Thousands of digital wallets across multiple blockchains are at risk from ‘Ill Bloom‘ vulnerability due to weak recovery phrase generation, Coinspect Security Research disclosed on July 6.
Today we are publishing the first Ill Bloom findings: affected-address checker + on-chain analysis to help users identify exposed addresses and protect their assets.
🔗 https://t.co/U0b4f3jtgz
⚠️ We will never ask for seed phrases, private keys, signatures, or approvals, or ask…
The wallets that Coinspect said are at risk span from BTC, Ethereum, Polygon to Rootstock and Tron. According to the disclosure, Ill Bloom is a wallet-generation issue caused by weak randomness during the recovery phase generation.
“As of 2026-06-30, the analyzed address set contains 2,114 addresses across Bitcoin, Ethereum, Tron, Rootstock, and Polygon, all of which have on-chain activity. The 2026-05-27 sweep drained 431 accounts for approximately $3,140,968. This is an on-going investigation, new affected accounts are continuously being detected,” Coinspect’s research read.
“If your address matches, funds controlled by the same recovery phrase are at risk. The safest remediation is to create a new wallet with a new recovery phrase and migrate your funds to addresses from that new wallet. Updating an app or importing the same recovery phrase into another app does not make your funds safe,” it added.
The vulnerability has affected wallets created as far back as 2018, and more often occurs in lesser-known mobile software wallets. Since May 27, 2026, at least $5 million has been drained from exposed wallets. However, the actual scale of the breach could be significantly larger, as there may have been additional exploits across additional networks and addresses.
Coinspect hasn’t released any details about the active exploit at this time but has published a wallet-checking tool to help users determine whether their addresses have been compromised. Since the attack on May 27, about 431 wallets of the 2,114 vulnerable addresses have been affected, draining a total of $3.14 million in digital currency, while another $2 million moved on July 5.
Caption: Illustration of the aggregated stolen amount per chain. (Source: Coinspect Security Research)“Current evidence tells us that users that generated their seed with a hardware wallet are not affected,” Coinspect said in another blog post. “Further research indicates that most current software wallets are also not vulnerable. The strongest candidates are users who generated their seed in less widely used mobile software wallets.”
Coinspect stated that its investigation is still underway, with additional affected wallet addresses to be identified “through vulnerable seed searches and blockchain analysis.” The firm added that it will share its findings with major stakeholders in the ecosystem to coordinate mitigation efforts.
See the full report here.
Digital wallet breaches throughout the years
Similar issues have surfaced in the blockchain space in recent years.
In 2023, Ledger’s security researchers found that wallet seed phrases created through the Trust Wallet browser extension are vulnerable to brute-force attacks.
The Trust Wallet browser extension is used for Chromium-based browsers. It is branded as a “secure multi-chain crypto wallet and gateway to thousands of Web3 decentralized applications (dApps).”
The extension is closed-source, but its code can be easily analyzed. To steal funds from all users of the Trust Wallet extension, attackers could compute and store potential mnemonics along with the corresponding Ethereum private keys and addresses. They would gather all Ethereum addresses created since the extension’s initial release, perform a lookup in the address database, and, if an address has been used, empty the wallet using the associated private key.
Another hack occurred between 2019 and 2020, over $22 million, or 1,980 BTC, was stolen from the Electrum wallet. The attackers have done so by sending Electrum wallet users a fraudulent message urging them to update their wallets.
“They [the wallet user] eventually end up installing a malicious version of the Electrum wallet, which the next time the user tries to use will ask for a one-time passcode (OTP),” said a ZDNet report.
“Normally, these codes are only requested before sending funds, and not at the Electrum wallet’s startup. If users enter the requested code—and most do, thinking they are using the official wallet—they effectively give official approval for the malicious wallet to transfer all of their funds to an attacker’s account.”
Watch: Can Blockchain Recover Stolen Crypto? BSV Says Yes
“Normally, these codes are only requested before sending funds, and not at the Electrum wallet’s startup. If users enter the req
















English (US) ·