Following yesterday’s revelation that a critical vulnerability compromised the foundational self-custody infrastructure of Cardano’s premier “neofinance” gateway, SecondFi has instituted sweeping operational measures to orchestrate a recovery. SecondFi said a security breach compromised 374 wallet addresses and resulted in the loss of about 16 million ADA, worth roughly $2.4 million.
As on-chain analysts reconcile the variance between SecondFi’s confirmed 16 million ADA ($2.4 million) deficit and SlowMist’s broader threat projection of 129 million ADA, the platform has committed to an aggressive stabilization plan.
The company disclosed the incident in an update shared on X by EMURGO, one of Cardano’s founding entities. According to the company, the attack targeted its wallet-generation software and exploited a vulnerability related to wallet creation and private key generation. SecondFi said it has since isolated the source of the breach, patched the issue, and placed the platform in maintenance mode while the investigation continues.
The attack logistics
In a major breakthrough posted via its official infrastructure channels, SecondFi revealed that forensic tracking has successfully mapped the footprint of two distinct malicious actors who exploited the platform between June 21 and June 23:
- Attacker A: Responsible for the initial two waves of the exploit, this entity targeted and successfully drained 171 user wallets.
- Attacker B: Initiated a third aggressive sweep, exploiting the same predictable randomness flaw to break an additional 203 wallets.
SecondFi also disclosed wallet addresses and stake keys associated with the alleged attackers.
The 129M ADA
A major point of confusion within the market was resolved following a comprehensive ledger audit by analytics firm Bitquery. Initial reports raised fears that the syndicate had compromised up to 129 million ADA ($20 million). However, SecondFi clarified that this massive capital block was actually rescued by developers during the initial triage.
Through an emergency preservation protocol executed across seven distinct state transactions, SecondFi successfully isolated the vulnerable 129 million ADA and placed it under the control of an independent, highly fortified third-party custodian before the attackers could initiate further sweeps.
Furthermore, SecondFi has finalized a comprehensive block snapshot of the network to verify exact ownership registries. The company said it continues to cooperate with global law enforcement networks to restrict the movement of the stolen holdings. On-chain monitoring is currently focused on a single remaining attacker hot wallet that still holds 4.02 million ADA.
The broader threat envelope
The architectural failure has renewed intense industry focus on supply chain vulnerabilities within front-end wallet software. Unlike standard DeFi breaches that take advantage of logical flaws inside smart contracts, this exploit compromised the security model before any data was ever broadcast to the ledger.
Mitchell Amador, Chief Executive Officer of Immunefi, noted to The Crypto Times, “Key compromises inside DeFi protocols dropped to 8.1% of losses by 2025 because teams hardened their key management. The attackers didn’t quit. They moved to where keys are held in bulk: exchanges like Bybit, custodians, and now wallet generation code itself.” He added, “The chain held. The code that mints the keys is the part nobody audits like a contract.”
Ecosystem partners, including Cardano developer Blink Labs, continue to advise users who generated hot wallets during the affected release window to transfer their funds to entirely separate software interfaces.
This infrastructure strain follows a historical precedent set in November 2025, when an isolated script evaluation anomaly exposed a legacy bug and triggered a brief Cardano ledger split. With secondary phishing networks now actively deploying malicious “SecondFi Asset Recovery” traps across social spaces to steal user passwords, EMURGO’s immediate priority remains anchored on independent security validation to restore system integrity.
