Blockchain security firm Coinspect has revealed that thousands of cryptocurrency wallets face the risk of being emptied, due to insecurely generated recovery phrases. The company has named this vulnerability “Ill Bloom.” Findings indicate that wallets using seed phrases created with lower-than-expected randomness are particularly at risk of being targeted by attackers.
Which wallets are potentially at risk?
The vulnerability has reportedly affected wallets created as far back as 2018, with the issue observed mostly in lesser-known mobile software wallets. According to Coinspect’s data, at least $5 million worth of crypto assets have been withdrawn from at-risk wallets since May 27. The company also highlighted the possibility that similar weaknesses could exist across different blockchain networks and addresses, suggesting that the actual number of compromised wallets could be higher than currently detected.
In the initial attack on May 27, 431 out of 2,114 exposed wallets were directly compromised. This incident resulted in the transfer of some $3.1 million worth of crypto assets. On Sunday, nearly $2 million more was stolen from remaining vulnerable wallets.
Mini glossary: A seed phrase is a list of words used to restore access to a crypto wallet. Randomness is the key security feature that makes these words hard to guess.
Coinspect noted that for users who experienced unauthorized fund transfers, this vulnerability could be among the potential causes.
Hardware wallets considered safer
Coinspect emphasized that, based on current evidence, users who generated their seed phrases with a hardware wallet are not affected by this incident. The company also indicated that most up-to-date software wallets do not appear vulnerable. The highest risk group includes users who generated their seed phrases in uncommon mobile software wallets.
Although Coinspect has not yet released the technical details behind this active exploitation, it has provided a scanning tool for users to check whether their addresses are at risk. Blockchain security firm SlowMist stated on X on Monday that it is closely monitoring Coinspect’s Ill Bloom warning.
Similar vulnerabilities in the past
Such vulnerabilities are not new to the crypto industry. In 2023, Ledger’s security team identified that some seed phrases generated via the Trust Wallet browser extension were susceptible to brute-force attacks. The flaw stemmed from the entropy structure used in creating new addresses, which limited possible word combinations to about 4 billion—making it feasible for attackers to compromise a wallet in less than a day with enough processing power.
That same year, a different flaw was discovered in Libbitcoin Explorer, allowing private keys to be brute-forced and leading to the theft of roughly $900,000 in crypto assets. The latest incident has once again brought attention to the critical importance of randomness quality in lesser-known mobile wallet solutions.




