SecondFi wallet hack on Cardano: 16 million ADA stolen, 374 addresses affected

On June 23, 2026, the SecondFi platform, formerly known as Yoroi Wallet, announced a critical vulnerability in its wallet on the Cardano blockchain. The attackers withdrew approximately 16 million ADA from 374 addresses. At the current ADA exchange rate of around $0.146, the damage is estimated at approximately $2.4 million. The team immediately switched the platform to safe maintenance mode, temporarily blocking the ability to conduct transactions through the interface.
In its statement, SecondFi emphasized that emergency measures protected the remaining 129 million ADA from complete loss. These funds were redirected to an independent qualified custodian, where they are held in the interests of the affected addresses. A total of four withdrawal events were recorded: three were carried out by hackers, and the fourth is likely related to the team's own actions to protect assets, although this is not directly disclosed.
Cause of the Vulnerability: An Issue at the Address Level
Analysis of the incident showed that the vulnerability lies at the address level and affects the transaction signing process. Immunefi CEO Mitchell Amador noted that SecondFi's software exposed the private keys it itself generated. The problem lies not in the Cardano blockchain itself, but in the wallet module responsible for key generation. This is why SecondFi strongly recommended that users not restore the seed phrase in other Cardano-based wallets — the risks remain.
The team has already identified the cause and released a fix for unaffected wallets. Active work is underway with key participants in the Cardano ecosystem: Input Output Global (IOG), Cardano Foundation, Intersect, and SundaeSwap.
Position of IOG and Charles Hoskinson
Cardano founder Charles Hoskinson was quick to distance IOG from the incident. In his statement, he emphasized that SecondFi is not an IOG product, and the company has no stakes, control, or business relationships with this project. "We did not write this code and are not associated with it," Hoskinson stated, comparing the situation to contacting Apple about a problem in a Microsoft product.
Notably, EMURGO is behind SecondFi: it is one of the co-founders of the Cardano blockchain and positions itself as a driving force for the commercial adoption of the technology. However, Hoskinson stressed that IOG does not control EMURGO and cannot speak on its behalf.
This incident once again raises questions about the security of wallets in the Cardano ecosystem, especially against the backdrop of a recent case where a "dormant" wallet accidentally exchanged 14.4 million ADA through an illiquid pool, losing $6.05 million. Analyst ZachXBT had previously called Cardano's operating model an "insider enrichment scheme," and such incidents only reinforce his arguments.
Expert opinion from Cryptalist: The leakage of private keys due to a generation error is a classic example of how trust in "self-custody" can be undermined by poor code. Users should double-check the reputation and audit of wallets, rather than relying solely on big names in the ecosystem. Despite its scientific approach, Cardano is not immune to such bugs, and this case will be a serious blow to trust in SecondFi and, indirectly, in EMURGO.