Coinspect Warns of 'Ill Bloom' Security Flaw Threatening Thousands of Cryptocurrency Wallets

Coinspect Warns of 'Ill Bloom' Security Flaw Threatening Thousands of Cryptocurrency Wallets

A significant number of cryptocurrency wallets spanning various blockchain networks face potential compromise stemming from inadequate recovery phrase creation processes.

A substantial number of cryptocurrency wallets face the threat of being completely emptied as a result of utilizing recovery phrases that are less secure than they should be, a security weakness that blockchain security research company Coinspect has named "Ill Bloom."

According to a disclosure made by Coinspect on Sunday, the vulnerable wallets are distributed across Bitcoin, Ethereum, Polygon, Rootstock, Tron and Solana networks, with the problem stemming from insufficient randomness — specifically, an unsafe pseudorandom number generator — employed during the creation of recovery phrases on specific software wallet applications.

"If funds recently moved without your permission, this vulnerability may be why," Coinspect said.

The security flaw has affected wallets that were created as far back as 2018 and is more frequently found in less popular mobile software wallet applications. Since May 27, at least $5 million has been siphoned from compromised wallets, although there may have been additional exploitations across other networks and wallet addresses, suggesting the total number of at-risk wallets could be significantly larger.

Analyzed address set data
A snapshot of one analyzed address set as of June 30. Source: Coinspect

According to Coinspect, specific details regarding the ongoing exploit are being withheld from publication at the present time, though the firm has made available a wallet-verification tool that allows users to determine if their address might be at risk.

"We're closely monitoring the Ill Bloom wallet weak randomness risk alert from Coinspect," SlowMist posted to X on Monday.

Available data reveals that during the May 27 attack, 431 wallets were compromised out of a total of 2,114 vulnerable wallets, resulting in the theft of $3.1 million worth of cryptocurrency. An additional $2 million was transferred from exposed wallets on Sunday.

Chart showing stolen amounts per blockchain
The historical sum of stolen amounts per chain in the May 27 attack. Source: Coinspect

"Current evidence tells us that users that generated their seed with a hardware wallet are not affected," said Coinspect.

"Further research indicates that most current software wallets are also not vulnerable," it added. "The strongest candidates are users who generated their seed in less widely used mobile software wallets."

Weak wallet seeds cause headaches

This particular category of security vulnerability has surfaced on multiple occasions in previous years. During 2023, the security team at Ledger uncovered that wallet seeds created by the Trust Wallet browser extension were susceptible to brute-force attack methods.

The vulnerability was located in the wallet's entropy generation mechanism for creating new addresses, which reduced the total number of possible mnemonic combinations to approximately four billion and would enable a determined attacker to execute an assault in under 24 hours using only a handful of GPUs. Trust Wallet successfully patched the security issue before any user funds were compromised.

During that same year, a security weakness in the Libbitcoin Explorer cryptocurrency wallet resulted in $900,000 worth of crypto being taken through private key brute forcing techniques.

← Back to Blog