Some Wallets Have Been Guessable Since 2018, and Someone Finally Started Guessing
A recovery phrase is supposed to be one of trillions of trillions of possibilities. Some software wallets built theirs with a broken random number generator, quietly making them guessable. On May 27, 2026, someone guessed 431 of them at once and drained $3.14 million. The wallets had been sitting ducks since 2018.

When you create a self-custody wallet, it hands you a recovery phrase - 12 to 24 words that are the master key to everything inside. The entire security model rests on one assumption: those words are chosen with enough randomness that no one could ever guess them. The number of possible phrases is astronomically large. Guessing one is supposed to be impossible.
Supposed to be. On July 6, 2026, the security firm Coinspect disclosed a flaw it named Ill Bloom, and the flaw is exactly this: some software wallets did not use enough randomness. So the words were not chosen from an unimaginably large space. They were chosen from a small enough one that a determined attacker could work through the possibilities and find them.
The technical failure has a precise name. Generating a seed phrase safely requires a CSPRNG, a cryptographically secure pseudorandom number generator, one built to be unpredictable even to someone who studies its output. Some wallets used a plain PRNG instead, an ordinary random number generator that looks random to a human but follows a pattern a cryptographer can unwind. It appeared to work. Wallets generated. Phrases displayed. Funds stored. Everything looked normal. The weakness was invisible, sitting silently under the hood, for years.
Then someone found it, and they did not do it quietly.
On May 27, 2026, in a single coordinated sweep, an attacker drained 431 wallets at once. Total haul: about $3,140,968. Bitcoin took the worst of it, roughly $2.57 million, and one single Bitcoin wallet alone gave up more than $1.1 million. This was not a phishing campaign or a stolen key. The attacker simply computed the seed phrases and walked in the front door of hundreds of wallets simultaneously, because every one of them had a lock that could be picked from a list. By early July, follow-on transfers pushed the confirmed total past $5 million, and Coinspect warned the real number is almost certainly higher.
The scope is the scary part. Coinspect's analysis of just one monitored set of addresses found 2,114 vulnerable wallets with on-chain activity, spread across Bitcoin, Ethereum, Tron, Rootstock, and Polygon. And the first-funding dates on those wallets stretch back to September 2018. That means people have been holding funds in guessable wallets for up to eight years, with no idea, no warning, and no way to know. Worse, Coinspect found vulnerable wallets that were still being created in the weeks before the May drain, so this was not one old app with one old bug. The firm has identified at least five separate vulnerable wallet implementations, traced through on-chain funding links, GitHub code searches, and by reverse-engineering closed-source Android apps and Chrome extensions. It is deliberately not naming them yet, to avoid pointing attackers at wallets that have not been drained.
There is a bounded piece of good news. Coinspect says seeds generated on hardware wallets appear unaffected, and most mainstream software wallets are not vulnerable either. The risk is concentrated in lesser-known mobile wallets and browser extensions - the exact category a lot of people trusted precisely because "not your keys, not your coins" pushed them toward self-custody. Coinspect published a checker at illbloom.org where you can test a public address against its list of known-vulnerable wallets. A match is a clear warning. A clean result is not a guarantee, because the list is incomplete.
Here is the uncomfortable truth Ill Bloom exposes, and it is bigger than one bug. Every self-custody user is trusting a piece of cryptographic plumbing they cannot see, cannot inspect, and have no way to verify. You generate a phrase, you write it down, you trust it is random. You have no tool to confirm it. And this is not the first time that trust has been betrayed by the same exact failure. Milk Sad in 2023 did this. A Trust Wallet browser extension flaw the same year did this. Now Ill Bloom in 2026. Three times, the identical structural mistake: a random number generator that appeared to work was used where a cryptographically secure one was required, and users had no way to know until the money left.
If your seed came from a hardware wallet or a major software wallet, you are almost certainly fine. If it came from some obscure mobile app you downloaded years ago, the honest advice is blunt: treat that phrase as compromised even if the money has not moved yet, generate a fresh wallet with a fresh phrase, and move everything. The funds that are still sitting in those wallets are not safe. They are just waiting.
The Aftermath
Coinspect continued to monitor the ongoing exploitation and expand its list of vulnerable addresses, warning that confirmed losses of ~$5 million likely understate the true scale across unmonitored networks. It withheld the names of the five-plus affected wallet implementations to avoid directing attackers to undrained targets while mitigation was underway. The firm advised anyone who may have used an affected wallet to treat the seed phrase as compromised, generate a brand-new wallet, and move funds immediately, since exposed wallets remain drainable at any time. Ill Bloom joined Milk Sad (2023) and a 2023 Trust Wallet browser-extension flaw as the third major documented case of the same underlying failure - an insecure random number generator used where a cryptographically secure one was required.
COMMENTS