Blockchain security firm Coinspect disclosed a vulnerability dubbed "Ill Bloom" that has drained at least $5 million from thousands of crypto wallets since May 27.
"If funds recently moved without your permission, this vulnerability may be why," Coinspect said in a disclosure on Sunday, attributing the flaw to weak randomness in recovery phrase generation on certain software wallets.
The wallets at risk span Bitcoin, Ethereum, Polygon, Rootstock, Tron and Solana, Coinspect said. An attack on May 27 affected 431 wallets out of 2,114 identified as vulnerable, draining $3.1 million in cryptocurrency. Another $2 million was moved from exposed wallets on July 5.
The vulnerability has impacted wallets generated as early as 2018, with the strongest candidates being users of lesser-known mobile software wallets. Hardware wallets and most current software wallets are not affected, Coinspect said, though the firm has not published details of the active exploit.
Coinspect released a wallet-checking tool at illbloom.org for users to verify whether their addresses are exposed. SlowMist, another blockchain security firm, said it is closely monitoring the alert.
The flaw stems from an insecure pseudorandom number generator used during recovery phrase generation, making wallets susceptible to brute-force attacks. Similar vulnerabilities have emerged before. In 2023, Ledger's security team discovered that wallet seeds generated by the Trust Wallet browser extension were vulnerable to brute-force attacks, limiting mnemonic combinations to roughly four billion. That same year, a vulnerability in the Libbitcoin Explorer wallet led to $900,000 in crypto being stolen through private key brute forcing.
Coinspect said current evidence indicates users who generated their seed with a hardware wallet are not affected. The firm is not publishing details of the active exploit at this stage to prevent further attacks.
This article is for informational purposes only and does not constitute investment advice.