Ill Bloom Vulnerability: How a Weak Recovery Phrase Costs Millions
Security

Ill Bloom Vulnerability: How a Weak Recovery Phrase Costs Millions

July 7, 20264 min read

Thousands of crypto wallets across several blockchains turned out to be vulnerable because of weak recovery phrase generation. Security researchers at Coinspect named the issue Ill Bloom and reported that at least $5 million has already been drained because of it. If your wallet was created by a mobile app that isn't exactly a household name, it's worth checking your address as soon as possible.

What Is the Ill Bloom Vulnerability?

Coinspect disclosed the finding on Sunday. Some software wallets generated recovery phrases using a weak random number generator. Instead of a truly unpredictable sequence of words, the device produced combinations that are easier to guess or brute-force.

Attacks like this are especially dangerous because the victim sees no warning signs at all. There's no phishing email, no suspicious link, the money simply disappears from the address in one moment. The company isn't disclosing technical details of the mechanism itself, so as not to hand attackers a roadmap to other vulnerable wallets. Instead, researchers released a free tool that lets an address owner check whether their wallet falls into the risk group without exposing the private key.

The issue affects addresses on Bitcoin, Ethereum, Polygon, Rootstock, Tron, and Solana. The oldest affected wallets date back to 2018, so the flaw has existed for years without drawing much scrutiny. Coinspect warned that if funds recently moved without your permission, this vulnerability could be the reason.

Bottom line: Weak randomness in recovery phrase generation lets attackers guess someone else's private key and drain funds without a password or phishing.

How Does a Weak Random Number Generator Lead to Theft?

A recovery phrase, a set of 12 or 24 words, is effectively the password to everything in a wallet. The app generates it from a random number, and the fewer possible outcomes that generator can produce, the easier it is for an attacker's computer to try every combination.

Most wallets draw a recovery phrase from a standard list of 2,048 words, and each word encodes a certain amount of entropy. If the device's random number generator produces predictable or repeating values, the real entropy drops sharply, even though the phrase looks perfectly ordinary and indistinguishable from a strong one.

That's why a user has no way to tell a weak recovery phrase from a strong one just by looking at it. The problem hides in the app's code, not in the words themselves or how many there are. When the randomness source is weak, the real number of possible recovery phrases drops sharply. Attackers don't need access to the device itself. It's enough to guess the weak generator's algorithm, then brute-force the limited set of possible phrases offline, with no interaction with the victim at all.

Reliable wallets, by contrast, use cryptographically secure random number generators that draw entropy from hardware sources on the device, such as touchscreen or microphone noise. That approach makes the outcome unpredictable even if an attacker knows the generator's algorithm.

  • Randomness source: a weak generator sharply cuts the number of possible recovery phrases
  • Wallet age matters, the oldest affected addresses date back to 2018
  • Hardware wallets don't rely on the same flawed generator and remain safe
  • Most popular current software wallets weren't affected either, according to Coinspect
Ill Bloom by the Numbers
Chains affectedBitcoin, Ethereum, Polygon, Rootstock, Tron, Solana
Drained since May 27$5 million+
May 27 attack431 of 2,114 wallets, $3.1 million
Additional drain on July 5$2 million

Has This Happened Before?

Weak recovery phrase generation isn't new to the industry. In 2023, Ledger's security team found that the Trust Wallet browser extension generated recovery phrases from a limited pool of roughly four billion combinations. An attacker could brute-force that in under a day using just a few consumer graphics cards. Trust Wallet shipped a fix before anyone actually lost funds. The issue only got fixed after security researchers publicly disclosed the details, meaning that without outside pressure it could have stayed unnoticed for much longer.

That same year, a flaw in the Libbitcoin Explorer wallet led to $900,000 stolen through private key brute-forcing. The pattern keeps repeating. Weak randomness shows up again and again as a cause of stolen funds, and the victims are usually people using less popular or outdated tools.

Both 2023 cases share one detail. The flaw wasn't in the blockchain itself but in a specific app that implemented random number generation incorrectly. That means a wallet's safety depends less on which coin it supports and more on the quality of the developer's code. The practical lesson for an average user is simple. A wallet's age and origin often matter more than the name of the network holding the funds.

What Wallet Owners Should Do Now

The simplest step is checking your address with Coinspect's tool to confirm your wallet isn't in the risk group. Hardware wallet owners have nothing to worry about, since the flaw doesn't touch them. The addresses that deserve the most attention are ones created in less popular mobile apps several years ago.

If you're not sure when or in which app your current wallet was created, it's safer to treat it as potentially vulnerable and move the funds rather than rely on guesswork. Security experts also recommend checking an app's reputation before trusting it with funds. It helps to know whether the code has passed an independent audit, and how long the developer has been around. A new wallet should be downloaded only from the developer's official site or a verified app store, never from a link shared on social media or in a messaging app.

If a recovery phrase was generated under those conditions, it makes sense to move funds to a new wallet with a solid track record and generate a fresh phrase. Coinspect hasn't disclosed exploit details yet, and SlowMist has already confirmed it's tracking the situation alongside other researchers. The Ill Bloom case is a reminder. Wallet security depends not just on the password itself but on the quality of the code that generates it. For crypto holders, the case is one more reminder of a basic self-custody rule. The less established an app's reputation, the more carefully its key storage and generation deserve to be checked.

Comments

Your email address will not be published. Required fields are marked *

or verify by email