Coinspect has disclosed Ill Bloom, an actively exploited crypto-wallet generation flaw that made some recovery phrases easier to guess than they should be. In one analyzed address set, a coordinated sweep on May 27, 2026 drained 431 accounts of about $3.14 million. The practical response is unusual: check only a public wallet address, never submit a seed phrase, and move funds to a newly generated wallet if the address matches.
Ill Bloom is not a malicious token approval or a fake recovery form. Coinspect traced it to weak randomness in the process that created certain 12-word recovery phrases. Importing the same weak phrase into another app does not repair it because the phrase still controls the same keys.
Who may be affected by Ill Bloom
The affected wallet apps have not all been publicly identified. A blockchain address does not reveal which app generated its seed, so naming a wallet without evidence would be misleading. Coinspect says the strongest candidates are people who created a seed in a less widely used mobile software wallet. Hardware-wallet-generated seeds are not affected by the weakness described in the current disclosure, and most current software wallets are not believed to be vulnerable.
The June 30 analysis measured 2,114 active addresses across Bitcoin, Ethereum, Tron, Rootstock, and Polygon. A vulnerable seed can control addresses on many chains, so checking only the chain where theft appeared may miss other assets. Coinspect’s checker currently accepts full EVM, Bitcoin, Tron, and Solana public addresses.
| Situation | Risk and next decision |
|---|---|
| Seed created by a hardware wallet | The current Ill Bloom evidence says these seeds are not affected. Keep following normal device and backup safety practices. |
| Seed created in a lesser-known mobile wallet | Higher-priority check. Enter only public addresses in the Coinspect checker and review every chain controlled by that seed. |
| Address replaced before a transfer | This points more strongly to clipboard malware or a crypto clipper, not Ill Bloom. Stop using the device and compare the receiving address on a clean screen. |
| Wallet connected to an airdrop or claim page | Review token approvals and signatures. That is the usual crypto-drainer path, which is different from a weak seed created at wallet setup. |
| Funds moved without a signature, seed leak, or suspicious site | Ill Bloom becomes one plausible explanation, especially for an older mobile-wallet seed. Check the public addresses and preserve transaction evidence. |
How to check an address safely
- Open the exact research site: type
illbloom.orgyourself or follow the primary reference at the end of this article. Avoid ads, direct messages, and lookalike “support” pages. - Paste only a public address. A public address is meant to receive funds and can be viewed on a blockchain explorer. It is not a seed phrase, private key, password, backup file, or wallet export.
- Check each relevant chain and account. One seed can derive several addresses across several networks. A match on any address means the seed should be treated as compromised.
- Do not connect the wallet or sign anything. Coinspect’s checker performs a local lookup and does not need a wallet connection, token approval, recovery phrase, or transaction signature.

A clone that asks for 12 or 24 words is not performing the published Ill Bloom check. Close it immediately. For broader storage choices and seed-backup risks, see the hot wallet vs cold wallet security guide.
What to do if an address matches
- Create a completely new wallet with a new recovery phrase. Use a reputable current wallet or hardware wallet on a clean device. Confirm that setup displays a different set of 12 or 24 words.
- Do not import the old phrase. Restoring the old seed in a different app recreates the vulnerable keys and addresses.
- Move assets controlled by the seed. Inventory Bitcoin, EVM networks, Tron, Solana, and any other chains you used. Transfer to addresses derived from the new seed.
- Use a small test transaction first. Verify the new receiving address on a second trusted screen, send a small amount, confirm it arrived, and then transfer the remainder.
- Retire the old seed. Do not keep using it for an “empty” account, a secondary chain, staking, NFTs, or future deposits. An attacker who can derive the keys may monitor it indefinitely.
Updating wallet software can prevent future weak seed generation, but it cannot strengthen a recovery phrase that already exists. The security boundary changes only when the funds move to keys derived from a new, securely generated seed.
If funds already moved
Save the affected public addresses, transaction hashes, dates, amounts, destination addresses, wallet-app name and version, and the device on which the seed was originally created. Report the theft to the wallet vendor, relevant exchange or stablecoin issuer when identifiable, and the appropriate law-enforcement or cybercrime channel. Do not publish the seed phrase as “proof.”
Blockchain transfers usually cannot be reversed. Anyone who contacts you promising guaranteed recovery, private-key “validation,” or a special tracing fee may be targeting victims a second time. Review the warning signs in the crypto recovery scam guide before paying a recovery service.
What a negative checker result means
A negative result does not certify that the wallet is safe. It only means the public address was not present in the current Ill Bloom address sets. The dataset is not exhaustive, and the methodology covers selected seed types, derivation paths, and networks. Continue investigating malware, malicious approvals, copied-address replacement, phishing, exposed backups, and compromised exchange accounts when unexplained transfers occurred.
References
- Coinspect. “Ill Bloom: Crypto Wallet Vulnerability.” Coinspect Security Research, July 2026, accessed July 10, 2026. Ill Bloom disclosure and public-address checker.
- Coinspect. “Ill Bloom: Wallet Drain Analysis (July 2026).” Coinspect Security Research, snapshot dated June 30, 2026, accessed July 10, 2026. on-chain drain analysis.
- Coinspect. “Ill Bloom: Dataset Construction Methodology.” Coinspect Security Research, July 2026, accessed July 10, 2026. address-set methodology.

