SecondFi takes final snapshot of users' funds, recommits to refund priority

- SecondFi says the exploit stemmed from a flaw in its wallet generation software that allowed attackers to derive private keys from on-chain data.
- The company and its parent, EMURGO, have secured about 129 million ADA and have launched a reimbursement fund.
- SecondFi remains in maintenance mode while conducting security audits and processing user claims before resuming normal operations.
Following the automated attacks that drained funds from wallets at SecondFi, Cardano’s wallet provider formerly known as Yoroi Wallet, between June 21 and 23, affected users now have something to cheer about.
SecondFi announced that it has taken a final balance snapshot on June 26 to begin processing refunds for affected users.
According to the company’s investigation, the vulnerability that was exploited was a flaw in its wallet generation software, specifically a deterministic nonce derivation error in its software signer that allowed attackers to reconstruct private keys from publicly available on-chain data.
Have the SecondFi attackers been identified?
According to SecondFi’s investigation, the wallet-draining campaigns were carried out by two separate actors.
One attacker compromised 171 wallets in two waves, while a second drained 203 wallets in a separate sweep, the company disclosed on June 25.
SecondFi says that it is working with law enforcement and partners across the Cardano ecosystem to trace and restrict the movement of stolen assets. Currently, 4.02 million ADA linked to the exploit are being held in a single collection wallet that is being monitored.
Will restoring a seed phrase help SecondFi’s users?
SecondFi advised affected users not to restore their recovery phrases into another Cardano wallet. Compromised keys remain exposed regardless of which software holds them because the vulnerability exists at the address level and not the wallet application layer.
Every transaction signed by an affected address leaked enough information for attackers to derive that address’s private key, according to the company’s June 26 guidance.
SecondFi also cautioned against claiming staking rewards, as it could expose funds to attackers monitoring the mempool for new transactions from compromised addresses.
Recovery fund and containment
SecondFi and its parent entity, EMURGO, have secured around 129 million ADA through emergency containment measures. Those funds are being held pending recovery operations.
The company said it is also working on the dedicated restoration fund it set up to reimburse affected users. It added that normal operations will not resume until external security firms audit its systems and give the green light to bring its services back online.
For now, SecondFi remains in maintenance mode. But users can already start to submit claims through its official support portal.
ADA currently trades around $0.148, having risen by over 3% over the past 24 hours. It traded at around $0.15 following the exploit, down about 2.9% in the 24 hours after the attack became public.
The token had already fallen more than 54% year to date from $0.42 at the start of 2026.
FAQs
What caused the SecondFi wallet exploit?
SecondFi traced the breach to a deterministic nonce derivation flaw in its native Cardano wallet generation software, which allowed attackers to mathematically reconstruct private keys from publicly available blockchain data after affected addresses signed transactions.
How many wallets were affected and how much ADA was stolen?
The exploit compromised 374 wallet addresses and drained approximately 16 million ADA, worth around $2.4 million at the time of the attack, according to SecondFi.
Why does SecondFi say not to restore recovery phrases into another wallet?
The vulnerability exists at the private key level, not the wallet application. Importing a compromised recovery phrase into a different Cardano wallet does not fix the exposed keys, and signing any new transaction from an affected address could allow attackers to drain the funds again.

Hannah Collymore
Hannah is a writer and editor with nearly a decade of blog writing and event reporting experience in the crypto space. At Cryptopolitan, Hannah contributes to the news page, reporting and analyzing the latest developments in DeFi, RWA, crypto regulation, AI and frontier tech industries. She graduated from Arcadia University with a degree in Business Administration.















