Logo Daily Crypto Briefs
Open menu

Ill Bloom Wallet Bug Drains $5M From Crypto Users

7 min read
Breaking News
Greyscale crypto hardware wallet, recovery phrase card and security dashboard on teal, red and off-white editorial panels for the Ill Bloom wallet vulnerability.

TL;DR

  • Coinspect disclosed Ill Bloom, an actively exploited wallet-generation vulnerability tied to weak recovery phrase randomness.
  • Secondary reports citing Coinspect said at least $5 million has moved from exposed wallets since May 27, including about $3.1 million from 431 wallets in one reviewed set.
  • The issue spans Bitcoin, Ethereum, Polygon, Rootstock, Tron and Solana address sets, but Coinspect said hardware-wallet-generated seeds appear unaffected based on current evidence.
  • Coinspect released an address checker and warned that importing the same weak recovery phrase into another app does not fix the risk.

CASABLANCA, July 6, 2026

Coinspect disclosed Ill Bloom, an actively exploited wallet-generation vulnerability tied to weak recovery phrases, after reports said at least $5 million had moved from exposed crypto wallets across Bitcoin, Ethereum, Solana and other chains.

The security firm said the issue affects a limited set of wallet addresses created under specific conditions, but the warning carries wider urgency because a weak seed can follow a user across apps, chains and future deposits. Coinspect released an address checker and told users never to enter a recovery phrase, private key, password or backup file into it.

Market context remained fragile as the warning spread. CoinGecko data checked by Daily Crypto Briefs showed Bitcoin near $62,895, up 0.39% over 24 hours, with about $1.26 trillion in market value and $22.16 billion in 24-hour volume. Ethereum traded near $1,770 and Solana near $80.77.

Coinspect said in its weak-seed explainer that recovery phrases are “permanent secrets” and warned that moving the same phrase into another wallet app does not make the original seed stronger. The firm said the safe path, once weak seed generation is suspected, is to create a new wallet with secure randomness and move funds to addresses controlled by the new phrase.

The disclosure follows a May 27 drain that secondary reports, citing Coinspect’s analysis, said affected 431 wallets out of 2,114 vulnerable wallets in one reviewed address set and removed about $3.1 million. Those reports said another $2 million moved from exposed wallets on Sunday, bringing the known amount moved from exposed wallets to about $5 million.

The immediate risk is not that every wallet is broken. It is that a small class of weakly generated recovery phrases may still control funded addresses, including on chains where the owner has not checked activity recently.

Bitcoin

BTC
June 6 to July 6, 2026
$62,901
+3.2%
Jun 6 - Jul 6 | High $65,714 Low $58,551

Ill Bloom Weak Seeds Hit Six Chains

The Ill Bloom checker says the vulnerability involves weak recovery phrases and lets users test public wallet addresses against a current dataset of known vulnerable funded addresses. It supports EVM, Bitcoin, Tron and Solana address formats, according to the page.

Coinspect’s disclosure says the team reproduced the attack end to end, identified the root cause, generated addresses that vulnerable recovery phrases could produce and checked which ones still had funds using on-chain data. The company said it is withholding specific technical details while investigation and coordinated disclosure continue.

The affected scope is multi-chain because a weak seed can derive different addresses on different networks. Reports citing Coinspect named Bitcoin, Ethereum, Polygon, Rootstock, Tron and Solana. That breadth gives the incident a different profile from a single smart-contract bug, where the affected contracts and funds are usually easier to fence off.

The company said the earliest known exploitation it identified dates to May 27, 2026, while earlier exploitation may exist. Coinspect also said vulnerable wallets were still being generated in recent weeks, although it has not publicly named every affected wallet app.

That limitation is deliberate but uncomfortable for users. Coinspect said a public address does not reveal which wallet originally generated the recovery phrase behind it. If a matching address appears in the checker, the firm asks affected users to share which wallet generated the phrase so vendors can be notified.

