Ill Bloom Flaw Exposes Crypto Wallets: Millions Lost to Weak Seed Phrases
The Silent Risk in Your Crypto Wallet
Many people hold cryptocurrency in self-custody wallets. These wallets rely on a recovery phrase made of 12 or 24 words. A new flaw called
What Happened in the Attack
Attackers used the flaw to drain about <3.1 million dollars> from 431 wallets in one day. More than 2 million dollars moved from other exposed wallets after that. The total taken or moved since the main sweep passed 5 million dollars. Bitcoin wallets suffered the biggest losses, with one address losing over 1.1 million dollars alone.
The attackers sent funds from hundreds of wallets to the same collection addresses in a short time. This showed it was one planned operation, not random thefts.
How the Weak Randomness Worked
Wallet software must pick words from a huge list at random. Good software uses strong random number tools so the chance of guessing is almost zero. The affected wallets used weak tools instead. This cut the possible phrases down to a small set an attacker could check one by one.
Researchers rebuilt the full list of weak phrases, turned them into wallet addresses, and checked the blockchain for any that still held money. They found 2,114 exposed addresses across Bitcoin, Ethereum, Tron, Polygon, and other chains.
Who Is at Risk
Most users are safe. Hardware wallets and big-name software wallets were not affected. The problem sits with some older or little-known mobile apps, some dating back to 2018. Wallets made on hardware devices stay safe because they use better random tools.
One weak phrase can control money on every chain it supports. Users should check every address tied to the same phrase.
How to Check Your Wallet
A free online tool lets anyone paste a public address and see if it matches the known weak list. If it matches, treat the recovery phrase as broken and move the money right away.
Never enter your recovery phrase or private key on any website. Real checks never ask for secrets. Scammers often appear after news like this and offer fake help to steal more funds.
The Fix and Future Protection
The only real fix is to create a new wallet with strong software and move the funds. Importing the old phrase into new software keeps the same weak keys. Hardware wallets are the safest choice for large amounts because they generate fresh phrases on the device itself.
This is not the first time weak random numbers caused big losses. Similar problems hit other tools in past years and drained millions before users moved their money. The pattern repeats every few years when old wallet code is found to have used poor random choices.
Why This Matters for Crypto Users
Self-custody gives full control but also full responsibility. A single weak spot in how the wallet was made years ago can still empty the account today. Checking addresses and moving funds when needed keeps users ahead of these hidden flaws.
Always create new wallets with trusted, up-to-date software. Store the new recovery phrase offline and never share it. Regular checks of public addresses against known weak lists add another layer of safety.