A security vulnerability in SecondFi, the Cardano wallet formerly known as Yoroi, has exposed the private keys of user wallets and drained millions in crypto assets. The platform disclosed the exploit on June 23, immediately suspending all services and urging users to migrate their funds to new wallets.
What happened and how bad is it
The vulnerability is in SecondFi’s web wallet generation software and allowed unauthorized access to the private keys of certain users’ wallets. The initial assessment found approximately 178 wallets directly affected, with confirmed losses of around 16 million ADA, valued at roughly $2.4 million, plus additional unspecified tokens and NFTs.
But the initial damage tally may only be the opening act. Blockchain security firm SlowMist conducted its own evaluation and estimated that total potential losses could exceed $20 million, potentially encompassing up to 129 million ADA. The gap between the confirmed $2.4 million and SlowMist’s $20 million-plus figure suggests that many compromised wallets may not yet have been drained, but remain vulnerable.
SecondFi responded by freezing user balances and entering maintenance mode. The platform, which serves over 1 million users, has issued warnings that any wallet generated through its compromised software may remain at risk. Users were told, in no uncertain terms, to move their assets to new wallets immediately.
No compensation timeline has been disclosed. No detailed audit results have been released.
From Yoroi to SecondFi: a rebrand with baggage
SecondFi rebranded from Yoroi in April 2026. Yoroi was one of the most widely used light wallets in the Cardano ecosystem, developed by Emurgo, one of the three founding entities behind Cardano. The wallet had been a staple for ADA holders who wanted something lighter than running a full node but still wanted self-custody.
To make matters worse, security researchers have flagged a wave of secondary scams targeting affected users. Scammers are impersonating SecondFi support channels, offering fake recovery tools, and attempting to harvest credentials from panicked users looking for help.
What this means for Cardano investors
For ADA holders, the immediate action item is straightforward: if you’ve ever used SecondFi or Yoroi’s web wallet, generate new keys using a different wallet provider and transfer your funds.
One final thing worth watching: whether Emurgo, SecondFi’s parent organization and a Cardano founding entity, steps in with financial resources to make affected users whole. The organization’s response, or lack thereof, will signal a lot about how the Cardano ecosystem handles accountability when its own infrastructure fails its users.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
