One of the Cardano ecosystem’s most established wallets has suffered a breach that strikes at the foundation of self-custody itself. On June 23, SecondFi, the self-custody “neofinance” platform formerly known as the widely used Yoroi wallet, disclosed that attackers had exploited a vulnerability in its proprietary Cardano wallet-generation software, draining ADA, tokens, and NFTs from user accounts.
As investigators dig in, the headline question is no longer whether it was serious, but how serious: estimates of the damage now range from $2.4 million to north of $20 million.
What happened
SecondFi first alerted users that it had detected a security issue affecting a small number of Cardano wallets, then moved quickly into damage control, suspending services, pausing front-end interactions, and entering maintenance mode. The team subsequently isolated the root cause to its native Cardano web wallet-generation software, the component responsible for creating new wallets and the private keys that secure them.
Community and on-chain reports indicate roughly 178 wallets were compromised, with nearly 200 suspicious transactions clustered around June 21 and 22. As a precaution, SecondFi took a snapshot of user balances, freezing a record of holdings at the moment the breach was identified to support any future recovery.
Dueling loss estimates
This is where the story sharpens. SecondFi’s preliminary figure puts the impact at around 16 million ADA, worth roughly $2.4 million at the time of the incident. But SlowMist founder Cos, also known as Yu Xian, painted a far darker picture.
After tracking the attacker’s fund flows and wallet activity overnight, he flagged two suspected hacker addresses and concluded that affected users have likely lost over $20 million, as much as 129 million ADA plus other tokens, many times SecondFi’s official estimate.
The roughly eightfold gap between the two figures is significant, and unresolved. SecondFi says it is finalizing an independent technical review with a leading blockchain security firm, and that the exact loss will be disclosed once the audit is complete. Until then, the prudent read for the market is that the official number is a floor, not a ceiling.
Why a key-generation bug is uniquely dangerous
Most crypto exploits target a vulnerable smart contract, a cross-chain bridge, or a centralized front end. A flaw in wallet key generation is a different and far more insidious category because it poisons the well at the source.
Because the SecondFi software produced private keys with predictable randomness, every single wallet created through that specific software iteration is potentially compromised, including those that have not yet been drained.
That is precisely the warning now echoing through the Cardano community. Cardano software developer Blink Labs cautioned that the generated wallets “are all unsafe” and urged users to switch to a completely different wallet provider immediately. SecondFi’s own advice for users to migrate remaining assets to alternative platforms is a tacit acknowledgment of this reality.
It is a brutal irony for a self-custody platform: users who faithfully followed the “not your keys, not your crypto” mantra were still exposed, not through centralized custody, but through the underlying code that minted their keys in the first place.
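As an added illustration (not SecondFi's code; the article does not describe the actual flaw), the Node.js sketch below contrasts a hypothetical generator that derives key bytes from the clock with one that draws from the OS CSPRNG, and runs an audit check that reports how little entropy can sit behind a 256-bit key. The names `weakEntropy`, `strongEntropy`, `repeatsUnderFrozenClock` and `audit`, and the sample timestamp, are assumptions made for the example.

```javascript
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto; // Web Crypto

// mulberry32: a small seeded PRNG. Fine for simulations, useless for keys.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// HYPOTHETICAL flawed generator: 32 bytes of output, all derived from the clock.
function weakEntropy(nowMs) {
  const next = mulberry32(nowMs);
  return Buffer.from(Array.from({ length: 32 }, () => Math.floor(next() * 256)));
}

// Hardened form: 32 bytes from the OS CSPRNG; the clock argument is ignored.
function strongEntropy(_nowMs) {
  return Buffer.from(webcrypto.getRandomValues(new Uint8Array(32)));
}

// Audit check: with the clock frozen, does the generator ever repeat itself?
function repeatsUnderFrozenClock(generate, nowMs, runs = 200) {
  const seen = new Set();
  for (let i = 0; i < runs; i++) {
    const hex = generate(nowMs).toString('hex');
    if (seen.has(hex)) return true;
    seen.add(hex);
  }
  return false;
}

// Report output size next to an upper bound on the entropy behind it. Output
// that depends only on a millisecond clock has one candidate per ms of window.
function audit(generate, nowMs, windowMs) {
  const outputBits = generate(nowMs).length * 8;
  const deterministic = repeatsUnderFrozenClock(generate, nowMs);
  const entropyBitsUpperBound = deterministic
    ? Math.min(outputBits, Math.log2(windowMs)) : outputBits;
  return { outputBits, deterministic, entropyBitsUpperBound };
}

const SAMPLE_NOW_MS = 1700000000000; // constructed timestamp, not from the incident
const DAY_MS = 24 * 60 * 60 * 1000;
console.log('weak  ', audit(weakEntropy, SAMPLE_NOW_MS, DAY_MS));
console.log('strong', audit(strongEntropy, SAMPLE_NOW_MS, DAY_MS));
```

Both generators return keys that look equally random; only the frozen-clock check separates them, which is why every wallet from a flawed generator has to be treated as exposed whether or not it has been touched.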
A blow to a flagship Cardano wallet
The reputational sting of this exploit is heavily amplified by SecondFi’s pedigree. The platform traces directly to Yoroi, one of the earliest and most trusted light wallets in the Cardano ecosystem, used by more than a million ADA holders.
EMURGO, one of the three founding entities behind the Cardano blockchain, officially evolved and rebranded Yoroi into SecondFi in early June 2026 (shipping version 10.0.3 on June 7), expanding it into a full neofinance platform for spending, trading, earning, and saving via Visa integrations.
A breach at a wallet with this lineage lands much harder than an exploit at an anonymous new protocol. Because EMURGO is a founding architect of Cardano, the pressure on the Cardano Foundation and Input Output (IOHK) to step in and assist with a bailout or recovery is unusually high. SecondFi has confirmed it is actively coordinating its response with these core institutions, as well as ecosystem partners like Intersect and SundaeSwap.
Scammers move in
As is grimly routine after major crypto incidents, a secondary wave has followed: a surge of fraudulent accounts impersonating SecondFi support channels on X and Telegram, preying on panicked users hunting for help.
SecondFi has urged users to verify any communication strictly through official domains and to treat unsolicited “recovery” offers or links as hostile phishing attempts.
What ADA holders should watch
For anyone who generated a wallet through SecondFi, the safest course is to assume the keys may be compromised and move funds to a wallet created by a different provider. Traders, meanwhile, should watch whether the stolen ADA begins flowing to exchanges, which could foreshadow sell pressure on the token.
The biggest open question is compensation: the balance snapshot gives SecondFi a basis to make users whole, but no plan or timeline has been confirmed. If the firm and its ecosystem partners deliver a credible reimbursement, the trust damage may be contained. If not, the incident risks becoming a textbook case in why securing key generation matters every bit as much as securing key custody.
