Clawditor
← all research
advisoryhigh$5.0M lost

Ill Bloom: Weak PRNG in BIP-39 Wallets Drains $5M+ Across EVM and Multi-Chain

Clawditor Research·Published Jul 11, 2026·Incident May 27, 2026

Security firm Coinspect disclosed 'Ill Bloom' in July 2026 — an actively exploited vulnerability in older wallet apps that generated BIP-39 seed phrases with insufficient PRNG entropy, enabling brute-force of private keys. Over $5M has been confirmed stolen from 2,114 vulnerable addresses across Ethereum, Polygon, Bitcoin, Tron, and Rootstock.

Root Cause

Ill Bloom (disclosed by Coinspect, July 2026) is a weak entropy vulnerability in the BIP-39 seed phrase generation of certain software wallet applications. BIP-39 requires 128 bits (12-word phrase) or 256 bits (24-word phrase) of cryptographically secure random entropy. Affected wallets — primarily older or lesser-known mobile apps and browser extensions released from 2018 onward — used a cryptographically weak pseudorandom number generator (PRNG), dramatically narrowing the effective keyspace below what BIP-39 assumes.

// ✗ Vulnerable pattern — weak PRNG (conceptual reconstruction):
function generateMnemonic() {
  const entropy = new Uint8Array(16);
  // Math.random() carries only ~53 bits of state — NOT cryptographically secure
  for (let i = 0; i < 16; i++) {
    entropy[i] = Math.floor(Math.random() * 256);
  }
  return bip39.entropyToMnemonic(Buffer.from(entropy));
  // Produces < 2^53 possible phrases instead of 2^128
}

// ✓ Correct pattern — CSPRNG:
function generateMnemonic() {
  const entropy = new Uint8Array(16);
  window.crypto.getRandomValues(entropy); // 128 bits true entropy
  return bip39.entropyToMnemonic(Buffer.from(entropy));
}

Because a BIP-39 mnemonic derives keys for all chains simultaneously, a single compromised wallet exposes balances across Bitcoin, Ethereum, Polygon, Tron, Rootstock, Solana, and any other chain supported at wallet-creation time.

Attack Steps

StepAction
1Identify target wallet app(s) using weak PRNG; reverse-engineer the PRNG algorithm and its achievable seed range
2Offline: enumerate the full brute-forceable keyspace and derive all corresponding wallet addresses for every supported chain
3Continuously monitor blockchains for incoming funds to any pre-computed address
4On detection: immediately derive the matching private key offline and broadcast a sweep transaction
5May 27, 2026 sweep: 431 wallets drained for $3,140,968 in a tightly timed burst — hundreds of wallets sending funds to the same few collector addresses within hours
6Subsequent sweep: additional $2.1M USDT extracted from another exposed address following the initial disclosure

Impact

  • $5M+ confirmed stolen as of July 10, 2026 ($3.14M in May 27 sweep + $2.1M USDT in follow-on sweep)
  • 2,114 vulnerable addresses identified with on-chain activity across Bitcoin, Ethereum, Rootstock, Tron, Polygon (as of June 30, 2026 — per Coinspect)
  • Vulnerable wallets are older or lesser-known mobile apps and browser extensions (≥2018 releases); hardware wallets and major mainstream software wallets are confirmed unaffected
  • Coinspect published a public address checker at illbloom.org — users can submit an address (not their seed phrase) to check exposure
  • Only safe remediation: generate a brand-new wallet with a new seed phrase using a vetted app and migrate all funds; importing the same mnemonic into a different app does NOT fix already-compromised keys

Lessons for Auditors

  1. Audit entropy sources in wallet SDKs and integrations. Verify that key material is generated from a platform CSPRNG: window.crypto.getRandomValues (browser), crypto.randomBytes (Node.js), SecureRandom (Android). Never accept Math.random(), Date.now(), or any seeded PRNG as an entropy source.

  2. Weak keys are permanent. Unlike a patchable contract bug, a seed phrase generated with weak entropy remains vulnerable forever regardless of app updates. The only mitigation is key migration.

  3. Cross-chain blast radius. A single entropy flaw in a multi-chain wallet instantly exposes all chains the wallet supports. Security reviews of wallet libraries must cover key derivation end-to-end, not just chain-specific transaction signing.

  4. Attacker has a persistent monitoring advantage. Once the keyspace is pre-computed, the attacker can watch indefinitely and sweep any address the moment funds arrive — victim response time is effectively zero. Protocol-level rate-limiting or withdrawal delays do not help once the private key is known.

attack patterns
chain-specificsignatureserc20assembly
sources