The SecondFi crypto hack, disclosed on June 23, 2026, exposed a critical flaw in the Cardano wallet platform's native web wallet generation software, putting an estimated 129 million ADA at risk. Loss estimates range from roughly $2.4 million to more than $20 million, and no stolen funds have been recovered.
At a Glance
- SecondFi revealed a vulnerability in its Cardano web wallet generation software on June 23, 2026
- Blockchain security firm SlowMist estimates losses could exceed $20 million, involving more than 129 million ADA
- SecondFi's own preliminary figure is roughly 16 million ADA, worth about $2.4 million at current prices
- Around 178 wallets have been flagged by on-chain trackers, with suspicious activity concentrated June 21 to 22
- ADA is trading near $0.15, down about 12% over the past seven days and close to multi-year lows

What Broke and Why It Matters
Most crypto security incidents trace back to smart contract bugs or phishing attacks. The SecondFi breach is neither. The flaw lived inside the software that generates wallets and derives private keys, meaning every wallet created through that process was potentially compromised from birth, regardless of how carefully users safeguarded their own copies.
Blink Labs, a Cardano infrastructure firm, put it plainly: any wallet created through the affected flow should be treated as unsafe, and users should migrate to a different wallet immediately. SecondFi has paused all front-end activity, entered maintenance mode, and brought in an independent blockchain security firm to review the code.
The project team confirmed the scope in its security update: "The issue was confined to our native Cardano web wallet generation software." The root cause has been isolated, the team says, though no final technical report or compensation framework has been published.
A Disputed Loss Figure
SecondFi's own on-chain analysis puts the damage at approximately 16 million ADA, around $2.4 million at press-time prices. That figure is serious but arguably manageable for a platform backed by EMURGO, the commercial arm of the Cardano ecosystem.
SlowMist's picture is far grimmer. Yu Xian, the security firm's founder, better known publicly as Cos, tracked two Cardano addresses he identified as suspected attacker wallets. His assessment: users of this wallet have likely lost over $20 million. Cos said on-chain transaction patterns indicated that the attacker obtained a batch of mnemonic phrases or private keys and systematically drained wallets over many hours, targeting larger balances first before working down to smaller ones.
Why SecondFi Carries Extra Weight for Cardano
SecondFi is the direct successor to Yoroi, the self-custody wallet that EMURGO originally launched as Cardano's primary retail entry point. When EMURGO rebranded the product as SecondFi and expanded its scope to cover spending, trading, earning, and saving, it was listed in Cardano's official app catalog. This is not a peripheral third-party tool.
That institutional backing cuts both ways. The platform had credibility precisely because of its official status, and that same status amplifies the reputational damage. Ecosystem harm from wallet-layer exploits on other chains has historically been more persistent when the compromised product carried official endorsement. The Bo Shen $42 million wallet hack, which SlowMist later linked to a compromised mnemonic seed phrase, demonstrated how seed phrase exposure creates problems that outlast the initial theft.

Where ADA Stands Now
ADA was trading near $0.15 at the time of reporting, down close to 3% in 24 hours and roughly 12% over the prior seven days. The token had already slipped below $0.20 in June, and the $0.15 level represents territory last visited during the 2023 bear market trough. The hack compounds existing pressure rather than creating it from scratch.
How much further ADA falls may depend on what the independent audit concludes. If the vulnerability is confirmed as strictly confined to SecondFi's wallet generation layer and the Cardano protocol itself is untouched, recovery becomes plausible. A broader finding would extend the damage. Separately, the Van Rossem hard fork mainnet decision signals that protocol-level development is continuing independently of the wallet-layer crisis, which may matter to longer-term holders.
Frequently Asked Questions
What exactly was the SecondFi security flaw?
The vulnerability was in SecondFi's native Cardano web wallet generation software, the system responsible for creating wallets and deriving private keys. Wallets created through this process may have had their private keys exposed to the attacker, making the funds inside accessible.
How much ADA was stolen in the SecondFi hack?
SecondFi's preliminary estimate is around 16 million ADA, roughly $2.4 million. SlowMist founder Yu Xian has put the figure significantly higher, suggesting losses may exceed $20 million, involving more than 129 million ADA and other tokens. The final number has not been confirmed.
Is the Cardano network itself compromised?
No evidence suggests the Cardano protocol is affected. The flaw appears to be isolated to SecondFi's application-layer wallet generation software, not Cardano's underlying blockchain infrastructure.
What should affected users do?
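Blink Labs has advised anyone who generated a wallet through SecondFi's affected flow to treat that wallet as unsafe and migrate funds to a different wallet immediately. Because the exposure lies in the keys themselves, the destination has to be a wallet built from a newly generated recovery phrase; importing the old phrase into another app leaves the same keys in use. SecondFi has not yet published a compensation plan.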
What Comes Next for SecondFi and ADA
The independent technical review will be the key near-term event. Around 178 wallets have been flagged as affected, suspicious transactions are concentrated in the June 21 to 22 window, and no stolen funds have been recovered. Until SecondFi publishes its full findings, the gap between the platform's $2.4 million estimate and SlowMist's $20 million-plus figure will continue to weigh on sentiment around both the project and ADA.