Daily Crypto Briefs has covered wallet risk in several forms, from a claimed $60 million Trezor recovery case to the SecondFi Cardano wallet exploit. Ill Bloom is different because the weakness may sit at the seed-generation layer rather than at the user interface or a single chain’s application logic.

Hardware Wallet Seeds Appear Unaffected

Coinspect’s official FAQ says current evidence indicates users who generated their seed with a hardware wallet are not affected. It also says most current software wallets do not appear vulnerable based on available research.

The highest-risk profile is narrower: users who created recovery phrases in less widely used mobile software wallets, especially older or obscure apps whose randomness behavior may not have been audited under the same scrutiny as mainstream wallets.

That does not mean users can ignore a negative checker result. Coinspect says a negative result only means the address was not found in the current dataset and does not prove that a seed is safe. The dataset may be incomplete.

The operational advice is also specific. If an address matches, users should treat the seed as compromised, create a new wallet with a new recovery phrase and migrate funds to addresses from that new phrase. Updating an app, restoring the same phrase somewhere else or importing it into hardware does not change the entropy of the original seed.

This is where wallet security becomes harder than ordinary phishing defense. A phishing site usually needs a recent signature, approval or phrase theft. A weak seed can be vulnerable from the moment it is created, even if the user never clicks a malicious link.

That distinction should shape how users read old wallet balances. A dormant address may look untouched until an attacker finishes scanning weak seed space or links the same weak phrase to another funded chain. Coinspect’s warning that compromise may not appear everywhere at once is the practical point for multi-chain holders.

Coinspect’s developer guidance says the response should not stop at patching current software. Wallet teams need historical analysis to determine whether older versions may have created recovery phrases with insufficient secure entropy.

That is a more difficult task than shipping an app update. Developers must review old randomness paths, possible fallbacks, environment-specific behavior and wrappers around random generation. Coinspect said randomness failures should be treated as fatal rather than falling back to non-cryptographic randomness.

The incident also creates a disclosure tradeoff. Publishing full technical details too early could help attackers reproduce the weak seed space faster, but withholding details leaves users dependent on checker coverage, wallet-provider alerts and public updates from Coinspect.

The broader security backdrop is already tense. Daily Crypto Briefs recently covered TRM Labs’ record 207 crypto hacks in the first half of 2026, and a patched Aptos Move VM flaw that showed how quickly a technical vulnerability can become a market-confidence issue.

Market sentiment remains defensive. Alternative.me showed the Crypto Fear and Greed Index at 24, or Extreme Fear, on July 6.

Fear & Greed Index

July 6, 2026
24 Extreme Fear

The next checkpoints are Coinspect’s technical follow-up, whether wallet providers identify affected versions, whether SlowMist or other security firms publish independent tracing, and whether the known $5 million figure rises as more chains and addresses are reviewed. Until then, the confirmed user action is narrow: check public addresses through the official disclosure, never expose a seed phrase, and treat any matching seed as a live compromise rather than a software-update problem.

Stay up to date

Get the latest crypto insights delivered to your inbox

Fact-checked by: Daily Crypto Briefs Fact-Check Desk

Frequently Asked Questions

What is the Ill Bloom wallet vulnerability?

Ill Bloom is Coinspect's name for an actively exploited wallet-generation vulnerability tied to weak randomness during recovery phrase creation.

How much crypto has been stolen through Ill Bloom?

Reports citing Coinspect said at least $5 million has moved from exposed wallets since May 27, 2026, though Coinspect says the full exposure may be incomplete.

Which blockchains are affected by Ill Bloom?

Coinspect-linked reporting identified affected address sets across Bitcoin, Ethereum, Polygon, Rootstock, Tron and Solana.

Are hardware wallets affected by Ill Bloom?

Coinspect says current evidence indicates users who generated their seed with a hardware wallet are not affected, while lesser-known mobile software wallets appear to be stronger candidates.

Does moving the same seed phrase to another wallet fix Ill Bloom risk?

No. Coinspect says importing the same recovery phrase into another app or hardware wallet does not change how the original seed was generated.