← Back to archive
Hack·resolved

SecondFi Cardano Wallet Exploit and Address-Level Flaw

SecondFi attributed a Cardano wallet exploit to an address-level defect in wallet generation and signing, reporting 374 affected addresses, about 16 million ADA impacted, and emergency custody of roughly 129 million ADA.

Abstract

On 2026-06-24, SecondFi stated that it had identified the root cause of a Cardano wallet exploit as an address-level issue in its wallet software. The company said the flaw exposed generated private keys and affected users when signing transactions, after attackers drained funds from 374 addresses. SecondFi estimated that around 16 million ADA, or $2.4 million, was affected, and further stated that emergency measures secured roughly 129 million ADA for affected users pending verification. The incident therefore appears to have combined key exposure with emergency custody to limit further loss. As of 2026-06-24, the mechanism described by SecondFi has been publicly stated, but attacker attribution, transaction-level evidence, and the final recovery outcome have not been established in the available record.

Methodology

This account was derived from the structured incident brief, which in turn relied on public reporting that attributed key factual claims to SecondFi’s own statements. The review prioritized directly attributed claims concerning mechanism, affected addresses, estimated losses, and emergency custody actions. Timeline entries were used to reconstruct sequence, while comparative analytics from the archive were used only for contextual assessment. Because no court filings, audit report, transaction hash set, or completed technical post-mortem were provided in the dossier, claims about causation, attribution, and recovery were limited to what the cited public record expressly stated.

The incident concerned a compromise affecting SecondFi’s Cardano wallet software, which the company said was rooted in an address-level flaw rather than a generalized network failure on Cardano itself.[1][6] Public reporting attributed to SecondFi stated that attackers drained funds from 374 addresses and that the platform estimated around 16 million ADA, or $2.4 million, was affected.[2][4] In the same reporting, the company described the problem as one arising within its own wallet generation and signing flow, placing the operative failure inside wallet software rather than in the underlying chain.[1][6]

The earliest pivotal public disclosure in the present record was SecondFi’s estimate, dated 2026-06-23 in the timeline, that around 16 million ADA, or $2.4 million, had been affected across 374 addresses.[4] That estimate established the initial scale of the event in both token and dollar terms and tied the losses to a defined set of addresses rather than to a broad protocol-wide malfunction.[2][4] At that stage, the available record did not include transaction hashes, a named attacker, or a technical write-up sufficient to independently reconstruct the exploit path, but it did establish that the platform itself was treating the event as a wallet compromise with user balances already drained from identified addresses.[2][4]

SecondFi’s subsequent explanation, dated 2026-06-24 in the timeline, was that the incident had been traced to an address-level issue in its Cardano wallet software.[1] The company further stated that its wallet software exposed the private keys it generated.[5] In practical terms, that description placed the principal mechanism in the category of private key compromise: if keys generated by the wallet became exposed, an attacker with access to those keys could authorize transfers from affected addresses without needing to compromise the Cardano network itself.[5] The public account did not specify whether the exposure arose during key generation, storage, derivation, display, logging, or another implementation detail, but the company’s own wording directly connected the exploit to exposed private keys produced by the wallet software.[5]

SecondFi also stated that the root cause was an issue at the address level that affects users when they sign transactions.[6] That statement narrowed the operational trigger further: according to the company, the vulnerability manifested in connection with transaction signing rather than only at wallet creation or passive storage.[6] The available record therefore suggests a sequence in which users interacted with the wallet’s signing process, the software’s address-level defect exposed or otherwise compromised the relevant private keys, and attackers then used that access to drain funds from the affected addresses.[2][5][6] Because no completed technical post-mortem has been included in the dossier, that sequence remains dependent on SecondFi’s own description rather than on independently published forensic evidence.[1][5][6]

After identifying the issue, SecondFi said it triggered emergency measures that secured roughly 129 million ADA for affected users pending verification.[3] This was materially larger than the platform’s estimate of around 16 million ADA affected by the exploit itself, indicating that the emergency response was framed as a protective custody action extending beyond the balances already reported as drained.[3][4] The record did not establish the exact operational form of that custody, the criteria used to determine which users were included, or the chain-level addresses into which the funds were moved.[3] It did, however, show that SecondFi represented the intervention as a containment measure undertaken while user verification remained pending.[3]

The same timeline also recorded a user-facing warning from SecondFi not to restore recovery phrases into new Cardano wallets.[6] Although the dossier did not provide the full text of that warning beyond the timeline summary, its inclusion is consistent with the company’s statement that generated private keys had been exposed.[5][6] If a seed phrase or derived key material had already been compromised, migrating it into a new wallet interface would not by itself remediate the underlying exposure. The warning therefore functioned as a containment measure within the company’s stated theory of the incident, even though the present record did not include a full remediation protocol, a patch note, or a formal incident report describing how unaffected users were to proceed.[5][6]

The documented consequences were limited but material. SecondFi estimated that around 16 million ADA, or $2.4 million, was affected across 374 addresses, and it stated that emergency measures secured roughly 129 million ADA pending verification for affected users.[2][3][4] The incident also prompted public distancing by Cardano founder Charles Hoskinson, who was described in the dossier as stating that Input Output Global was not connected to the wallet and had no ownership, control, or business relationship with it; however, the present brief did not include that statement as a separately citable body claim and therefore it remains contextual rather than central to the incident mechanism. As of 2026-06-24, the available record documented the platform’s stated cause, the reported number of affected addresses, the estimated amount affected, and the emergency custody action, but it did not establish final recovery, legal proceedings, or attacker attribution.[1][2][3][4][5][6]

Discussion

In archive context, this event ranked #42 of 54 by severity across the full catalogue and #24 of 28 within the hack category, placing it toward the lower end of losses recorded by CryptoMortem despite the operational seriousness of a wallet-level key exposure. The comparative signal lies less in absolute size than in mechanism. The attack vector, classified here as private_key_compromise, had 12 prior events in the archive with cumulative $3.02B affected and mean recovery 68.9%; 5 were fully recovered and 3 had low/no recovery. That distribution indicates a historically mixed resolution profile once signing authority or key material has been exposed. Against the broader hack set, there were 12 other records with mean recovery 91.6% and mean resolution 465 days, but this incident had not yet established a recovery percentage, so it cannot presently be placed on that axis beyond noting that resolution often extends well beyond initial disclosure. Pattern recurrence is also notable. The private_key_compromise pattern had been observed in 3 prior events, all 3 in the past 12 months. The related pattern single_point_of_control had appeared in 29 prior events, including 13 in the past 12 months, while absence_of_withdrawal_monitoring had appeared in 13 prior events, including 8 in the past 12 months. Within an archive of 55 total events, with 25 in the 12 months preceding this incident, the case fit a recurrent structure in which wallet-side control failures and delayed detection remained more common than protocol-layer compromise.

Comparative analytics

All comparisons computed against the 55-event CryptoMortem archive at time of publication.

  • Severity rank across full archive: #42 of 54 (24.1th percentile).
  • Severity rank within same event type: #24 of 28.
  • Attack vector "Private Key Compromise": 12 prior events in archive, cumulative $3.02B, mean recovery 68.9%; 5 fully recovered, 3 with low or no recovery.
  • Event type "Hack": 12 other records in archive, mean recovery 91.6%, mean resolution 465 days.
  • Pattern "Private Key Compromise": observed in 3 prior events (3 in the past 12 months).
  • Pattern "Single Point Of Control": observed in 29 prior events (13 in the past 12 months).
  • Pattern "Absence Of Withdrawal Monitoring": observed in 13 prior events (8 in the past 12 months).
  • Archive context: 55 events catalogued; 25 in the 12 months preceding this incident.

Limitations

The present record was narrow. The dossier did not provide a transaction hash set, attacker attribution, or a completed technical post-mortem, so the exploit path could not be independently reconstructed from primary forensic material. It also did not establish whether any funds were permanently lost as opposed to temporarily held in emergency custody for affected users. No recovery percentage was provided. The public explanation of an address-level issue that exposed generated private keys was attributable to SecondFi, but the available materials did not include an audit report, source-code diff, or incident-response memorandum sufficient to verify the exact implementation failure. As of 2026-06-24, the final disposition of the affected and secured ADA remained unresolved in the dossier.

Timeline

  1. SecondFi estimated losses

    The platform said around 16 million ADA, or $2.4 million, was affected across 374 addresses.

    source →
  2. SecondFi confirmed root cause

    SecondFi said it identified the root cause as an address-level issue in its Cardano wallet generation software.

    source →
  3. Emergency custody secured funds

    SecondFi said emergency measures secured roughly 129 million ADA for affected users pending verification.

    source →
  4. SecondFi warned against restoring phrases

    The company advised users not to restore recovery phrases into new Cardano wallets.

    source →
  5. SecondFi patches exploit after $2.4 million drained

    SecondFi said three external attacks exploited a flaw in its proprietary wallet generation software, draining 16 million ADA from 374 wallets. The team also said it secured a further 129 million ADA before attackers could reach it and routed those funds to a third-party custodian.

    source →
  6. SecondFi traces exploit to an address-level issue

    SecondFi said it identified the root cause of the Cardano wallet exploit as an address-level issue affecting users when they sign transactions. The company said emergency measures secured roughly 129 million ADA, now being transferred to an independent third-party custodian for affected users pending verification.

    source →
  7. SecondFi expects asset returns to begin in two weeks

    SecondFi says it has completed forensic investigations, taken a final balance snapshot, and identified a recovery path for users affected by the Cardano wallet exploit. The company plans one week of solution building followed by another week of testing before beginning to return assets, while warning users to ignore fraudulent recovery messages.

    source →

Who was involved

Structural failures identified

Sources

  1. SecondFi Traces Cardano Wallet Exploit to Address-Level Issue, Cointelegraph — Incident summary, estimated losses, affected addresses, emergency custody, and statements about the wallet flaw