
SecondFi hack exposed a wallet key flaw that drained 16M ADA. Explore the exploit, user impact, EMURGO’s recovery plan, and what comes next.
Author: Kritika Gupta
14th July 2026- EMURGO has handed the Cardano Token2049 event to the Cardano Foundation to focus fully on recovery. The company confirmed the move. Its sole priority now is the SecondFi hack and returning assets to affected users.
High Signal Summary For A Quick Glance
Tam Nguyen
@BTC_LTC_XRP
@Cardano_CF MURGO stepping back is not the headline. The real headline is that Cardano’s governance system responded, reassigned responsibility, and kept TOKEN2049 moving forward. Resilience matters. 🔥
We confirm that our teams are taking over the responsibilities for Token2049 and have agreed to deliver the Cardano booth at Token2049 as voted on by DReps and as described in the governance action metadata. In addition to the Cardano booth, we are also organizing the side event https://t.co/UlNcqlUcqU
10:05 AM·Jul 14, 2026
TNT
@AlbertoSal69844
@Cardano_CF I'm involved with Cardano because I believe in Charles Hoskinson's honesty and vision. However, I don't understand the veiled criticism of the Cardano Foundation. The Cardano Foundation is always taking the right and committed steps. I hope the public criticism ends for good.
We confirm that our teams are taking over the responsibilities for Token2049 and have agreed to deliver the Cardano booth at Token2049 as voted on by DReps and as described in the governance action metadata. In addition to the Cardano booth, we are also organizing the side event https://t.co/UlNcqlUcqU
10:03 AM·Jul 14, 2026
izael.snek.ada
@izaelnathanael
@emurgo_io @IntersectMBO @Cardano_CF This gives us confidence that both EMURGO and SecondFi are fully committed to helping the users affected by this incident. We remain patient and hopeful as we await further progress and positive updates from both teams. If every affected user is ultimately able to recover their
Following the recent SecondFi incident, we have confirmed that our priority right now must be solely the recovery of assets for all affected users. Together with our colleagues at @IntersectMBO and the @Cardano_CF, we have agreed that the best way to ensure a successful https://t.co/YtvZcAuHTu
10:00 AM·Jul 14, 2026
Don Digital Finance
@niroshan682
@Cardano_CF Strong leadership is tested during difficult moments. Glad to see the community and Foundation working together to keep things moving while supporting affected users.
We confirm that our teams are taking over the responsibilities for Token2049 and have agreed to deliver the Cardano booth at Token2049 as voted on by DReps and as described in the governance action metadata. In addition to the Cardano booth, we are also organizing the side event https://t.co/9Q1qwnRVQJ
09:39 AM·Jul 14, 2026
Steady attention without excessive speculation.
The decision caps three weeks of fallout from a wallet exploit that shook Cardano holders. SecondFi is the self-custody wallet formerly known as Yoroi. Crucially, the flaw sat in the wallet software, not in the Cardano blockchain itself.
First, the important part. The SecondFi hack was not a Cardano protocol failure. It was also not a smart contract or Plutus exploit.
Instead, the root cause was a weak randomness flaw in SecondFi’s own key generation. According to CryptoBriefing, the software used a deterministic nonce during signing. As a result, attackers could rebuild a private key from public on-chain data.
The trigger was simple. Once an affected address signed any transaction, its signature leaked enough math to reconstruct the key. Then the attackers could move the funds at will.
In short, this was classic private key compromise. It came from flawed wallet code, not phishing or device malware. Notably, Cardano’s eUTXO ledger and script rules were never touched.
The confirmed theft is significant. According to SecondFi’s June 24 disclosure, attackers drained about 16 million ADA. That was worth roughly $2.4 million at the time.
Moreover, the drain hit 374 addresses across three distinct events. The attacks landed mostly between June 21 and June 23, 2026. Wave 1 started first, and Wave 2 followed two days later.
The scope may be larger, however. On-chain analysts at Bitquery tracked about 141.9 million ADA in total movement across roughly 3,072 wallets. Attacker addresses also held large NIGHT and SNEK token balances.
Total movement is not the same as total theft, though. Because of that gap, security firm SlowMist put potential user losses above $20 million. Still, that figure remains an estimate pending a full audit.
