On June 24, 2026, self-custodial platform SecondFi confirmed that it had identified a technical vulnerability in its web wallet generation software on Cardano. The SecondFi wallet exploit exposed private keys belonging to multiple users during the standard transaction signing process on the network.
The platform remains in secure maintenance mode, and we have taken a full snapshot of balances as part of our response. This is being handled as a coordinated effort to protect the broader Cardano ecosystem.
We are working closely with the core pillars of our ecosystem:…
— SecondFi (@secondfiapp) June 23, 2026
The security breach permitted the unauthorized draining of user funds from the digital wallet application. On Tuesday, June 23, 2026, the company estimated that around 16 million ADA had been compromised. This amount translates to approximately $2.4 million in market value.
As per our previous post: https://t.co/rZanyrVGWN
We have identified the root cause and have since rolled out a patch for all unaffected wallets. This will allow us to resume normal operations soon.
—–
Regarding affected wallets, 4 distinct draining events occurred. 3 were…
— SecondFi (@secondfiapp) June 24, 2026
Following the security incident, the development firm deployed immediate emergency mitigation measures. The technical administration of the platform announced on Wednesday that it secured roughly 129 million ADA using internal protocol safeguards designed to block further illicit asset transfers to external entities.
These remaining digital assets will be transferred to an independent third-party custodian. The funds are set to be held under strict security monitoring for affected users, whose credentials must undergo a thorough verification process before any distribution occurs.
Technical aspects of the Cardano wallet flaw
Despite the immediate financial consequences, the firm has not yet published a comprehensive post-mortem report. Initial security updates consistently state that the structural vulnerability occurred exclusively at the address level within the network architecture of its web application code.
Immunefi Chief Executive Officer Mitchell Amador clarified that the underlying Cardano blockchain protocol remained completely secure throughout the event. The security specialist emphasized that private key generation code represents critical infrastructure that rarely receives standard independent smart contract audits.
Amador also observed that malicious actors are shifting their overarching operational targets. Attacks are increasingly targeting software infrastructure responsible for creating and storing cryptographic credentials, rather than focusing directly on the underlying decentralized blockchain protocols or smart contracts.
The wallet development team advised its active users against restoring existing seed phrases into alternative Cardano applications. According to their technical statement, migrating keys does not eliminate the security risk due to the inherent flaw in the compromised software code.
Autonomy of Input Output Global
It's not an IOG product. We have nothing to do with SecondFi. We have no equity, control, ownership, or business relationship. You are literally asking Apple if they will take care of an issue from a Microsoft product
— Charles Hoskinson (@IOHK_Charles) June 23, 2026
Input Output Global founder Charles Hoskinson clarified his organization’s stance regarding the security breach. The developer emphasized in a video posted on X on Tuesday that the affected wallet product is not owned or managed by the IOG corporate entity.
Hoskinson stressed the complete absence of any commercial agreements, operational control, or business relationships between IOG and the compromised application. The statement aims to maintain a clear boundary between core blockchain consensus layers and independent ecosystem software projects.
The IOG global incident response team initiated contact with the technical staff of SecondFi on Monday, June 22, 2026. Following these initial discussions, the administration of the affected platform officially requested a deep, independent security audit of their systems.
The executive also pointed out that his company holds no governance influence over Emurgo, known as the commercial arm of Cardano. IOG did not write the code for the wallet software and remains entirely disconnected from its engineering updates or platform maintenance.
Evolution of the affected platform
SecondFi operates as a self-custodial service within the decentralized ecosystem, having officially evolved from the Yoroi wallet brand in April 2026. The transition aimed to expand on-chain utility, incorporating retail payments and global debit card services.
Yoroi was originally created and launched by Emurgo. The application entered the cryptographic marketplace as the very first open-source light wallet designed specifically to allow everyday network participants to interact seamlessly with the distributed ledger of Cardano.
The remediation process remains underway with blockchain analysis firms and digital forensics investigators tracing the stolen assets. The SecondFi team has not disclosed an exact timeline for the publication of their finalized technical audit or the user reimbursement process.