SecondFi rescues 129M ADA as three-wave Cardano wallet exploit drains 16M ADA

Three outside attackers hit Cardano wallet SecondFi in successive waves between June 24 and 25, 2026, draining 16 million ADA ($2.4 million) from 374 addresses. In a fourth pass, the platform's own team front-ran the attackers, securing 129 million ADA in an independent custodian before it could be drained.

Three attacks, one flaw. SecondFi's wallet-generation software contained an address-level flaw that becomes exploitable when a user signs a transaction, leaving every address created through the affected version potentially compromised. The flaw is in SecondFi's code, not Cardano's base protocol. "The flaw was at the address level and could lead to theft only when a user signed a transaction," SecondFi said in an official statement reported by CryptoNewsz on June 24.

The rescue. SecondFi confirmed four total draining events across the exploit window: three by outside actors, the fourth by its own team acting first. The team routed 129 million ADA to an independent third-party custodian, per CoinDesk, and engaged an external accounting firm to verify the holdings, per CryptoNewsz. Blockchain security firm SlowMist, tracking fund flows through attacker-linked addresses, estimated total exposure at 129 million ADA, or roughly $19.4 million at $0.150237 per ADA, per BeInCrypto.

What affected users must do. Moving a seed phrase to another Cardano wallet does not fix the problem. "The security risk affects wallet users when a transaction is signed. Therefore recovery to another platform or wallet does not mitigate the risk," SecondFi stated. Users are instructed to avoid signing any transactions, not to restore their recovery phrase elsewhere, and to file a claim through SecondFi's support portal. Wallets created before the June 24 patch carry the structural flaw regardless of whether they have been targeted yet. A patch for unaffected wallets was rolled out June 24, 2026.

SecondFi is the wallet formerly known as Yoroi. Emurgo, one of Cardano's three founding entities, developed it and rebranded it in April 2026, per Emurgo's announcement and Cardano.org.