EMURGO launches refund process for victims of the SecondFi hack: deadlines and details

EMURGO, one of the key founding organizations of the Cardano ecosystem, has announced the start of a refund process for users of the SecondFi wallet affected by a large-scale exploit. Company CEO Phillip Pon confirmed that a compensation mechanism has already been developed, with the first payments expected to begin in approximately two weeks. According to on-chain analysis, the incident affected 374 addresses, from which about 16 million ADA were withdrawn.
For the upcoming week, the team has planned the technical implementation of the refund mechanism, followed by a week of thorough testing. SecondFi users are strongly advised not to perform any operations with their assets until official instructions are received. It is specifically emphasized that the service never requests private keys, seed phrases, or wallet access — any such messages are fraudulent.
Timeline of the Attack and Scale of Damage
According to the SecondFi team, between June 21 and 23, four incidents of unauthorized fund withdrawals occurred. In three cases, external attackers withdrew approximately 16 million ADA (roughly $2.4 million at the time of the attack) from 374 addresses. In the fourth episode, the team urgently transferred about 129 million ADA to an independent custodian to isolate those assets from any further unauthorized withdrawals. Verification of the safety of these funds is being conducted by an external auditing firm.
SecondFi also identified two attacker wallets: one linked to 171 compromised addresses, and the second to 203. Approximately 4 million ADA related to the theft are on a flagged collection address and remain under surveillance. Law enforcement authorities have already been notified of the incident.
Technical Details: Tibane Labs' Account
A separate independent investigation was conducted by Tibane Labs. According to their report, the root of the problem lies not in nonce reuse, but in a vulnerability related to an Ed25519 signature error. Tibane Labs claims that on June 8, an unaudited trantor SDK, published in the npm registry by an independent developer, replaced the previously used verified signing module from EMURGO. According to expert estimates, just one signed transaction was sufficient to recover the private key.
Notably, EMURGO has not yet published a full technical post-mortem of the incident and has not publicly responded to Tibane Labs' findings. The SecondFi wallet (known as Yoroi until April) has long been one of the primary tools in the Cardano ecosystem, making this incident particularly painful for the community.
My professional commentary: The situation surrounding SecondFi is a vivid example of how even respected projects with a long history can be vulnerable to unexpected attack vectors. The lack of a public post-mortem and silence in response to the detailed Tibane Labs report raises questions. Cardano users should carefully consider the findings of independent experts and, in the future, prioritize auditing the SDKs they use, especially those from third-party developers. Restoring trust after such an incident will require not only financial compensation from EMURGO but also maximum transparency.