable in under a day.
The same trap caught Randstorm, the weak-randomness flaw THN covered in 2023, which left Bitcoin wallets made between 2011 and 2015 crackable because the browser code behind them used poor random numbers.
The researchers noted then that the flaw was baked into those wallets forever, and the only fix was to move the funds to a new wallet made with better software. That is exactly the fix for Ill Bloom.
What's next
Every few years, a wallet's random-number generator turns out to be predictable. Wallets that looked safe become drainable. The fix is always the same: move the money somewhere new. The wallet looks fine, and the words look random, but the machine that picked them was predictable. A predictable key is barely a key at all.
Coinspect told The Hacker News it has now identified five vulnerable wallet implementations. It is not naming them publicly at this stage. It traced them through on-chain funding links, GitHub searches for matching code, and, for some, by downloading and reverse-engineering closed-source Android apps and Chrome extensions to see how they generated recovery phrases. For now the five stay unnamed, and it says there are likely others it has not found.
Updated July 10, 2026 with Coinspect's responses to The Hacker News.




