
28.06.2026
19:05

EMURGO announces refunds for victims of the SecondFi hack: payouts to begin in two weeks


The situation surrounding the SecondFi wallet, previously known as Yoroi, is becoming clearer. EMURGO CEO Phillip Pong officially stated that the company has found a technical solution to return funds to affected users. According to him, payouts are planned to begin in approximately two weeks: the team will spend the first week developing the refund mechanism and the second week thoroughly testing it.

As a reminder, the exploit affected 374 addresses, from which about 16 million ADA were withdrawn. At the time of the incident (June 21–23), this amount was estimated at approximately $2.4 million. However, this is only part of the story. The attackers acted in three stages; in a fourth episode, the SecondFi team urgently transferred about 129 million ADA to an independent custodian to isolate the assets. These funds are currently being verified by an external audit firm.

Technical Background: Not Nonce Reuse, but a Signature Error

The independent report from Tibane Labs deserves special attention. Contrary to initial assumptions, the company's analysts concluded that the root of the problem is not nonce reuse but a critical Ed25519 signature error. According to their data, on June 8 an unaudited trantor SDK, published on npm by an independent developer, replaced the previously used, verified EMURGO signing module. This means that the attackers needed only a single signed message to recover the private key.

Notably, EMURGO has not yet published a full technical post-mortem and has not publicly responded to Tibane Labs' findings. This raises questions within the community, given that SecondFi (Yoroi) has long remained one of the main wallets in the Cardano ecosystem, and EMURGO itself is one of the three founding organizations of the network.

Precautionary Measures and Current Status

SecondFi strongly urges users not to transfer assets until official instructions are provided and warns of a wave of fraudulent messages. The service emphasizes that it never requests private keys, seed phrases, or wallet access. As of now, two attacker wallets are known: one linked to 171 compromised addresses and the other to 203. About 4 million ADA associated with the theft sit at a flagged collection address and are being monitored.

This incident is yet another reminder of how fragile security can be even in mature ecosystems. The SecondFi hack came during a record-worst second quarter of 2026 for the crypto industry: 83 incidents with total damages of $755.3 million. Personally, I believe that the lack of a transparent post-mortem from EMURGO is a serious signal for ADA holders. Investors should closely monitor developments, especially how the company will rebuild trust after such a reputational blow.