Coinspect has flagged “Ill Bloom,” a weak-randomness vulnerability that could expose thousands of cryptocurrency wallets across several major blockchains, turning a routine recovery phrase into a potential drain vector. The security firm said the issue affects wallets on Bitcoin, Ethereum, Polygon, Rootstock, Tron and Solana, and is tied to insecure pseudorandom number generation during seed creation in certain software wallets. That sounds obscure, yet the consequence is brutally practical: weak recovery phrases can become weak ownership claims, especially when attackers can narrow the search space. Coinspect said at least $5 million has already been drained.
Hundreds of accounts were drained of ~$3M on May 27, 2026. In the last few hours, another ~$2M was moved from exposed wallets.
Thousands of accounts remain at risk across Bitcoin, Ethereum + L2s, Tron, and Solana.
— Coinspect Security (@coinspect) July 6, 2026
The risk appears concentrated in wallets generated as early as 2018, with lesser-known mobile software wallets described as the strongest candidates. Coinspect said it is not publishing full active-exploit details for now, a restraint that signals the threat is not merely theoretical. Instead, it released a wallet-checking tool so users can see whether an address may be exposed. The firm also warned that if funds recently moved without permission, Ill Bloom may be the reason. The disclosure is being handled as containment, not simply postmortem research, because revealing too much could help attackers.

The numbers make the warning harder to shrug off. Data from the investigation shows that a May 27 attack hit 431 wallets out of 2,114 vulnerable wallets, draining $3.1 million in cryptocurrency. Another $2 million later moved from exposed wallets on Sunday, bringing known losses above $5 million. Coinspect also cautioned that additional networks and addresses may have been exploited, meaning the visible wallet set may understate the real exposure. The known victim count may only be a floor, which leaves users and security teams working with incomplete visibility.
We're closely monitoring the Ill Bloom wallet weak randomness risk alert from @coinspect .
Please check whether any of your historical wallet addresses are affected
https://t.co/cTRltZCfyB
Thanks to @coinspect for the responsible disclosure. Stay safe! https://t.co/cC6OTxqvpX
— SlowMist (@SlowMist_Team) July 6, 2026
There is one important boundary in the alert. Coinspect said current evidence indicates users who generated their seed with a hardware wallet are not affected, and most current software wallets also appear not to be vulnerable. Still, the episode fits a recurring pattern in crypto security: randomness failures can quietly undermine everything built on top of them. Prior weak-seed incidents hit Trust Wallet’s browser extension and Libbitcoin Explorer, showing how entropy flaws can become brute-force opportunities. The real lesson is seed generation discipline, because custody security can fail before assets ever reach a blockchain or users realize backups were compromised at all.