SecondFi Traces Cardano Wallet Exploit to Address-Level Issue

A vulnerability in Cardano-based wallet SecondFi allowed attackers to drain user funds, resulting in major losses.

SecondFi on Wednesday confirmed it had identified the root cause of the exploit and is now engaging with Cardano ecosystem platforms and blockchain investigators to address the issue.

The company also said it triggered emergency measures that secured roughly 129 million ADA, which is being transferred to an independent third-party custodian and held for affected users pending verification.

The platform on Tuesday estimated that around 16 million ADA, or $2.4 million, was affected across 374 addresses.

Cardano founder Charles Hoskinson said SecondFi is not an Input Output Global product and stressed that there is no ownership, control, or business relationship between the wallet and IOG.

SecondFi traces exploit to an address-level issue

SecondFi has not released a comprehensive post-mortem as of publication, but has issued multiple statements confirming a security breach caused by a vulnerability in its Cardano web wallet generation software.

It said the root cause of the incident was an issue at the address level that affects users when they sign transactions.

Source: SecondFi

“SecondFi’s wallet software exposed the private keys it generated,” Mitchell Amador, CEO of security company Immunefi, told Cointelegraph.

Amador said that while the blockchain remained secure, the code that generates the keys is the “part nobody audits like a contract.” He added that attackers have increasingly shifted focus toward infrastructure that creates or stores crypto keys rather than blockchain protocols.

Related: AI models led to a ‘vulnerability apocalypse’ in crypto security: Immunefi CEO

“Recovery to another platform or wallet does not mitigate the risk,” SecondFi said, advising users not to restore their recovery phrases into new Cardano wallets. The guidance differed from recommendations by some community members, who urged users to migrate affected wallets and move funds to newly created addresses.

“We didn’t write the code,” says Hoskinson

SecondFi is a self-custodial platform built on Cardano that rebranded from the Yoroi wallet in April 2026. Yoroi was developed by Emurgo, which describes itself as the “for-profit arm of Cardano,” and was launched as the first open-source light wallet for the Cardano blockchain.

Hoskinson said IOG’s incident response team has been in contact with SecondFi since Monday and that the platform requested an independent security audit.

Source: Charles Hoskinson

In a Tuesday video posted on X, Hoskinson stressed that IOG “is not Emurgo,” adding that the company has no influence over Emurgo and cannot speak on its behalf regarding the exploit.

“We didn’t write the code and we’re not connected to it,” he said.

Magazine: Japanese pension fund tips 1% in crypto, G7 urges action on NK hackers: Asia Express