SecondFi wallet vulnerability drains $2.4M in Cardano assets from 178 users

SecondFi, the Cardano wallet formerly known as Yoroi, disclosed a security vulnerability on June 23 that allowed attackers to siphon roughly 16 million ADA from 178 user wallets. At current prices, that’s approximately $2.4 million gone, along with an undisclosed number of tokens and NFTs that were also swept from compromised accounts.

The flaw was traced to SecondFi’s web wallet generation software, which is the part of the system responsible for creating new wallets and their associated private keys.

What happened and what SecondFi is doing about it

SecondFi immediately suspended its services and entered maintenance mode after discovering the vulnerability. The company also conducted a snapshot of user balances, essentially freezing a record of what everyone held at the moment the breach was identified.

SecondFi says it has engaged a leading blockchain security firm to perform an independent review of the exploit. The company is also coordinating with several major players in the Cardano ecosystem, including Input Output Global (IOG), the Cardano Foundation, IntersectMBO, and SundaeSwap, to manage the fallout and support affected users.

No compensation timeline has been announced. No details about the security audit’s findings have been shared.

Affected users have been advised to migrate their remaining assets to alternative wallets immediately, a tacit acknowledgment that wallets generated through SecondFi’s compromised system may still be at risk.

The scam wave riding the breach

The breach has attracted a secondary threat: scammers. Reports indicate a surge in fraudulent accounts impersonating SecondFi support channels, targeting users who are already panicked and looking for help recovering funds.

SecondFi has warned users to verify any communication through official channels only.

Yoroi’s history and what this means for Cardano

SecondFi’s roots go back to Yoroi, one of the earliest and most widely used light wallets for Cardano. Developed by EMURGO, one of the three founding entities behind Cardano, Yoroi served over 1 million users and was considered a trusted entry point for ADA holders who didn’t want to run a full node. In April 2026, EMURGO rebranded Yoroi and expanded its services into a comprehensive self-custody neofinance platform that includes features for spending, trading, earning, and saving.

What this means for investors

The immediate risk for ADA holders is straightforward: if you used SecondFi to generate a wallet, your private keys may have been created through a flawed process. Even if your funds haven’t been stolen yet, the safest move is to create a new wallet through a different provider and transfer everything out.

Traders should monitor whether the stolen ADA is being moved to exchanges, which could signal impending sell pressure.

The biggest unknown is compensation. If SecondFi or its ecosystem partners step up with a credible reimbursement plan, trust damage could be contained. If affected users are left without recourse, the incident becomes a case study in why wallet key generation security matters as much as key custody itself.