24.06.2026
16:48

SecondFi Hack: 16 Million ADA Stolen Due to Critical Wallet Vulnerability

The Cardano ecosystem has faced a serious security incident. On June 23, the SecondFi team, formerly known as Yoroi Wallet, announced a problem with their wallet and immediately switched the platform to safe maintenance mode. Users temporarily lost the ability to conduct transactions through the interface while developers assessed the extent of the damage.

The very next day, on June 24, SecondFi confirmed that attackers had withdrawn approximately 16 million ADA from 374 addresses. Based on my calculations, given the ADA exchange rate of about $0.146 at the time of the attack, the damage amounted to roughly $2.4 million. This is a serious blow to trust in the platform, which was positioned as one of the key tools for self-custodial finance on Cardano.

The SecondFi team stated that emergency measures managed to protect the remaining 129 million ADA. These funds are now being directed to an independent qualified third-party custodian for storage in the interests of the affected addresses. However, the key question is how exactly the leak occurred.

Nature of the Vulnerability: A Problem at the Address Level

As it turned out, the problem lies not in the Cardano blockchain itself, but in the key generation module of the SecondFi wallet. Immunefi CEO Mitchell Amador explained that the project's software exposed the private keys it generated. This means that any user who signed a transaction could have been compromised.

This is why SecondFi strongly recommended against restoring the seed phrase in other Cardano-based wallets: the risk persists until the root cause is eliminated. A total of four withdrawal events were recorded: three by attackers and one, likely by the team itself, to protect assets.

Position of IOG and Charles Hoskinson

Cardano founder Charles Hoskinson was quick to distance himself from the incident. In his statement, he emphasized that SecondFi is not a product of Input Output Global (IOG). "We have nothing to do with SecondFi. We have no stake, control, ownership, or business relationship," Hoskinson stated, comparing the situation to contacting Apple about a problem with a Microsoft product.

However, it is worth noting that behind SecondFi is EMURGO — one of the co-founders of the Cardano blockchain, which describes itself as a company driving commercial adoption of the technology. Thus, while IOG formally bears no responsibility, the incident casts a shadow over the entire ecosystem.

My professional assessment: this hack is yet another alarming signal for the industry. A vulnerability at the key generation level is a fundamental defect that could recur in other projects. Users should reconsider their security approaches and possibly avoid wallets with closed-source code or insufficiently verified architecture. Cardano is undoubtedly a strong blockchain, but such incidents undermine trust even in the most reliable ecosystems.