SecondFi, the Cardano wallet formerly known as Yoroi, lost at least 16 million ADA after attackers exploited a flaw in its wallet generation software on June 23.
"The root cause has been traced to an issue in our proprietary Cardano wallet generation software," SecondFi said in a statement, adding that it had frozen account balances and entered maintenance mode.
Blockchain security firm SlowMist estimated total damages could exceed $20 million, potentially affecting as many as 129 million ADA tokens, according to founder Yu Xian, also known as Cos. The gap between the initial 16 million ADA estimate and SlowMist's projection reflects the difficulty of assessing wallet-related exploits where attackers may retain access to private-key material. SecondFi identified approximately 178 wallets as directly compromised.
The breach strikes at the heart of Cardano's ecosystem credibility. Emurgo, one of the three founding entities behind Cardano, originally built Yoroi before the rebrand to SecondFi in April 2026. With more than 1 million users now advised to treat their wallets as vulnerable, the incident raises questions about whether Emurgo will assume responsibility for compensation — a question the organization has not yet addressed.
SecondFi traced the vulnerability to its web-based wallet generation system, which handles the creation of new wallets and private keys. A defect in that process allowed attackers to generate or access private keys tied to certain wallets, the team said. Hardware wallets and seed phrases not linked to the compromised generation process remained unaffected.
The team has taken a full snapshot of balances and is working with IOG, the Cardano Foundation, IntersectMBO and SundaeSwap on a coordinated response. SecondFi is also finalizing a technical review with an external blockchain security firm to confirm the scope of the damage.
In the hours following the breach, fraudulent actors began mimicking official SecondFi communication channels, distributing counterfeit recovery utilities to harvest credentials from concerned users, security analysts said.
For the broader Cardano ecosystem, the incident is a reminder that chain-level security alone is insufficient if application-layer tools expose users to operational risks. SecondFi has not disclosed when normal operations will resume or whether affected users will receive compensation.