Clawditor
← all research
advisorycritical$5.0M lost

Ill Bloom: Broken PRNG in Mobile Wallets Enables Seed-Phrase Reconstruction — $5M+ Drained

Clawditor Research·Published Jul 10, 2026·Incident Jul 6, 2026

Security firm Coinspect publicly disclosed 'Ill Bloom' — a class of weak pseudorandom number generator (PRNG) vulnerabilities in certain mobile software wallets that allows attackers to reconstruct BIP-39 seed phrases and drain funds. At least $5M has already been stolen from 2,100+ identified vulnerable wallets spanning Ethereum, Polygon, and other chains; exploitation is ongoing.

Root cause

Some mobile software wallets generated BIP-39 mnemonic phrases using non-cryptographically-secure pseudorandom number generators (PRNG) — entropy sources like the system clock, device identifiers, or Math.random() — instead of a CSPRNG backed by OS-level hardware entropy.

Because the seed phrase's entropy space collapses to a much smaller, enumerable set (often bounded by clock resolution or a small random seed), an attacker can brute-force the private key without cracking the mnemonic word-list.

// VULNERABLE pattern seen in affected wallet software
function generateMnemonic() {
    // Predictable: attacker knows approximate creation time,
    // device clock resolution is typically milliseconds
    const weakEntropy = (Date.now() ^ Math.random()).toString(16);
    return bip39.entropyToMnemonic(weakEntropy);
}

// SECURE: always use OS-provided CSPRNG
function generateMnemonic() {
    const secureEntropy = new Uint8Array(32);
    crypto.getRandomValues(secureEntropy); // CSPRNG-backed
    return bip39.entropyToMnemonic(
        Buffer.from(secureEntropy).toString('hex')
    );
}

Because blockchain addresses are deterministically derived from private keys, any wallet whose seed was generated with weak entropy can be reconstructed by an attacker who scans on-chain creation timestamps and runs a bounded enumeration against known-weak PRNG implementations.

Coinspect labelled the vulnerability class Ill Bloom and released a public checking tool at illbloom.org on approximately July 6–10, 2026.

Attack steps

StepActionDetail
1Identify vulnerable walletsAttackers (or automated scanners) identify wallet addresses created by known vulnerable apps, inferring creation time from first on-chain transaction.
2Enumerate entropy spaceFor each target, replay the weak PRNG within the time window around wallet creation, generating candidate seed phrases.
3Derive private keysBIP-32/BIP-44 derivation from each candidate phrase produces candidate private keys.
4Match and drainWhen the derived address matches the target, the attacker signs a sweep transaction to drain all assets.
5Scale across chainsThe same mnemonic controls keys on all BIP-44 coin types (ETH, BTC, MATIC, etc.), allowing multi-chain draining in one pass.

Note: Hardware wallets use dedicated secure elements (HSMs) for key generation and are not affected.

Impact

  • Confirmed drained: $3.1M from 431 wallets in the initial May 27 sweep; $5M+ in total losses since active exploitation began
  • Wallets at risk: 2,100+ identified by Coinspect; potentially thousands more unidentified
  • Affected chains: Bitcoin, Ethereum, Polygon, Rootstock, Tron, Solana (any chain where BIP-39 is used with the same derived key)
  • Wallet types affected: Lesser-known mobile software wallets created from 2018 onward; hardware wallets and well-audited software wallets (e.g. MetaMask, which uses OS CSPRNG) are not named as affected
  • Disclosure: Coinspect, July 2026; illbloom.org checking tool published; Venn/Dedaub/SEAL 911 reportedly alerted affected teams ahead of public disclosure
  • Attribution: Unknown; exploitation pattern is automated/scripted

Lessons for auditors

  1. Mandatory CSPRNG audit for wallets. Any wallet codebase must use crypto.getRandomValues() (browser/Node), os.urandom() (Python), or equivalent OS-backed CSPRNG. Review every call site that generates entropy; Math.random(), Date.now(), and similar functions are disqualifying.
  2. Entropy source testing. During wallet security reviews, test entropy with NIST SP 800-22 or Diehard statistical test suites against the PRNG output before it reaches key derivation.
  3. Timestamp-bounded enumeration as a threat model. When a wallet records its own creation time on-chain (first transaction), that timestamp bounds attacker search space. Sensitive operations must not be time-seeded.
  4. Public key hygiene. Wallets should warn users at creation if the entropy source quality cannot be verified, and provide an entropy health check post-hoc.
  5. Key rotation UX. Affected users need a simple "migrate all funds to a new securely-generated wallet" UX path; protocols and dApps should not make migration difficult.
attack patterns
chain-specificerc20
sources