TL;DR:
- A total of 16 million ADA, equivalent to about $2.4 million, were stolen from 374 electronic wallets in four separate incidents.
- The emergency containment measures applied by the platform managed to protect 129 million ADA under third-party custody.
- The internal investigation identified two groups of automated attackers who drained the funds between June 21 and 23, 2026.

SecondFi has identified the cause of the recent exploit in its Cardano wallet, an event that affected hundreds of users. The firm confirmed that the vulnerability originated from an error in the deterministic nonce derivation of its signing software, which directly exposed private keys on the blockchain.
As per our previous post: https://t.co/rZanyrVGWN
We have identified the root cause and have since rolled out a patch for all unaffected wallets. This will allow us to resume normal operations soon.
—–
Regarding affected wallets, 4 distinct draining events occurred. 3 were…
— SecondFi (@secondfiapp) June 24, 2026
The attack vector allowed hackers to mathematically reconstruct the master keys from the public data of previous transactions. According to SecondFi’s official report, the problem lies structurally in the generation of addresses and not in the mobile or web application interface. Because of this, importing the recovery phrase into another application in the ecosystem does not remove the vulnerability from the affected accounts.
The security incident comes just a couple of months after the platform completed its rebranding from its historic name, Yoroi Wallet, in April 2026. This strategic change aimed to modernize the veteran light wallet backed by Emurgo. The direct financial impact of the hack put downward pressure on the cryptocurrency market, dragging the price of ADA toward $0.14 per unit, one of its lowest levels in five years.
The attack mechanism and security recommendations
The company’s analysts explained that each operation signed by a vulnerable address leaked enough information for automated tools to obtain full access. Data from partner external security firms indicate that the attackers actively monitored the network’s mempool to intercept movements. For this reason, the technical team urgently recommended that affected users refrain from withdrawing their staking rewards or moving funds on their own, as such actions could trigger further automated drains.
Fund flow analysis on the Cardano block explorer allowed investigators to separate the attackers’ operations into two distinct groups. The first group emptied 171 wallets through two consecutive waves of transactions, while the second actor compromised 203 accounts in a parallel deployment. An approximate balance of 4.02 million ADA remains concentrated in a single collection address identified by researchers, which is already under constant monitoring by major exchanges to block its liquidation.
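The report does not say exactly how the nonce derivation failed. As an added example (not SecondFi's code), the audit below assumes one observable symptom of broken nonce derivation in Ed25519 signatures, the scheme Cardano uses for transaction witnesses: a repeated R value, the first 32 bytes of a signature. All keys, hashes and signatures in it are constructed filler.

```python
import hashlib
from collections import defaultdict

def filler(label):
    """Constructed 32-byte value; not real key or signature material."""
    return hashlib.sha256(label.encode()).digest()

def audit_nonce_commitments(witnesses):
    """witnesses: iterable of (pubkey, tx_body_hash, signature) as bytes.

    An Ed25519 signature is R || S (32 bytes each); R commits to the
    per-signature nonce. Returns sorted (kind, R hex, pubkey hex, count).
    """
    by_r = defaultdict(set)  # R -> {(pubkey, message)}
    for pubkey, msg, sig in witnesses:
        if len(sig) != 64:
            raise ValueError("expected a 64-byte Ed25519 signature")
        by_r[sig[:32]].add((pubkey, msg))
    findings = []
    for r, uses in by_r.items():
        keys = {pk for pk, _ in uses}
        for pk in keys:
            # Same key, same R, different messages: nonce ignored the message.
            msgs = {m for k, m in uses if k == pk}
            if len(msgs) > 1:
                findings.append(("same-key-reuse", r.hex(), pk.hex(), len(msgs)))
        if len(keys) > 1:
            # Same R under different keys: nonce ignored the secret key.
            findings.append(("cross-key-reuse", r.hex(), None, len(keys)))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))

# Constructed sample witnesses (hypothetical, for illustration only).
KEY_A, KEY_B = filler("key-a"), filler("key-b")
SAMPLE = [
    (KEY_A, filler("tx1"), filler("R1") + filler("S1")),
    (KEY_A, filler("tx2"), filler("R1") + filler("S2")),  # same R, new message
    (KEY_A, filler("tx3"), filler("R2") + filler("S3")),  # fresh R: healthy
    (KEY_B, filler("tx4"), filler("R3") + filler("S4")),
    (KEY_A, filler("tx3"), filler("R2") + filler("S3")),  # same tx resubmitted
]

if __name__ == "__main__":
    for finding in audit_nonce_commitments(SAMPLE):
        print(finding)
```

A resubmitted transaction repeats both R and the message and is not flagged, because a correct deterministic signer produces the same nonce for the same key and message.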
To mitigate the financial impact on community users, SecondFi formalized the creation of a dedicated restoration fund to reimburse the stolen balances of the 374 affected wallets. The platform will maintain its services in strict maintenance mode while independent code audits are completed. The restoration of regular web wallet operations remains conditional on the final validation of the security patch by external audit firms before the end of the current month.






