Seeds of Doubt 🌱 Weak RNG in Mobile Wallets Let $3.1M Walk Out the Blockchain Door
Back to feed

Seeds of Doubt 🌱 Weak RNG in Mobile Wallets Let $3.1M Walk Out the Blockchain Door

Blockchain security firm Coinspect disclosed a vulnerability it calls "Ill Bloom," warning that thousands of crypto wallets generated with weak recovery phrases are exposed to draining attacks across multiple networks. The flaw stems from an insecure pseudorandom number generator used during seed-phrase creation in certain lesser-known mobile software wallets and dates back to wallets generated as early as 2018. Affected chains include Bitcoin ($BTC), Ethereum ($ETH), Polygon, Rootstock, Tron and Solana, according to Coinspect's disclosure on Sunday. "If funds recently moved without your permission, this vulnerability may be why," Coinspect said.

On May 27, an attacker drained 431 of roughly 2,114 vulnerable wallets for about $3.1 million, Coinspect's on-chain analysis shows. Bitcoin absorbed the largest share at $2.57 million, with a single address losing more than $1.1 million. An additional $2 million was moved from exposed wallets on Sunday, pushing the documented total to at least $5 million since May 27. Coinspect said it was not publishing details of the active exploit at this stage but released a wallet-checking tool for users to determine whether their address is potentially exposed.

"We're closely monitoring the Ill Bloom wallet weak randomness risk alert from Coinspect," SlowMist posted to X on Monday. Coinspect emphasized that hardware wallet users appear unaffected and that most current software wallets do not appear vulnerable. "Current evidence tells us that users that generated their seed with a hardware wallet are not affected," the firm said. "Further research indicates that most current software wallets are also not vulnerable," it added.

Similar weak-randomness flaws have surfaced in past wallet incidents. In 2023, Ledger's security team found that wallet seeds generated by the Trust Wallet browser extension were vulnerable to brute-force attacks because entropy generation limited mnemonic combinations to roughly four billion; Trust Wallet patched the bug before any funds were stolen. Separately that year, a vulnerability in Libbitcoin Explorer crypto wallets led to $900,000 in crypto being stolen through private key brute forcing.

Coinstruct traced the Ill Bloom exploit to a single coordinated sweep in which drained wallets sent balances to a handful of shared collector addresses within hours, and noted that the $3.1 million figure represents a lower bound as new affected addresses continue to appear. The historically exposed wallet set held up to $12.56 million at its April 2022 peak, underscoring the scale of funds sitting on weak seeds. Users whose addresses match the checker are advised to generate a fresh wallet and migrate funds rather than reimport the old phrase, though importing into another app leaves assets exposed.

Mentioned Coins

$BTC$ETH
Share:
Publishercryptonewsroom.xyz
Published—
CategorySecurity

Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.

See our Terms of Service, Privacy Policy, and Editorial Policy.