
SecondFi exploit exposed wallet keys, enabling theft of 16M ADA from 374 addresses via vulnerable web wallet software. Cardano unaffected.
Author: Akshat Thakur
June 24, 2026 - The SecondFi Wallet Exploit has resulted in the theft of approximately 16 million ADA after a critical vulnerability in the platform’s web wallet generation software exposed users’ private keys and recovery phrases.
SecondFi confirmed that the security incident originated from its native Cardano web wallet generation software rather than from the underlying Cardano blockchain.
In an official update, the company stated that it had isolated the root cause and determined that the vulnerability was confined to wallet creation software used by its web application. The platform later revealed that four separate draining events had occurred, with three external threat actors successfully stealing approximately 16 million ADA from 374 affected addresses.
The exploit also resulted in the theft of additional tokens and NFTs stored within compromised wallets. The incident affected hundreds of self-custody wallets, prompting SecondFi to enter maintenance mode as its team deployed emergency measures to secure the remaining user assets.
SecondFi warned users not to restore affected recovery phrases into other wallets, noting that the risk exists at the address level and may be triggered when users sign transactions.
The platform previously operated as Yoroi, one of Cardano’s most widely used light wallets, developed by EMURGO.
In April 2026, EMURGO announced that Yoroi would evolve into SecondFi, expanding beyond traditional wallet functionality into a broader self-custody financial platform offering trading, spending, saving, and earning capabilities.
Until this incident, Yoroi had largely avoided major platform-wide security breaches. Historically, phishing attacks, malware, and compromised user devices caused most wallet losses in the ecosystem rather than systemic vulnerabilities.
The latest incident marks one of the most significant security failures affecting a major Cardano wallet provider.
The SecondFi Wallet Exploit differs significantly from typical crypto theft schemes.
Most wallet compromises occur when users approve malicious transactions or reveal recovery phrases to attackers. In this case, attackers reportedly obtained access to private keys during the wallet creation process itself.
According to SecondFi, the flaw existed within the software responsible for generating native Cardano web wallets.
Although the team has not yet published a detailed technical post-mortem, the vulnerability appears to have exposed wallet mnemonics or private keys during creation, allowing attackers to later access funds without requiring any interaction from victims.
Once attackers possessed the keys, they could independently sign and broadcast transactions directly on the blockchain.
Because the compromise occurred at wallet generation, simply importing an affected recovery phrase into another wallet does not eliminate the risk.
To prevent additional losses during the active exploit, SecondFi initiated emergency response procedures.
The company entered maintenance mode, took a snapshot of wallet balances, and triggered rescue measures designed to secure user funds before attackers could drain them.
According to the team’s latest update, they transferred approximately 129 million ADA and other digital assets to an independent third-party custodian for safekeeping on behalf of affected users.
SecondFi stated that an external accounting firm is auditing these secured holdings and that the company has established a formal claims process for impacted users.
The rescue operation has generated significant debate within the community because some users questioned how a self-custody platform was able to move customer assets during an emergency.
SecondFi maintains that the transfers were necessary to prevent further losses while the exploit remained active.
Timeline of the SecondFi Wallet Security Incident
SecondFi publishes its first public security notice, confirming that the incident originated from its web wallet generation software. The team states that on-chain analysis is underway to determine the scope and impact of the compromise.
Throughout the overnight period, attackers continue draining affected wallets. Multiple theft events occur as compromised addresses interact with the ecosystem.
SecondFi clarifies that the vulnerability exists at the individual wallet-address level and is triggered when affected users sign transactions. The team explicitly warns users not to restore their recovery phrases into alternative wallets, as doing so could further expose funds.
A widely shared alert from Crypto Banter brings broader attention to the incident, reporting that approximately 178 wallets may have been impacted and estimating losses of roughly 16 million ADA in addition to various native tokens and NFTs.
SecondFi publishes a comprehensive update confirming four distinct draining events involving external attackers. The report states that approximately 16 million ADA was stolen, while emergency measures successfully secured roughly 129 million ADA in a custodial environment. The team also confirms that a software patch has been deployed and outlines a claims process for affected users.
SecondFi continues incident response efforts, including claims processing, user assistance, forensic analysis, and additional security reviews aimed at preventing similar incidents in the future.
The SecondFi Wallet Exploit highlights one of the most severe risks facing self-custody users: compromised key generation.
Even when users follow best security practices and avoid phishing scams, vulnerabilities in wallet software can undermine the entire security model by exposing private keys during creation.
Importantly, SecondFi emphasized that the vulnerability affects only its wallet software and does not represent a weakness in the Cardano blockchain itself.
Nevertheless, the incident has damaged confidence in software wallets across the ecosystem and renewed calls for broader adoption of hardware wallets for large holdings.
Hardware wallets generate and store keys offline, significantly reducing exposure to browser-based or web wallet vulnerabilities.
Reaction across the Cardano community has been intense.
Many users expressed frustration over the recent rebranding from Yoroi to SecondFi, with some questioning whether changes introduced during the transition contributed to the vulnerability.
Others praised the team’s rapid emergency response, particularly the effort to secure approximately 129 million ADA before additional thefts could occur.
Security researchers also weighed in. SlowMist founder Yu Xian suggested total losses linked to the incident could potentially exceed $20 million when considering all affected assets.
Meanwhile, Cardano users have increasingly recommended migrating large holdings to hardware wallets or alternative software solutions while awaiting further details.
SecondFi says it has already deployed a patch for unaffected wallets and continues conducting on-chain analysis alongside ecosystem partners.
SecondFi encourages affected users to follow only official communication channels and submit claims through the designated recovery process once details become available.
The broader Cardano ecosystem, including Cardano Foundation and Input Output Global, will likely continue supporting investigation and remediation efforts.
For now, the incident serves as a stark reminder that self-custody security extends beyond user behavior and depends heavily on the integrity of wallet software itself.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.