Private-Key Oopsie: SecondFi's Wallet Generator Hands Attackers the Keys to ~$20M 🗝️

Cardano-based wallet platform SecondFi confirmed on Wednesday that a vulnerability in its proprietary wallet-generation software, not in Cardano's base protocol, exposed user private keys and enabled attackers to drain funds across multiple addresses. SecondFi traced the root cause to an issue at the address level that is triggered when affected users sign transactions, which means that restoring the same recovery phrase into another platform or wallet does not mitigate the risk, according to statements the project posted on June 24. The company accordingly advised users not to restore their recovery phrases into new Cardano wallets.
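The advice not to restore the phrase elsewhere follows from how hierarchical deterministic wallets work: every key is a pure function of the recovery phrase, so a second wallet restoring the same phrase reproduces exactly the same keys, addresses and, if the keys are already known to an attacker, the same exposure. The following is an added illustration written for this page, not SecondFi's or Yoroi's code and not a description of the actual bug. It implements the BIP39 mnemonic-to-seed step (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus passphrase, a public standard) and a generic HMAC-based child derivation as a stand-in for a wallet's real derivation; the derivation path indices and the "old" and "new" wallet objects are assumptions. Cardano's own master-key scheme differs in detail and is not reproduced here, but the determinism that matters is the same.

```python
"""Why restoring a compromised recovery phrase into a different wallet
does not help: the seed and every key below it are deterministic
functions of the phrase, so wallet B ends up with exactly what wallet A had.

Added illustration for this article, not SecondFi/Yoroi code. The
child-derivation step is a simplified HMAC chain (assumption), standing in
for ed25519-bip32 / BIP32; the deterministic property is identical.
"""
import hashlib
import hmac
import unicodedata

BIP39_ITERATIONS = 2048  # fixed by the BIP39 specification

# Public BIP39 test vector (entropy of all zero bytes), used as constructed
# sample input only; never reuse it for real funds.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(NFKD(phrase), 'mnemonic'+passphrase)."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, BIP39_ITERATIONS, 64)


def derive_child(parent: bytes, index: int) -> bytes:
    """Simplified child derivation (assumption): HMAC-SHA512(parent, index)."""
    return hmac.new(parent, index.to_bytes(4, "big"), hashlib.sha512).digest()


def derive_path(seed: bytes, path: list) -> bytes:
    """Walk a derivation path from the seed; same path -> same key, always."""
    key = seed
    for index in path:
        key = derive_child(key, index)
    return key


class ToyWallet:
    """A wallet implementation restoring a phrase. Two independently written
    wallets (different vendors, different code) must agree on every key,
    otherwise restores would not work at all."""

    def __init__(self, name: str, mnemonic: str, passphrase: str = ""):
        self.name = name
        self.seed = mnemonic_to_seed(mnemonic, passphrase)

    def address_key(self, account: int, index: int) -> bytes:
        # Hypothetical path layout: account / external chain / address index.
        return derive_path(self.seed, [account, 0, index])

    def fingerprint(self, account: int, index: int) -> str:
        return self.address_key(account, index)[:8].hex()


def same_keys_after_restore(mnemonic: str, passphrase: str = "", n: int = 5) -> bool:
    """Restore the phrase into an 'old' and a 'new' wallet and compare the
    first n address keys. True means the new wallet is exactly as exposed
    as the old one if the phrase (or keys derived from it) leaked."""
    old = ToyWallet("old-platform", mnemonic, passphrase)
    new = ToyWallet("new-platform", mnemonic, passphrase)
    return all(old.address_key(0, i) == new.address_key(0, i) for i in range(n))


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    print("seed:", seed.hex())
    print("identical keys in a fresh wallet:", same_keys_after_restore(TEST_MNEMONIC))
    w = ToyWallet("demo", TEST_MNEMONIC)
    print("address 0 fingerprint:", w.fingerprint(0, 0))
```

The only thing that separates the two wallets is the phrase itself; a fresh phrase generated by trustworthy software, followed by moving funds to addresses derived from it, is the mitigation, not a re-import of the old one. The first assertion below checks the mnemonic-to-seed step against the published BIP39 test vector so the standard part of the example is verifiably correct.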

SecondFi's internal estimate puts losses at around 16 million ADA, roughly $2.4 million, across 374 addresses. However, SlowMist founder Yu Xian, known by the handle Cos, placed total losses above $20 million, citing on-chain analysis of the attacker's fund flows that traced more than 129 million ADA plus other tokens through addresses linked to the attacker. SecondFi's own investigation initially identified approximately 178 affected wallets, but the project later stated that the threat is triggered whenever affected users sign transactions from compromised addresses, a finding it said fundamentally changes the threat model and the way security teams should assess the vulnerability. The platform has since triggered emergency measures that secured roughly 129 million ADA, which is being transferred to an independent third-party custodian and held for affected users pending verification.

ADA traded at $0.150237 as of June 24, down 3.00% over the past 24 hours. At that price, SlowMist's upper estimate of 129 million ADA translates to roughly $19.4 million in ADA alone, with non-ADA tokens and NFTs held in compromised wallets pushing total exposure higher. SecondFi has temporarily suspended service and placed itself into maintenance mode while it works with an independent blockchain security firm on a technical review. "SecondFi's wallet software exposed the private keys it generated," Mitchell Amador, CEO of security company Immunefi, told Cointelegraph. Amador said that while the blockchain itself remained secure, the code that generates the keys is the "part nobody audits like a contract," adding that attackers have increasingly shifted their focus toward the infrastructure that creates or stores crypto keys rather than toward blockchain protocols.

Cardano founder Charles Hoskinson addressed the incident in a video posted on X on Tuesday, stressing that Input Output Global (IOG) "is not Emurgo" and has no ownership, control, or business relationship with SecondFi. SecondFi is a self-custodial platform built on Cardano that rebranded from the Yoroi wallet in April 2026; Yoroi was developed by Emurgo, which describes itself as the "for-profit arm of Cardano," and was launched as the first open-source light wallet for the Cardano blockchain. "We didn't write the code and we're not connected to it," Hoskinson said, noting that IOG's incident response team has been in contact with SecondFi since Monday and that the platform requested an independent security audit. Hoskinson added that while the losses may appear small relative to other crypto exploits, they offer no comfort to those affected, and that some users may have lost their entire ADA holdings.

The breach surfaced one day after Cardano launched the Leios Musashi Dojo testnet, with early network activity data showing few signs of a meaningful on-chain uptick. Community reaction to SecondFi's response has been hostile, with one user openly challenging the team's guidance and stating, "Millions were lost. People's life savings vanished." Criticism intensified further with claims that "nobody trusts anything being posted" and that disabling comments "says more than any statement ever could," suggesting the crisis now extends beyond security losses into a broader confidence problem for the platform.

Mentioned coins: $ADA
Publisher: cryptonewsroom.xyz
Category: Security
