Hackers Exploit ‘Ill Bloom’ Flaw to Steal Over $5M from Crypto Wallets

Security firm Coinspect has uncovered a critical vulnerability, dubbed ‘Ill Bloom,’ affecting certain cryptocurrency wallets. This flaw arises from inadequate randomness in generating recovery phrases, enabling attackers to predict these phrases and gain unauthorized access to associated funds.

On May 27, a coordinated attack exploited this vulnerability, resulting in the theft of approximately $3.1 million from 431 compromised wallets. Subsequently, an additional $2.1 million in USDT was stolen from another exposed wallet, bringing the total confirmed losses to over $5 million.

Coinspect emphasizes that while hardware wallets and most mainstream software wallets remain unaffected, older or lesser-known wallets, particularly those dating back to 2018, are at significant risk. The firm has not disclosed specific affected applications, urging users to verify their wallet security.

To assist users, Coinspect has provided a free online tool at illbloom.org. By entering their public wallet address, users can determine if their recovery phrase is compromised. If a match is found, it is imperative to transfer funds to a new, secure wallet immediately.

Understanding the Vulnerability

Cryptocurrency wallets rely on recovery phrases—typically 12 or 24 words—to secure access. These phrases should be generated with high entropy to ensure unpredictability. However, the affected wallets utilized weak random-number generators, significantly reducing the possible combinations. This flaw allows attackers to systematically derive potential recovery phrases and corresponding wallet addresses, identifying those with accessible funds.

Details of the Exploitation

As of June 30, Coinspect identified 2,114 exposed addresses across multiple blockchains, including Bitcoin, Ethereum, Rootstock, Tron, and Polygon. The May 27 attack predominantly targeted Bitcoin wallets, with losses totaling approximately $2.57 million. Notably, a single Bitcoin address suffered a loss exceeding $1.1 million.

The coordinated nature of the attack was evident as hundreds of unrelated wallets transferred their balances to a few collection addresses within hours. This pattern indicates a systematic exploitation of the ‘Ill Bloom’ vulnerability.

In a subsequent incident, Coinspect detected an exposed wallet containing $2.1 million in USDT. Despite efforts to alert the owner through associated exchanges, the warning did not reach in time, resulting in the loss of funds. This case underscores the persistent risk to wallets with compromised recovery phrases.

Coinspect’s ongoing research suggests that the number of vulnerable wallets may be higher than currently identified. The firm continues to expand its database of compromised seed phrases and advises all cryptocurrency users to proactively assess their wallet security.

The ‘Ill Bloom’ vulnerability highlights the critical importance of secure recovery phrase generation in cryptocurrency wallets. Users are urged to verify their wallet’s security protocols and, if necessary, migrate funds to more secure platforms. This incident serves as a stark reminder of the evolving threats in the digital asset space and the need for continuous vigilance.