On June 23, 2026, SecondFi confirmed three separate external attacks had drained approximately 16 million ADA, worth around $2.4 million, from 374 user wallets. The vulnerability was traced to a flaw in the platform’s proprietary web wallet generation software: the code responsible for creating new wallets and their private keys was producing compromised addresses. Private keys, the cryptographic credentials that give a wallet owner exclusive control over their funds, were exposed during the creation process itself, before any user did anything wrong. SecondFi patched the flaw for unaffected wallets, moved its platform into maintenance mode, and took a balance snapshot. It also triggered emergency rescue measures before attackers could reach a further 129 million ADA, routing that sum to an independent third-party custodian.
The number that matters most is not the confirmed $2.4 million. It is the SlowMist estimate of potential total losses exceeding $20 million across up to 129 million ADA. That gap, roughly eightfold, means many compromised wallets may not yet have been drained but remain vulnerable as long as their keys were generated through the flawed software. Cardano founder Charles Hoskinson acknowledged the incident, calling the dollar amount modest relative to other crypto hacks while noting that offered little comfort to those who lost anything. ADA fell to approximately $0.15 during the fallout, its lowest level since 2020.
How the Flaw Actually Worked
The attack vector is specific and technically significant. SecondFi’s wallet generation software produced private keys with predictable randomness, a failure mode known as weak entropy. When a wallet is created, the software is supposed to draw on high-quality randomness to generate a unique private key that cannot be guessed or derived from other data. If that randomness source is flawed or predictable, the resulting private keys can be reproduced by anyone who understands the algorithm. The attacker did not need to steal a seed phrase. They did not need to intercept a transaction. They needed only to reproduce the key generation process.
The timing of the attack adds a layer of complexity. According to Cryptopolitan’s reporting, the hacker’s approach was to sweep funds only after a user signed a recent transaction. That behavior suggests the attacker was monitoring on-chain activity and targeting wallets that showed recent signs of life, presumably because dormant wallets with small balances are lower priority. SecondFi explicitly warned users that moving their seed phrase to a different wallet application would not protect them: the vulnerability is at the address level, not the seed phrase level. Affected users must submit claims directly to SecondFi because the compromise is embedded in the wallet address itself.
SecondFi took a balance snapshot at the moment the breach was identified, creating a frozen record of what every user held. An external accounting firm has been engaged to verify the rescued 129 million ADA held by the third-party custodian. Affected users can submit claims to SecondFi against that snapshot. The claims process is the only recourse for users whose wallets were drained: the Cardano blockchain operated normally throughout and cannot reverse confirmed transactions.
[Figure: SecondFi Incident: Confirmed vs Potential Losses. As of June 24, 2026. Sources: CoinDesk, SlowMist, Cryptopolitan, SecondFi statements | @cryptonewsbytes. Not financial advice.]
How the SecondFi Key Generation Flaw Worked
Three-phase attack across June 23-24, 2026 | Sources: SecondFi official statement, CoinDesk June 24 2026, SlowMist, Cryptopolitan | Not financial advice
Root cause: Weak entropy in key generation. SecondFi web wallet software produced private keys with predictable randomness. Keys could be reproduced by anyone who understood the algorithm.
Phase 1: Attacker derives compromised keys. Attacker runs key derivation on all SecondFi wallets. No hack of user devices. No phishing. No seed phrase theft. Just reproducing the flawed algorithm against known wallet addresses.
Phase 2: Monitor and sweep after user activity. Attacker watches for wallets that sign a transaction. Active wallets are higher priority. When a user sends or signs anything, the attacker sweeps immediately. Three separate attack waves over June 23-24.
374 wallets drained. 16M ADA confirmed stolen (~$2.4M). ADA swapped and moved. Hacker addresses tracked by SlowMist on-chain.
Attacker: funds gone. ~$2.4M drained. SlowMist: up to $20M at risk across all compromised addresses. Transactions irreversible on-chain.
SecondFi: emergency rescue. 129M ADA routed to third-party custodian before attackers reached it. Snapshot taken. Claims process opening. Confirmed by SecondFi statement.
If you used SecondFi or Yoroi web wallet: Create a new wallet with a different provider. Transfer to the new address. Do not import the same seed: the flaw is at address level, not seed phrase level.
Why This Hits Differently: Emurgo Built This
SecondFi is not a startup that nobody has heard of. The platform rebranded from Yoroi in April 2026, less than two months before the incident. Yoroi was one of the earliest and most trusted light wallets in the Cardano ecosystem, serving more than a million ADA holders who wanted self-custody without running a full node. It was built and maintained by Emurgo, one of Cardano’s three founding entities alongside Input Output Global and the Cardano Foundation. Emurgo shipped version 10.0.3 of the rebranded SecondFi on June 7, sixteen days before the exploit was disclosed. The rebranded platform expanded the product into a full neofinance stack covering spending, trading, earning, and saving via Visa integrations.
A breach at a wallet with Emurgo’s lineage carries far more institutional weight than an exploit at an anonymous new protocol. SecondFi confirmed it is coordinating its response with IOG, the Cardano Foundation, Intersect, and SundaeSwap, meaning the entire founding institutional layer of Cardano is now involved in the response to a failure that originated in one of its own organizations. The pressure on Emurgo to provide compensation is unusually high and so far has not produced a public commitment. Emurgo has not announced a reimbursement plan, published audit results, or given a timeline for restoring normal services. That silence is the most consequential open question for affected users.
Scams are already multiplying around the incident. Fraudulent actors are impersonating SecondFi support channels and distributing fake recovery tools to users who are actively looking for guidance. Anyone who used SecondFi or the legacy Yoroi web wallet should interact only with official SecondFi channels and be skeptical of any unsolicited contact offering to recover funds or process claims.
2026 Private Key Attack Pattern: SecondFi Fits a Consistent Trend
[Figure: Key management failures dominate 2026 crypto losses. 4 of 5 attacks in 2026 targeted key management, not smart contract code. Sources: CoinDesk, CNB prior coverage.]
What to Do Right Now If You Used SecondFi or Yoroi
The action required is specific. If you generated a wallet through SecondFi or through the legacy Yoroi web wallet interface, your private keys may have been produced by the flawed software regardless of whether your funds have been drained yet. The safest course is to create a new wallet using a different provider, such as Eternl, Lace, or a hardware wallet like Ledger, and transfer all ADA, tokens, and NFTs out of any potentially compromised address immediately. Do not simply move your seed phrase to another wallet application: the vulnerability is at the address level. The compromised address remains compromised regardless of which app you use to access it.
Do not interact with any recovery tool, browser extension, or support contact that reaches out to you proactively. The scam wave is already active and impersonators are targeting SecondFi users specifically. Submit any legitimate claims through SecondFi’s official channels only. Monitor those channels for updates on the claims process, the independent audit timeline, and any compensation announcement from Emurgo. The balance snapshot SecondFi took at the time of discovery is the basis for any future claims process, so users who have not yet been drained are not necessarily excluded from compensation if Emurgo ultimately commits to it.
Frequently Asked Questions
I used the Yoroi mobile app, not the web wallet. Am I affected?
SecondFi and the available reporting specifically identify the flaw as residing in the web wallet generation software. The mobile application may use different key generation code. However, until SecondFi publishes a full technical audit confirming which specific products were affected and which were not, the safest approach is to treat any wallet generated through any SecondFi or Yoroi interface as potentially at risk and migrate funds to a new wallet created through a different provider.
Why can’t I just move my seed phrase to a new wallet app?
The vulnerability is at the address level, not the seed phrase level. When SecondFi’s flawed software generated your wallet, it produced a wallet address with a private key derived from weak randomness. That private key is permanently associated with that address. Moving your seed phrase to a different application, such as Eternl or Nami, and importing the same wallet will recreate the same compromised address with the same compromised private key. You need to generate an entirely new wallet with new randomness from a different provider and transfer your funds to that new address.
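The following added example (not SecondFi's code) illustrates both this answer and the weak-entropy explanation under "How the Flaw Actually Worked": keys built from predictable randomness repeat, and re-importing the same entropy always recreates the same key. The actual defect has not been published, so the seeded PRNG, the SHA-256 `deriveKey` stand-in for real wallet derivation, and all function names are assumptions.

```javascript
// Added example, not SecondFi's code. The actual defect is unpublished; the
// seeded PRNG below is a hypothetical stand-in for "predictable randomness".
const nodeCrypto = require('node:crypto');

// Small non-cryptographic PRNG with 32 bits of state (mulberry32-style).
function seededPrng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return (t ^ (t >>> 14)) >>> 0;
  };
}

// WEAK: 32 bytes of "entropy" fully determined by a 32-bit seed, such as a
// creation timestamp. At most 2^32 distinct wallets can ever exist.
function weakEntropy(seed) {
  const next = seededPrng(seed);
  return Buffer.from(Array.from({ length: 32 }, () => next() & 0xff));
}

// HARDENED: 32 bytes from the operating system CSPRNG (seed is ignored).
function strongEntropy() {
  return nodeCrypto.randomBytes(32);
}

// Toy stand-in for the deterministic entropy -> seed phrase -> key derivation
// every wallet app performs. Same entropy in, same key out, in any app.
function deriveKey(entropy) {
  return nodeCrypto.createHash('sha256').update(entropy).digest('hex');
}

// Release-gate check: create `count` wallets while the (constructed) clock
// value stays fixed, and count how many derived keys repeat.
function duplicateKeys(makeEntropy, count, clock) {
  const seen = new Set();
  let dupes = 0;
  for (let i = 0; i < count; i++) {
    const key = deriveKey(makeEntropy(clock));
    if (seen.has(key)) dupes++;
    seen.add(key);
  }
  return dupes;
}

const CLOCK = 1750000000; // constructed sample timestamp
console.log('weak dupes:  ', duplicateKeys(weakEntropy, 100, CLOCK));
console.log('strong dupes:', duplicateKeys(strongEntropy, 100, CLOCK));
```

A duplicate count above zero in a check like this is a release blocker: it means key uniqueness depends on something other than the CSPRNG.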
Will Emurgo compensate affected users?
As of June 24, 2026, Emurgo has not publicly announced a compensation plan or timeline. SecondFi has engaged an external accounting firm to verify the 129 million ADA held in third-party custody and is accepting user claims. Whether those funds are distributed to affected users and on what basis is not yet confirmed. The Cardano community and affected users are watching Emurgo’s response closely given its status as a founding entity. No official audit results have been published.
Further Reading
Private key compromise as the dominant 2026 attack vector. SecondFi’s key generation flaw is a variant of the same fundamental failure: keys, not code.
The six-point wallet security checklist. The SecondFi incident adds a seventh rule: verify that your wallet provider’s key generation software has been independently audited.
This article is for informational purposes only and does not constitute financial advice. Sources: CoinDesk June 24 2026, CryptoTimes June 24, Cryptopolitan June 24, cryptonews.net, cryptobriefing.com, en.cryptonomist.ch, livebitcoinnews.com, SlowMist assessment, SecondFi official statement, Charles Hoskinson statement. Published June 17, 2026.

