24.06.2026
08:58

The SecondFi hack on Cardano: the actual damage may exceed $20 million

The Cardano ecosystem has faced a serious security incident: SecondFi, the project previously known as the Yoroi wallet, reported a hack caused by a vulnerability in its proprietary wallet generation software. According to the team's preliminary data, the damage is estimated at approximately 16 million ADA (about $2.4 million), but independent analysis indicates that actual losses could be significantly higher—over $20 million.

The incident affected one of the most popular "light" wallets in the Cardano ecosystem, used by over a million ADA holders. The software generated private keys with predictable randomness, which makes every wallet created through it potentially vulnerable. Initially, 178 compromised wallets were reported, but the actual scale may be much broader.

Discrepancy in Estimates: $2.4 Million or $20 Million?

Yu Xian, founder of the security company SlowMist, conducted his own analysis of the attacker's fund movements and wallet activity. His findings differ drastically from SecondFi's data. According to his estimate, actual user losses could theoretically exceed $20 million. Moreover, he tracked two suspected attacker addresses and believes that losses of up to 129 million ADA and other tokens may be linked to the incident, many times higher than the project's initial calculations.

The gap between the team's estimates and those of independent experts is roughly eightfold. This could mean that some compromised wallets have not yet been drained but remain vulnerable. The situation is complicated by the fact that SecondFi is a rebranded version of Yoroi, a product developed by EMURGO, one of the three founding companies of Cardano. The rebranding occurred in early June 2026, so the reputational blow from the attack is felt more strongly than in incidents involving anonymous projects.

What Should Users Do?

The project has suspended operations, entered maintenance mode, and taken a snapshot of user balances. The team urged everyone who created a wallet through its software to immediately transfer assets to wallets from other services. The investigation is ongoing, and the team has promised to disclose the exact amount of losses once a technical audit involving a third-party blockchain security company is complete.

My analysis: This incident is yet another reminder that even time-tested products with a multi-million audience are not immune to critical vulnerabilities. The gap in damage estimates is alarming: if SlowMist's data is correct, we are dealing with one of the largest hacks in the Cardano ecosystem. Users should act immediately without waiting for official audit results.