The Core Vulnerability
A security flaw in certain cryptocurrency wallet applications, dubbed “Ill Bloom,” has allowed attackers to drain more than $5 million from user wallets. The vulnerability, disclosed by security firm Coinspect, stems from weak randomness in the software used to generate recovery phrases. These phrases, typically 12 or 24 words, are supposed to be chosen from a pool so vast that guessing them is practically impossible. However, the affected wallets used a predictable random number generator, drastically shrinking the number of possible phrases. This allowed an attacker to systematically generate all possible phrases, derive the corresponding wallet addresses, and check blockchain records for wallets holding funds.
Impact and Scale of Thefts
Coinspect confirmed a coordinated attack on May 27 that siphoned approximately $3.1 million from 431 wallets. A subsequent theft in June added another $2.1 million in USDT from an exposed wallet, pushing total confirmed losses past $5 million. Bitcoin accounts for the largest share, with one address alone losing over $1.1 million. As of June 30, researchers had identified 2,114 exposed addresses across Bitcoin, Ethereum, Tron, Polygon, and Rootstock. The researchers characterize the losses as a minimum, stating the list of vulnerable wallets continues to grow as they discover more weak seed generation paths. At the market’s peak in 2022, the same set of vulnerable wallets held a reconstructed value of $12.56 million.
What Users Should Do
Coinspect has released a free checking tool at illbloom.org. Users can paste their public wallet address to see if it appears on the list of known vulnerable wallets. A match means the recovery phrase is compromised and funds are at risk, even if they have not yet been stolen. The recommended action is to create a completely new wallet with a freshly generated phrase and move all funds immediately. The researchers warn against importing the old phrase into a new app, as that merely recreates the same weak wallet. They also caution users to beware of scammers who may offer to “rescue” funds in exchange for a recovery phrase or private key. A hardware wallet is considered the safest destination for transferred funds, but users must generate a new phrase on the device rather than importing the compromised one.
Source: The Hacker News
