EMURGO has confirmed that SecondFi, the Cardano wallet platform hit by a private-key exploit in June, will not resume normal operations even after ongoing audits conclude, effectively winding down one of the ecosystem’s flagship self-custody tools while affected users continue to wait for their funds.
A flagship wallet, shut for good
In a July 6 update titled “The Path Forward,” signed by EMURGO chief executive Phillip Pon, the company told the Cardano community that SecondFi’s future is now limited to recovery. “SecondFi will not resume normal operations—even after the audits are complete,” the statement read, adding that going forward, EMURGO’s involvement is confined to “a dedicated asset recovery team, tasked solely with returning assets to affected users.” It urged all users to migrate away from the platform entirely, to a hardware wallet or an alternative provider, using officially prescribed methods.
That is a striking outcome for a product with deep roots in Cardano. SecondFi is the rebranded successor to Yoroi, the light wallet EMURGO launched in 2018 that served over a million users across nearly eight years as one of the network’s primary self-custody options before its April 2026 relaunch as a broader “neofinance” platform. EMURGO is one of Cardano’s three founding entities, which is precisely why the decision to retire the wallet rather than rehabilitate it carries weight.
To ease the exit, EMURGO said it will launch a “quarantined” site to help users check whether their wallet was affected, followed by a secure wallet-export tool and an in-person migration workshop in Tokyo.
The harder news for victims is timing. When EMURGO first mapped a recovery path in late June, it targeted a return of assets within roughly two weeks. The July 6 update contains no such firm date, stating instead that an external audit of a new on-chain recovery system is required before funds can be returned and that “given the number of known threat actors who are aware of the vulnerability, the safe return of assets must remain the overriding priority.” The company also declined to release preliminary findings while multiple independent reviews continue, promising a full account of “who, what, and why” only once they are finalized.
Why the scrutiny won’t fade
EMURGO’s caution has a defensible rationale. Releasing incomplete findings could mislead users, and moving too quickly could expose recovered funds to attackers still probing the flaw. But its silence on specifics has left a vacuum that independent researchers have moved to fill, and their accounts have been far less flattering than a routine bug.
There is broad agreement on the shape of the failure, if not its precise name: the flaw lived in how SecondFi’s software generated wallet keys and signatures, and it left users’ private keys derivable from public, on-chain data—no phishing link or stolen password required. An independent on-chain investigation by blockchain-intelligence firm Bitquery, which reconstructed the drain transaction by transaction, traced the breach to weak randomness in SecondFi’s key-generation code and stressed the Cardano protocol itself processed the transactions exactly as designed.
The exact mechanism is still contested—a forensic report from Tibane Labs characterized it as an Ed25519 signing error, while others have framed it as flawed nonce generation—but the researchers converge on the same conclusion: the keys SecondFi created were never truly secret.
It is the next step in that critique that has proven most damaging. Tibane Labs attributed the failure to an unaudited third-party signing library that it says replaced EMURGO’s previously audited code shortly before the exploit—and independent security researcher Taylor Monahan said SecondFi had effectively “rolled their own crypto,” describing the software as closed-source and unaudited.
Both frame the episode less as an unlucky bug than as a governance and process failure: a Cardano founding entity shipping unaudited code to production without an independent review that might have caught the flaw. That framing carries weight given SecondFi’s Yoroi lineage—users who trusted a wallet endorsed for years were migrated onto the very infrastructure that failed. It is worth noting that Tibane Labs is building a competing wallet, and its team includes former
Mt. Gox chief executive Mark Karpelès, so its analysis comes from an interested party. But EMURGO has neither published a technical postmortem nor publicly addressed the third-party code attribution, and that silence—more than any single researcher’s claim—is why the questions have not quieted. The incident has landed on ADA at a fragile moment, with the token trading near multi-year lows around $0.15.
What affected users should do now
For anyone who used SecondFi, the practical guidance is consistent across EMURGO’s statements. Users are urged to migrate away from the platform using only the official methods EMURGO publishes and, crucially, not to independently restore their recovery phrases into other wallets or move assets against official guidance during the recovery window—EMURGO has warned that doing so could complicate the secure return of funds, since its recovery is being built around wallet states recorded at the time of the incident. Affected users are directed to file claims through SecondFi’s official support channel.
The scam risk is acute and worth underlining. EMURGO has repeatedly cautioned that bad actors are imitating official guidance to target victims, a common follow-on to any high-profile exploit; legitimate recovery will come only through EMURGO’s verified channels and never from a stranger promising instant retrieval for a fee.
As context on the scale, the confirmed theft stands at roughly 16 million ADA (~$2.4 million) drained from 374 wallets across three external attack events between June 21 and 23, with a fourth event being EMURGO’s own emergency move of about 129 million ADA (~$18.5 million) to a third-party custodian to shield it from attackers. Security firm SlowMist has separately estimated the theoretical exposure could exceed $20 million, a figure that remains an upper bound rather than a confirmed loss.
The overall picture is of a founding-tier project managing a serious failure with visible caution but limited transparency, while its users face an indefinite wait and the loss of a wallet many had trusted for years. EMURGO’s promise of a full accounting still stands—but until it arrives, the questions its own community is asking are unlikely to quiet, and the recovery it has staked its reputation on remains, for now, unfinished.
