EMURGO, one of the three co-founding entities of the Cardano blockchain, has announced a significant breakthrough in the recovery process for users affected by the SecondFi wallet exploit that drained approximately 16 million ADA from 374 wallets earlier this week.
The company says it has identified a clear recovery solution and is now moving into the execution phase, with an estimated two-week timeline before assets can begin being returned to affected users.
In a statement shared on X by EMURGO CEO Phillip Pon, the company confirmed that its engineering and security teams have been working around the clock since the breach was first detected.
The update states that forensic investigations have been completed, wallet balances have been validated, and the team has now established what it describes as the safest possible recovery pathway.
Recovery timeline and execution plan
According to the announcement, the recovery process is being split into two phases. The first week will be dedicated to building the recovery tool itself, while the second week will focus on thorough testing and security reviews before any assets are moved back to users. EMURGO has emphasized that while urgency is a priority, the process cannot be rushed, and safety remains the top concern.
A separate breakdown of the announcement noted that the final balance snapshot and affected asset verification have already been completed, and this record will serve as the basis for all subsequent asset returns. The post also clarified that the two-week estimate may still be adjusted depending on progress and is not a fixed commitment.
SecondFi will only resume normal operations after platform security has been fully confirmed and all external security reviews have been completed.
What led to the breach
The exploit was traced to a vulnerability in SecondFi’s native Cardano web wallet generation software, the component responsible for creating wallets and managing private keys. The flaw allowed attackers to gain access to private key material for wallets created through the web interface.
SecondFi, which evolved from EMURGO’s long-standing Yoroi Wallet in April 2026, confirmed that four separate wallet-draining events took place between June 21 and June 23. Three of those attacks were attributed to external threat actors, while the fourth was an emergency intervention by the SecondFi team itself, which secured approximately 129 million ADA by moving the funds to a third-party custodian as a precautionary measure.
SecondFi’s preliminary on-chain analysis put the confirmed losses at around 16 million ADA, valued at roughly $2.4 million at the time of the incident. However, SlowMist founder Yu Xian flagged a potentially much larger picture, estimating that user losses could ultimately exceed $20 million when accounting for up to 129 million ADA and other tokens held in compromised wallets.
Hoskinson weighs in
Cardano founder Charles Hoskinson addressed the situation publicly, stating that the Cardano blockchain itself was not compromised. He classified the incident as an application-level security failure confined to SecondFi, emphasizing that the network’s protocol, cryptographic foundations, and node infrastructure remain fully intact.
Hoskinson also revealed that he is experimenting with a recovery smart contract that would use zero-knowledge proofs tied to wallet recovery phrases to verify ownership and distribute assets from a recovery pool.
During a livestream, Hoskinson expressed sympathy for the victims, acknowledging that some users may have lost most or all of their ADA holdings. He described the incident as an unfortunate reality of the cryptocurrency industry and noted his own personal losses during the 2022 Nomad Bridge exploit.
Scam warnings and user guidance
EMURGO has issued a strong security advisory alongside its recovery update. The company warned that malicious actors are now circulating fraudulent communications impersonating SecondFi, attempting to exploit the situation by targeting panicked users.
The statement reiterates that SecondFi will never request private keys, seed phrases, wallet credentials, or direct wallet access under any circumstances. No recovery actions requiring user participation have begun at this stage, and any communication instructing users to transfer assets or submit wallet information outside of official channels should be treated as fraudulent.
Affected users are advised to submit a support ticket through the official SecondFi support page at support.secondfi.io and take no further independent action. EMURGO has specifically warned that independently migrating assets or restoring recovery phrases into other wallets could significantly complicate the secure return of funds, as the recovery process is being designed around existing wallet states.
ADA price impact
The exploit has added significant pressure to ADA, which was already trading near multi-year lows. At the time of the breach, ADA was hovering around $0.15, and the token has seen a decline of roughly 8% over the past seven days. The broader market context has not helped, with the overall cryptocurrency market also trending downward during the same period.
The incident has intensified scrutiny on EMURGO given its position as a founding entity of Cardano. SecondFi was listed in Cardano’s official app catalog and carried the institutional weight of the Yoroi brand, which had served as the ecosystem’s primary lightweight wallet for nearly eight years before the rebrand.
What remains unknown
While the recovery announcement marks the first time EMURGO has provided a concrete timeline, several key details remain undisclosed. These include the specific return dates for individual users, detailed asset-recovery amounts for each affected wallet, and the final claiming and verification methods to be used.
The official SecondFi account on X remains the primary channel for communications. EMURGO has committed to providing proactive updates at every stage of the recovery process.
As previously reported by The Crypto Times, the breach struck at the foundation of self-custody by targeting the very software that generated users’ private keys, making it one of the most consequential wallet-layer exploits in Cardano’s history.
Also Read: Polymarket Users Hit by $3M Frontend Exploit; Platform Vows Refunds
