Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1860+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets
Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets
NEWS

Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets

Security firm Coinspect has disclosed a critical crypto wallet flaw called Ill Bloom that exploits weak pseudorandom number generation in wallet seed creation, enabling attackers to derive private keys and drain funds. Over $5 million has already been stolen.

Dylan H.

News Desk

July 12, 2026
4 min read

Over $5 Million Stolen via Weak Wallet Randomness Flaw

Security research firm Coinspect has disclosed a cryptocurrency wallet vulnerability it calls Ill Bloom, and active exploitation is already underway. Attackers have stolen over $5 million from affected wallets by exploiting a flaw in how certain wallet software generates recovery seed phrases.

The core issue: when a wallet's seed phrase is generated using a weak or predictable pseudorandom number generator (PRNG), an attacker can systematically enumerate the reduced entropy space to derive the corresponding private keys — without ever having direct access to the victim's device.


How the Ill Bloom Attack Works

The Flaw: Weak Randomness at Wallet Creation

A cryptocurrency wallet's security depends entirely on the randomness of its seed phrase — the 12 to 24 word recovery phrase that encodes the private key controlling all associated funds. When the software generating that phrase relies on a flawed PRNG (one with insufficient entropy, a predictable seed, or a broken implementation), the space of possible seed phrases shrinks dramatically.

Where a properly generated 24-word BIP-39 phrase has 256 bits of entropy, wallets affected by Ill Bloom may produce phrases with only 32 to 64 bits of effective entropy — a range that modern hardware can brute-force offline in hours to days.

Attack Flow

1. Attacker identifies on-chain wallets created during periods of known vulnerable library use
2. For each target address, attacker runs offline PRNG enumeration against the reduced entropy space
3. Matching seed phrases are derived and corresponding private keys generated
4. Attacker signs and broadcasts transactions draining the wallet balance
5. Funds are swept to attacker-controlled addresses and mixed

The attack is entirely off-chain until the final transaction broadcast — it leaves no trace in the target wallet's transaction history until the moment funds are drained.


Affected Wallets and Libraries

Coinspect's disclosure indicates the vulnerability affects wallets generated by certain software libraries during specific time windows, primarily between 2018 and 2024. The firm has not named all affected libraries publicly to allow coordinated disclosure, but confirmed:

  • The flaw affects multiple wallet implementations across Bitcoin, Ethereum, and Solana ecosystems
  • Wallets generated on mobile devices and in browser-based web wallets are among those at higher risk
  • Hardware wallets using dedicated secure elements are not affected

Scale of Active Exploitation

MetricValue
Confirmed stolen$5M+
Assets targetedBTC, ETH, SOL
Wallet creation window2018–2024
Exploitation statusActive as of July 2026

Coinspect notes the exploitation appears targeted — attackers are prioritizing wallets with significant balances rather than conducting mass sweeps of all potentially affected addresses.


How to Check If Your Wallet Is Affected

  1. Use Coinspect's checker tool — the firm is providing a tool to assess whether specific wallet addresses were generated with vulnerable software. Check the Coinspect website for availability.
  2. Check your wallet software version and source — wallets generated by well-maintained, reputable software using OS-level randomness (/dev/urandom, CryptGenRandom) are typically safe.
  3. Review wallet creation date — if the wallet was created between 2018 and 2024 using mobile or browser-based software, treat it as potentially affected until verified.

Immediate Actions

If You May Be Affected

  1. Create a new wallet using reputable software (e.g., latest version of a well-audited desktop client) or a hardware wallet (Ledger, Trezor)
  2. Transfer all funds from potentially affected wallets to the new wallet immediately
  3. Do not reuse the old wallet addresses — treat them as permanently compromised
  4. Monitor affected addresses for unauthorized outbound transactions

For Ongoing Security

  • Use hardware wallets for significant cryptocurrency holdings; their secure elements use certified random number generators
  • Generate wallets offline using air-gapped devices when high value is involved
  • Periodically audit wallet software for security advisories from the maintainers

Why This Class of Vulnerability Persists

Cryptographic PRNG failures in wallet software are not new — similar issues have surfaced in Android's Java SecureRandom implementation (2013), early Bitcoin wallet software, and various web-based generators. The challenge is that:

  • The flaw is only detectable years later when researchers reverse-engineer the generation algorithm
  • Affected wallets continue to function normally — there is no visible indication of the weakness
  • Funds remain at risk indefinitely unless proactively migrated

The Ill Bloom disclosure reinforces the importance of using formally audited wallet software and hardware security modules for any significant cryptocurrency storage.


Source: The Hacker News / Coinspect, July 2026

Related Reading

  • ZeroDayRAT Mobile Spyware Enables Total Surveillance of iOS
  • CVE-2026-15488: Unrestricted File Upload in shiroiAdmin
#Cryptocurrency#Vulnerability#Wallet Security#The Hacker News#Coinspect#PRNG

Related Articles

EngageLab SDK Flaw Exposed 50M Android Users, Including 30M

A now-patched security vulnerability in the widely used EngageLab Android SDK allowed apps on the same device to bypass the Android security sandbox and...

5 min read

Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild

A critical CVSS 9.8 authentication bypass vulnerability in Oracle E-Business Suite's Payments module is being actively exploited in the wild, according to...

4 min read

236,000 DCloud Uni-App Sites Powering Crypto Scams and Wallet Drainers

Infoblox researchers have uncovered over 236,000 websites built on the legitimate DCloud Uni-App framework being weaponized for investment scams,...

5 min read
Back to all News