Ill Bloom Vulnerability Exploited To Steal More Than $5 Million From Cryptocurrency Wallets

Ill Bloom Vulnerability Exploited To Steal More Than $5 Million From Cryptocurrency Wallets

Security firm Coinspect has disclosed a cryptocurrency wallet vulnerability known as Ill Bloom that has already been exploited by attackers to steal more than $5 million from digital wallets. The flaw affects the way certain wallet applications generated recovery phrases, also known as seed phrases, which are used to restore and control access to cryptocurrency funds. According to the researchers, the issue stems from weak randomness during the creation of these recovery phrases, making it possible for attackers to predict them and gain access to associated wallets. Coinspect confirmed that a coordinated operation on May 27 drained approximately $3.1 million from 431 cryptocurrency wallets. A subsequent theft involving an exposed wallet resulted in the loss of another $2.1 million in USDT, pushing confirmed losses beyond the $5 million mark.

The company stated that most users are unlikely to be affected because hardware wallets and many mainstream software wallets do not suffer from the vulnerability. The primary risk lies with certain older and lesser known wallet applications, including mobile applications and browser extensions dating back to 2018. Coinspect has not publicly identified the affected applications and instead launched a free online checker that allows users to determine whether their wallet addresses are exposed. Researchers warned that if funds have recently been transferred from a wallet without authorization, the Ill Bloom vulnerability may be the reason. Every self custody wallet begins with a recovery phrase consisting of 12 or 24 words selected from an extremely large pool of possible combinations. In the affected wallets, however, the software relied on a weak random number generator, significantly reducing the number of possible phrases and making them susceptible to brute force discovery.

Coinspect said it reconstructed the attack process and generated the set of recovery phrases that could have been produced by the vulnerable software. The company then derived wallet addresses associated with those phrases and compared them with public blockchain records to identify wallets that still contained funds. As of June 30, researchers had traced 2,114 exposed addresses across multiple blockchain networks, including Bitcoin, Ethereum, Rootstock, Tron, and Polygon. The coordinated theft on May 27 was identified through blockchain analysis, which showed hundreds of unrelated wallets transferring their balances to the same collection addresses within a short period. Bitcoin accounted for the majority of losses, with approximately $2.57 million stolen, including more than $1.1 million taken from a single address. Researchers also revealed that one of the later thefts involved a wallet owner whose compromised seed phrase had already been exposed but whose assets remained on another blockchain network. Despite efforts to warn the owner through exchanges connected to the address, the funds were stolen before protective action could be taken.

Coinspect described the known losses as only the minimum confirmed impact and said the number of exposed wallets continues to grow as additional vulnerable seed generation paths are identified. Researchers noted that at the peak of the cryptocurrency market in 2022, the same set of exposed wallets held assets worth approximately $12.56 million. The company urged users to immediately create a completely new wallet with a fresh recovery phrase if their addresses match the exposed list and transfer all funds to the new wallet. Reinstalling an application or importing the same recovery phrase into another wallet does not resolve the problem because the compromised seed remains vulnerable. The company also warned users to avoid websites or individuals offering to recover stolen funds in exchange for recovery phrases or private keys, emphasizing that legitimate security services will never request sensitive credentials. Coinspect has so far identified five vulnerable wallet implementations through blockchain analysis, code reviews, and reverse engineering of applications, although the names of the affected products have not yet been disclosed and researchers believe additional vulnerable wallets may still exist.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment