Cardano's SecondFi Hack Exposes a Wallet-Layer Vulnerability: EMURGO Sets 2-Week Recovery Timeline
A vulnerability in SecondFi's wallet generation software allowed attackers to access private key material and drain approximately 16 million ADA (worth roughly $2.4 million) from 374 wallets between June 21 and June 23. EMURGO, one of Cardano's three founding entities, announced on June 27 that it has identified a clear recovery solution and is moving into execution, with an estimated two-week timeline before affected users can begin receiving their assets back.
What Exactly Happened in the SecondFi Breach?
SecondFi, which evolved from EMURGO's long-standing Yoroi Wallet in April 2026, fell victim to an application-level security failure that had nothing to do with Cardano's underlying blockchain. The exploit targeted the wallet generation software itself, the component responsible for creating wallets and managing the private keys that prove ownership of funds. Four separate wallet-draining events occurred during the three-day window: three are attributed to external threat actors, and one was an emergency intervention by the SecondFi team itself, which secured approximately 129 million ADA by moving funds to a third-party custodian as a precautionary measure.
Security researcher Yu Xian from SlowMist flagged a potentially much larger picture than the confirmed 16 million ADA loss, estimating that user losses could ultimately exceed $20 million when accounting for the full scope of compromised wallets and other tokens held within them. However, EMURGO's forensic investigations have now completed wallet balance validation and established what the company describes as the safest possible recovery pathway.
How Will EMURGO Return the Stolen Funds?
The recovery process is being split into two distinct phases. During the first week, EMURGO's engineering and security teams will build the recovery tool itself. The second week will focus on thorough testing and security reviews before any assets are moved back to users. EMURGO has emphasized that while urgency is a priority, the process cannot be rushed, and safety remains the top concern. The two-week estimate may still be adjusted depending on progress and is not a fixed commitment.
Cardano founder Charles Hoskinson revealed that he is experimenting with a recovery smart contract that would use zero-knowledge proofs (a cryptographic technique that proves ownership without revealing sensitive information) tied to wallet recovery phrases to verify ownership and distribute assets from a recovery pool. This approach aims to ensure that only legitimate wallet owners can claim their funds.
Steps to Protect Yourself If You Were Affected
- Submit a Support Ticket: Affected users should submit a support ticket through the official SecondFi support page at support.secondfi.io and take no further independent action until EMURGO provides official recovery instructions.
- Avoid Fraudulent Communications: EMURGO has warned that malicious actors are now circulating fraudulent communications impersonating SecondFi, attempting to exploit panicked users. SecondFi will never request private keys, seed phrases, wallet credentials, or direct wallet access under any circumstances.
- Do Not Migrate Assets Independently: EMURGO specifically warned that independently migrating assets or restoring recovery phrases into other wallets could significantly complicate the secure return of funds, as the recovery process is being designed around existing wallet states.
The official SecondFi account on X (formerly Twitter) remains the primary channel for communications. EMURGO has committed to providing proactive updates at every stage of the recovery process.
Why This Matters Beyond Cardano
The SecondFi breach struck at the foundation of self-custody by targeting the very software that generated users' private keys, making it one of the most consequential wallet-layer exploits in Cardano's history. This incident underscores a broader vulnerability in the cryptocurrency ecosystem: even when a blockchain's protocol and consensus mechanism are secure, the applications built on top of them can introduce critical security gaps.
Cross-chain bridges and wallet software represent some of the most complex and vulnerable components of decentralized finance (DeFi). According to recent analysis, bridges have been the target of some of the most catastrophic exploits in crypto history, with billions of dollars stolen via bridge hacks. The vulnerability stems from the fact that bridges operate via highly complex smart contracts deployed across entirely different execution environments, creating fertile ground for bugs and security flaws.
"The Cardano blockchain itself was not compromised. This was an application-level security failure confined to SecondFi, and the network's protocol, cryptographic foundations, and node infrastructure remain fully intact," stated Charles Hoskinson, Cardano founder.
Hoskinson also expressed sympathy for the victims, acknowledging that some users may have lost most or all of their ADA holdings. He described the incident as an unfortunate reality of the cryptocurrency industry and noted his own personal losses during the 2022 Nomad Bridge exploit.
The exploit has added significant pressure to ADA, which was already trading near multi-year lows. At the time of the breach, ADA was hovering around $0.15, and the token has seen a decline of roughly 8% over the past seven days. The broader market context has not helped, with the overall cryptocurrency market also trending downward during the same period.
The incident has intensified scrutiny on EMURGO given its position as a founding entity of Cardano. SecondFi was listed in Cardano's official app catalog and carried the institutional weight of the Yoroi brand, which had served as the ecosystem's primary lightweight wallet for nearly eight years before the rebrand. While the recovery announcement marks the first time EMURGO has provided a concrete timeline, several key details remain undisclosed, including the specific return dates for individual users, detailed asset-recovery amounts for each affected wallet, and the final claiming and verification methods to be used.