Root Cause
Ill Bloom (disclosed by Coinspect, July 2026) is a weak entropy vulnerability in the BIP-39 seed phrase generation of certain software wallet applications. BIP-39 requires 128 bits (12-word phrase) or 256 bits (24-word phrase) of cryptographically secure random entropy. Affected wallets — primarily older or lesser-known mobile apps and browser extensions released from 2018 onward — used a cryptographically weak pseudorandom number generator (PRNG), dramatically narrowing the effective keyspace below what BIP-39 assumes.
// ✗ Vulnerable pattern — weak PRNG (conceptual reconstruction):
function generateMnemonic() {
const entropy = new Uint8Array(16);
// Math.random() carries only ~53 bits of state — NOT cryptographically secure
for (let i = 0; i < 16; i++) {
entropy[i] = Math.floor(Math.random() * 256);
}
return bip39.entropyToMnemonic(Buffer.from(entropy));
// Produces < 2^53 possible phrases instead of 2^128
}
// ✓ Correct pattern — CSPRNG:
function generateMnemonic() {
const entropy = new Uint8Array(16);
window.crypto.getRandomValues(entropy); // 128 bits true entropy
return bip39.entropyToMnemonic(Buffer.from(entropy));
}
Because a BIP-39 mnemonic derives keys for all chains simultaneously, a single compromised wallet exposes balances across Bitcoin, Ethereum, Polygon, Tron, Rootstock, Solana, and any other chain supported at wallet-creation time.
Attack Steps
| Step | Action |
|---|---|
| 1 | Identify target wallet app(s) using weak PRNG; reverse-engineer the PRNG algorithm and its achievable seed range |
| 2 | Offline: enumerate the full brute-forceable keyspace and derive all corresponding wallet addresses for every supported chain |
| 3 | Continuously monitor blockchains for incoming funds to any pre-computed address |
| 4 | On detection: immediately derive the matching private key offline and broadcast a sweep transaction |
| 5 | May 27, 2026 sweep: 431 wallets drained for $3,140,968 in a tightly timed burst — hundreds of wallets sending funds to the same few collector addresses within hours |
| 6 | Subsequent sweep: additional $2.1M USDT extracted from another exposed address following the initial disclosure |
Impact
- $5M+ confirmed stolen as of July 10, 2026 ($3.14M in May 27 sweep + $2.1M USDT in follow-on sweep)
- 2,114 vulnerable addresses identified with on-chain activity across Bitcoin, Ethereum, Rootstock, Tron, Polygon (as of June 30, 2026 — per Coinspect)
- Vulnerable wallets are older or lesser-known mobile apps and browser extensions (≥2018 releases); hardware wallets and major mainstream software wallets are confirmed unaffected
- Coinspect published a public address checker at illbloom.org — users can submit an address (not their seed phrase) to check exposure
- Only safe remediation: generate a brand-new wallet with a new seed phrase using a vetted app and migrate all funds; importing the same mnemonic into a different app does NOT fix already-compromised keys
Lessons for Auditors
-
Audit entropy sources in wallet SDKs and integrations. Verify that key material is generated from a platform CSPRNG:
window.crypto.getRandomValues(browser),crypto.randomBytes(Node.js),SecureRandom(Android). Never acceptMath.random(),Date.now(), or any seeded PRNG as an entropy source. -
Weak keys are permanent. Unlike a patchable contract bug, a seed phrase generated with weak entropy remains vulnerable forever regardless of app updates. The only mitigation is key migration.
-
Cross-chain blast radius. A single entropy flaw in a multi-chain wallet instantly exposes all chains the wallet supports. Security reviews of wallet libraries must cover key derivation end-to-end, not just chain-specific transaction signing.
-
Attacker has a persistent monitoring advantage. Once the keyspace is pre-computed, the attacker can watch indefinitely and sweep any address the moment funds arrive — victim response time is effectively zero. Protocol-level rate-limiting or withdrawal delays do not help once the private key is known.