One number stands out from the rest. Beyond the confirmed theft, roughly 129 million ADA moved during the incident. SecondFi says its team secured those funds through emergency measures.
According to the company, that ADA was routed toward a third-party custodian for affected users. In addition, an external accounting firm was engaged to verify the totals. Bitquery data shows the bulk sitting in a dormant vault since June 23.
Independent confirmation of the custodian transfer is still thin, however. For that reason, the “secured” label deserves caution for now. Meanwhile, the community keeps asking how a self-custody provider moved that much ADA without user signatures.
Recovery odds also split sharply by wave. Wave 1 funds, about 12.3 million ADA, were largely dispersed through Minswap V2. As a result, analysts consider those funds unlikely to return.
Key milestones in the SecondFi incident and recovery process
EMURGO introduces SecondFi as a self-custody neofinance platform. No prominent independent wallet audit was publicly disclosed before the incident.
Attackers exploit a wallet cryptography flaw and drain approximately 16 million ADA from 374 affected addresses.
SecondFi and EMURGO disclose the exploit, patch unaffected wallets, open a claims process and issue urgent migration guidance.
EMURGO confirms that SecondFi will not reopen and assigns a dedicated team to asset recovery, wallet checks and secure migration.
EMURGO states that returning assets to affected users will take priority over its other SecondFi-related commitments.
EMURGO, Intersect and the Cardano Foundation agree to transfer Token2049 delivery to the Foundation while EMURGO focuses on recovery.
EMURGO must complete audits, verify affected balances, deploy its recovery system and begin returning assets. No final reimbursement deadline has been announced.
This point matters most for users. Because the flaw lives in the key itself, moving the wallet does not fix it. So restoring a recovery phrase into a new wallet does not remove the risk.
SecondFi was blunt about it. In its disclosure, the team wrote: “The security risk occurs when an affected user signs a transaction. Therefore recovery to another platform or wallet does not mitigate the risk.”
The team added a direct warning in the same thread. “DO NOT restore your recovery phrase into a new Cardano wallet,” it said. Instead, affected users should use the official status checker and follow the migration guidance.
EMURGO has since pushed hardware wallets as the safer path. Notably, a patch already protects newly generated wallets from the flaw.
The response escalated quickly through early July. On July 6, EMURGO confirmed that SecondFi would not reopen. The Defiant and crypto.news both reported the shutdown of normal operations.
EMURGO framed the choice plainly. “SecondFi will not resume normal operations, even after the audits are complete,” it wrote in its July 6 update. Going forward, its role is limited to a dedicated asset recovery team.
That team has a narrow mandate. Specifically, it must return assets to affected users. In addition, EMURGO is building a wallet status checker, secure migration tools, and an auditable on-chain recovery system.
Each recovery tool still needs an external audit, though. Because of that, EMURGO has not promised firm return dates. So affected users face more waiting before any payout arrives.
The July 14 handover follows directly from that focus. EMURGO agreed with IntersectMBO and the Cardano Foundation to shift the event. As a result, the Foundation will now deliver Token2049 for the community.
Intersect confirmed the reasoning in its own post. “EMURGO has recently been focused on managing the SecondFi incident,” it said. Consequently, EMURGO could not spare the resources to run the event.
The wider damage still looks contained, thankfully. Cardano DeFi total value locked actually rose during the same window. It climbed from about 523 million ADA on June 19 to 586 million ADA by June 26, per DefiLlama. Because the flaw was isolated to one wallet, the broader network avoided a systemic hit.
The next milestones are clear, at least. Watch for the recovery tools, the audit results, and the first user reimbursements. Until then, affected holders should treat every SecondFi-generated address as unsafe to sign from.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
EMURGO Confirms SecondFi Hack Leading Cardano Asset-Recovery Push
Robinhood Chain Scam Tokens Vanish From Buyer Wallets
BonkDAO Governance Attack Drains $20M in BONK From Treasury
Report Says Collector Crypt Bot Revenue Drives $62M Figure
EMURGO Confirms SecondFi Hack Leading Cardano Asset-Recovery Push
Robinhood Chain Scam Tokens Vanish From Buyer Wallets
BonkDAO Governance Attack Drains $20M in BONK From Treasury
Report Says Collector Crypt Bot Revenue Drives $62M Figure