SecondFi Exploit on Cardano: 16 Million ADA Leak and Wallet Trust Crisis

On June 23, the SecondFi team announced a critical vulnerability in its wallet on the Cardano blockchain, immediately putting the platform into safe maintenance mode. Users temporarily lost the ability to conduct transactions through the interface while developers assessed the scale of the incident.
The next day, June 24, SecondFi confirmed that attackers had withdrawn approximately 16 million ADA from 374 addresses. Based on my calculations, the damage amounted to about $2.4 million at an ADA rate of around $0.146 at the time of the attack. This is a serious blow to the reputation of a project that positioned itself as a reliable tool for working with Cardano.

Emergency measures and the scale of the problem

To prevent a complete loss of funds, the SecondFi team launched emergency protocols, protecting the available 129 million ADA. As the developers stated, these funds are being directed to an independent, qualified third-party custodian for storage in the interests of the affected addresses. However, the situation remains tense: four withdrawal events were recorded. Three of them were actions by hackers, and the fourth was likely related to the team itself moving about 129 million ADA to protect assets. There has been no direct confirmation of this from SecondFi.
Mitchell Amador, CEO of Immunefi, pointed to the root of the problem: the project's software exposed the private keys it had generated itself. This indicates a fundamental defect in the key generation module, not in the Cardano blockchain itself. Therefore, SecondFi strongly recommended that users not restore their seed phrases in other Cardano-based wallets — the risk persists.

Ecosystem reaction and IOG's position

Charles Hoskinson, founder of Cardano, was quick to distance Input Output Global (IOG) from the incident. He stated that SecondFi is not an IOG product, and the company has no stake, control, or business relationship with this project. "We did not write this code and are not associated with it," Hoskinson emphasized. For context, SecondFi (formerly Yoroi Wallet) is backed by EMURGO — one of the key players in the Cardano ecosystem, which describes itself as a co-founder of the blockchain. However, Hoskinson made it clear that IOG does not control EMURGO and cannot speak on its behalf.
This incident raises serious questions about the security of wallets, even those supported by major ecosystem players. In November 2025, we saw a "dormant" Cardano wallet accidentally lose $6.05 million due to an illiquid pool. On-chain detective ZachXBT had previously described Cardano's operational model as an "insider enrichment scheme." Now, we are dealing with a direct compromise of private keys.
My analysis: This exploit is not just a technical glitch but a signal of systemic risks in key management on platforms that claim to be the "next generation" of DeFi. While SecondFi and EMURGO deal with the aftermath, user trust in Cardano wallets has been undermined. The market will be closely watching how quickly and transparently funds are returned and what security changes follow. For now, I recommend exercising extreme caution when using any unaudited wallets.