Ill Bloom Exploit Drains $5M From Crypto Wallets Across Six Blockchains
July 6, 2026
Coinspect Names the Flaw as It Hits $5 Million in Losses
Blockchain security firm Coinspect disclosed a new wallet vulnerability over the weekend that it says has already emptied at least $5 million from user funds since late May. The firm nicknamed the flaw “Ill Bloom” and traced it to weaknesses in how a group of software wallets generated seed phrases, the human-readable strings that unlock a wallet’s private keys, according to an advisory reported by Cointelegraph.
The disclosure landed as the crypto market was already digesting a bruising second quarter, and it adds a fresh reminder that the risks facing everyday holders are not only price-related. For anyone tracking the latest crypto news, Ill Bloom moves security back to the top of the agenda.
Weak Randomness in Seed Generation, Traced Back to 2018
Coinspect said the root cause is an insecure pseudorandom number generator sitting inside some wallet software. When a user creates a wallet, the generator is meant to produce a large, unpredictable number, which the wallet then converts into the familiar 12- or 24-word English phrase. If the random number is not truly random, an attacker who reverse-engineers the pattern can guess those words.
The affected wallets have been exhibiting this weakness since at least 2018, according to Coinspect. That means users who created a wallet years ago may be exposed today without ever having touched the app again.
How Recovery Phrases Actually Protect Your Crypto
Every non-custodial wallet is protected by the same underlying principle: a private key known only to the owner. The recovery phrase, sometimes called a seed phrase, is simply a shorthand for that key, chosen from a fixed list of 2,048 words so it can be written down and retyped if a phone is lost.
The security of that shorthand depends entirely on how randomly the words were selected. A properly generated 12-word phrase is drawn from a pool so large that, in practical terms, guessing it is impossible. Ill Bloom shrinks that pool dramatically. Coinspect’s researchers found the reduced randomness cuts cryptographic strength “far below standard expectations,” making the phrases guessable by an attacker with the right tooling.
$3.1 Million Drained in a Single Attack on May 27
The financial trail is already visible on-chain. In a single sweep on May 27, an attacker drained roughly $3.1 million from 431 wallets, out of an identified pool of 2,114 vulnerable addresses, according to data cited by Coinspect. A second $2 million tranche moved this past weekend, pushing the total loss past the $5 million mark.
The pattern of surgical, batch-style drains fits how these attacks typically play out. Once an attacker cracks the generator, they can quietly compute the seed phrases for every wallet that used the same flawed software, then empty them in one coordinated push before defenders notice.
Six Chains and Mostly Lesser-Known Mobile Wallets
The vulnerable wallets span six major networks: Bitcoin, Ethereum, Polygon, Rootstock, Tron and Solana. That range makes clear the problem is not with any one blockchain, but with the wallet software used to interact with them.
Coinspect said the flaw appears “primarily in lesser-known mobile software wallets,” rather than in the hardware devices or top-tier apps most users hold funds in. Anyone still using an obscure mobile crypto wallet to store meaningful amounts should treat that setup as suspect until they have run the firm’s checker.
What Vulnerable Users Should Do Now
Coinspect said hardware wallets are not affected, and “most current software wallets are also not vulnerable.” Its immediate advice for potentially exposed users is direct: check first, then move funds. The firm has published a tool that lets users paste a wallet address to see whether the seed was generated using a flawed randomness source.
For anyone unsure, the operational template is well established. Analysts have long recommended generating a fresh seed on a reputable hardware or well-audited software wallet, moving assets across, and treating the older phrase as compromised. Users who buy crypto through exchanges may hold part of their balances in custody, but self-custodied funds are the ones at direct risk here.
Why Personal Storage Remains Crypto’s Weakest Link
Ill Bloom does not exploit a smart contract, a bridge or an exchange. It exploits code that ran on a user’s phone years ago and produced numbers that only looked random. The size of the loss so far, $5 million, is modest against the $75.87 million lost across 40 hacks in June, according to figures reported by BeInCrypto. What makes it striking is how quietly the flaw sat for years, and how difficult it is for a non-technical user to spot from the outside.
The pattern reinforces something that has been true through every cycle: the strength of the network is not the strength of the storage. As Coinspect put it in its own advisory, “if funds recently moved without your permission, this vulnerability may be why.” That single sentence captures the awkward reality of self-custody in 2026, where the biggest risk to a holder is often invisible until it is not.
Share Article

Madiha Riaz
Madiha is a seasoned researcher in cryptocurrency, blockchain, and emerging Web3 technologies. With a background in organic chemistry and a sharp analytical mindset, she brings scientific depth to decentralized innovation. Since discovering crypto in 2017 and investing in 2018, she’s been uncovering and sharing deep insights into how blockchain is redefining the digital asset landscape.





