Coinspect disclosed a critical vulnerability in cryptocurrency wallet software that attackers are actively exploiting to steal funds. The flaw, dubbed "Ill Bloom," centers on how certain wallet applications generate recovery phrases, the cryptographic seeds that control access to stored cryptocurrency.

Recovery phrases typically consist of 12 or 24 words selected from a standardized dictionary. These words must be generated using strong cryptographic randomness to ensure security. The Ill Bloom vulnerability occurs when wallet software fails to use proper randomness during phrase generation, allowing attackers to mathematically derive valid recovery phrases with minimal computational effort.

Once an attacker obtains a valid recovery phrase, they gain complete control over the wallet and can transfer all cryptocurrency holdings to their own accounts. This circumvents traditional security measures like two-factor authentication, as the recovery phrase itself represents absolute ownership of the funds.

Coinspect confirmed that attackers deployed this vulnerability in a coordinated campaign on May 27, draining over $5 million from multiple cryptocurrency wallets in a single sweep. The attack demonstrates that the flaw had entered active exploitation before public disclosure occurred.

The vulnerability affects cryptocurrency wallet software that implements weak randomness in phrase generation. Users relying on affected wallets face direct theft risk regardless of their own security practices. The specific wallet software vendors and affected versions have not been detailed in initial disclosures, though Coinspect likely coordinated responsible disclosure with affected parties.

Organizations and individuals using cryptocurrency wallets should verify that their wallet software uses cryptographically secure randomness during key generation. Users of potentially affected wallets should consider transferring funds to alternative wallets with verified secure implementations. This incident reinforces that wallet security depends entirely on proper cryptographic practices during setup, not just on user behavior after creation.