Cardano’s SecondFi Wallet Drained 16M ADA After Key Generation Flaw

What You Need to Know
- 16 million ADA worth up to $20 million drained from SecondFi wallets after private key compromise.
- SecondFi, built by Cardano founding entity Emurgo Labs, compromised less than two weeks after migrating from Yoroi Wallet.
- Compromise traced to wallet’s key generation software, potentially affecting every private key the wallet ever produced.
- Attacker’s wallet funded from Binance account, but on-chain traceability rarely results in recovered funds at this scale.
Over 16 million ADA, worth up to $20 million according to SlowMist, was drained from user wallets after private keys generated by SecondFi, formerly the Yoroi Wallet, were compromised. The attacker is still leaking exposed seeds, meaning the full damage count is not yet final.
What makes this worse than a typical wallet exploit is the origin of the software. SecondFi was built by Emurgo Labs, one of Cardano’s founding entities, and had just completed its migration from Yoroi Wallet on June 12, less than two weeks before the attack. The compromise appears to trace back to the wallet’s own key generation software, meaning potentially every private key the wallet ever produced is at risk, not just a subset of users who clicked a phishing link.
Cardano researchers have flagged a particularly vicious mechanic: if a compromised address signs any transaction during a rescue attempt, the attacker can map it and sweep the funds before the user completes the move. This echoes the structural cruelty of the 2022 Slope wallet exploit on Solana, where seed phrases generated by a single app were silently exfiltrated, and users who tried to move funds on their own timeline often lost them anyway.
The attacker’s wallet was reportedly funded from a Binance account, which is potentially traceable, but on-chain traceability has rarely translated into recovered funds at this scale.
The timing is damaging in a way that extends beyond the immediate losses. ADA was already down more than 54% year-to-date before the exploit, sitting at $0.15 and outside the top 20 by market cap. Projects and applications had been leaving the Cardano ecosystem throughout 2026, and the network’s credibility was already under pressure. A wallet security failure originating from a founding-entity product does not just hurt current holders; it gives developers and institutional participants an additional reason to avoid building on the chain at all. Suggestions have emerged to use Cardano’s treasury, which holds 352.4 million ADA, to compensate affected users, though any such governance process would take time that victims do not have.
SecondFi has paused its frontend and is urging users to delete the app and any browser extensions immediately, moving funds to a hardware wallet where possible. The instruction not to simply restore the seed phrase in another software wallet is the single most important thing affected users need to understand: the risk travels with the key, not the app.