Root cause
Some mobile software wallets generated BIP-39 mnemonic phrases using non-cryptographically-secure pseudorandom number generators (PRNG) — entropy sources like the system clock, device identifiers, or Math.random() — instead of a CSPRNG backed by OS-level hardware entropy.
Because the seed phrase's entropy space collapses to a much smaller, enumerable set (often bounded by clock resolution or a small random seed), an attacker can brute-force the private key without cracking the mnemonic word-list.
// VULNERABLE pattern seen in affected wallet software
function generateMnemonic() {
// Predictable: attacker knows approximate creation time,
// device clock resolution is typically milliseconds
const weakEntropy = (Date.now() ^ Math.random()).toString(16);
return bip39.entropyToMnemonic(weakEntropy);
}
// SECURE: always use OS-provided CSPRNG
function generateMnemonic() {
const secureEntropy = new Uint8Array(32);
crypto.getRandomValues(secureEntropy); // CSPRNG-backed
return bip39.entropyToMnemonic(
Buffer.from(secureEntropy).toString('hex')
);
}
Because blockchain addresses are deterministically derived from private keys, any wallet whose seed was generated with weak entropy can be reconstructed by an attacker who scans on-chain creation timestamps and runs a bounded enumeration against known-weak PRNG implementations.
Coinspect labelled the vulnerability class Ill Bloom and released a public checking tool at illbloom.org on approximately July 6–10, 2026.
Attack steps
| Step | Action | Detail |
|---|---|---|
| 1 | Identify vulnerable wallets | Attackers (or automated scanners) identify wallet addresses created by known vulnerable apps, inferring creation time from first on-chain transaction. |
| 2 | Enumerate entropy space | For each target, replay the weak PRNG within the time window around wallet creation, generating candidate seed phrases. |
| 3 | Derive private keys | BIP-32/BIP-44 derivation from each candidate phrase produces candidate private keys. |
| 4 | Match and drain | When the derived address matches the target, the attacker signs a sweep transaction to drain all assets. |
| 5 | Scale across chains | The same mnemonic controls keys on all BIP-44 coin types (ETH, BTC, MATIC, etc.), allowing multi-chain draining in one pass. |
Note: Hardware wallets use dedicated secure elements (HSMs) for key generation and are not affected.
Impact
- Confirmed drained: $3.1M from 431 wallets in the initial May 27 sweep; $5M+ in total losses since active exploitation began
- Wallets at risk: 2,100+ identified by Coinspect; potentially thousands more unidentified
- Affected chains: Bitcoin, Ethereum, Polygon, Rootstock, Tron, Solana (any chain where BIP-39 is used with the same derived key)
- Wallet types affected: Lesser-known mobile software wallets created from 2018 onward; hardware wallets and well-audited software wallets (e.g. MetaMask, which uses OS CSPRNG) are not named as affected
- Disclosure: Coinspect, July 2026; illbloom.org checking tool published; Venn/Dedaub/SEAL 911 reportedly alerted affected teams ahead of public disclosure
- Attribution: Unknown; exploitation pattern is automated/scripted
Lessons for auditors
- Mandatory CSPRNG audit for wallets. Any wallet codebase must use
crypto.getRandomValues()(browser/Node),os.urandom()(Python), or equivalent OS-backed CSPRNG. Review every call site that generates entropy;Math.random(),Date.now(), and similar functions are disqualifying. - Entropy source testing. During wallet security reviews, test entropy with NIST SP 800-22 or Diehard statistical test suites against the PRNG output before it reaches key derivation.
- Timestamp-bounded enumeration as a threat model. When a wallet records its own creation time on-chain (first transaction), that timestamp bounds attacker search space. Sensitive operations must not be time-seeded.
- Public key hygiene. Wallets should warn users at creation if the entropy source quality cannot be verified, and provide an entropy health check post-hoc.
- Key rotation UX. Affected users need a simple "migrate all funds to a new securely-generated wallet" UX path; protocols and dApps should not make migration difficult.