June's $75.87 Million Crypto Hack Spree Reveals a Hidden Threat: Your Wallet's Math Is Broken
June 2026 saw 40 major crypto hacking incidents result in $75.87 million in losses, but the attacks weren't concentrated on a single vulnerability,instead, they targeted wallets, Layer 2 solutions, and third-party services simultaneously, exposing multiple layers of Web3 infrastructure to risk. The incidents reveal that crypto security is only as strong as its weakest link, and that link may not be where users expect it to be.
What Happened to SecondFi and Why It Matters Beyond One Wallet?
The most striking June incident involved SecondFi, the Cardano ecosystem wallet formerly known as Yoroi. Between June 21 and 23, attackers transferred approximately 16 million ADA (worth about $2.4 million at the time) from roughly 374 user addresses. What makes this breach unusual is that users didn't lose their seed phrases or passwords. Instead, the wallet's underlying signature system was broken.
According to security analysis by BlockSec, the wallet incorrectly derived the signature nonce, a cryptographic value that should remain secret, from publicly available transaction messages. This meant that every time a user signed a transaction, the public signature data posted on the blockchain contained enough information for attackers to mathematically recover the user's private key. The wallet appeared to work normally from the user's perspective, but from a cryptographic standpoint, it was leaking the keys to every address that had ever signed a transaction using the vulnerable version.
This incident highlights a critical principle: wallet security depends not just on keeping your seed phrase safe, but on whether the wallet's core cryptographic components are implemented correctly and can be reviewed by the public. Open-source wallet code, like imToken's TokenCore, allows security researchers and developers to examine the signing logic and catch these kinds of flaws before they cause damage.
How to Protect Your Assets After a Wallet Vulnerability Is Discovered?
- Download from Official Sources Only: Always get your wallet from the official website or official app store, and install security updates immediately when they become available.
- Separate Hot and Cold Storage: Avoid keeping all assets in a single everyday wallet that connects to decentralized applications (DApps). Large or long-term holdings should be stored in a hardware wallet or separate cold wallet, isolated from hot wallets used for frequent transactions.
- Generate a New Wallet, Don't Just Re-import: If a wallet's key generation or signature system is compromised, simply importing your original seed phrase into another wallet won't fix the problem, because the previously exposed addresses and private keys remain vulnerable. The safer approach is to generate a completely new wallet with a new seed phrase and migrate your assets to fresh addresses that have never been signed with the vulnerable version.
Why Are Layer 2 Networks Becoming Hacker Targets?
Beyond wallets, Layer 2 (L2) networks, which are blockchain systems designed to process transactions faster and cheaper than the main Ethereum network, faced multiple attacks in June. These networks are not simply "cheaper Ethereum",they are complex systems with their own trust assumptions and potential weak points.
On June 14 and 18, two older Aztec rollup deployments were successfully attacked, resulting in combined losses of approximately $4.35 million. Aztec is a zero-knowledge (ZK) rollup, a type of L2 that uses advanced cryptography to prove transactions are valid without revealing sensitive details. In one attack, an attacker exploited an inconsistency in how the system counted transactions versus actual processed data, causing the system to register a deposit internally while skipping the balance deduction on the main Ethereum network. In another, a missing constraint in the zero-knowledge proof circuit allowed attackers to generate proofs based on a forged state tree and extract assets from the Ethereum contract.
These issues cannot be caught by simply scanning code for vulnerable lines. Zero-knowledge proofs can demonstrate that a computation follows predefined rules, but only if those rules are correct and complete. If a developer forgets to constrain a critical variable, the proof may still be mathematically valid while verifying a result that doesn't match the actual settlement state.
On June 22, Taiko, another L2 network, suffered a separate attack worth approximately $1.7 million. Taiko uses SGX (Software Guard Extensions), a trusted execution environment, to verify proofs. According to BlockSec's analysis, the attacker exploited an SGX enclave signing private key that had been publicly posted to GitHub and a flaw in the on-chain verification contract that failed to reject enclaves running in DEBUG mode. This allowed the attacker to register a malicious prover as legitimate and forge an L2 state proof, causing an Ethereum contract to accept a non-existent L2 state.
What Do These Attacks Tell Us About Web3 Security Going Forward?
The June incidents reveal that Web3 security is no longer a single-point-of-failure problem. Attackers are now exploiting vulnerabilities across the entire chain of on-chain interactions: wallet signature systems, L2 proof mechanisms, and third-party service supply chains. This means that even if you use a secure hardware wallet and avoid phishing, your assets can still be at risk if the L2 network you're using has a flaw in its proof system or if a service provider's credentials are exposed.
For users, this underscores the importance of not concentrating all assets in a single system or service. For developers and protocol teams, it highlights the need for rigorous security audits not just of individual code components, but of entire systems and their interactions. The crypto fear and greed index declined during June as these attacks revealed vulnerabilities in signature systems, zero-knowledge proofs, and third-party integrations.
As Web3 infrastructure becomes more complex, the attack surface grows. The incidents of June 2026 suggest that the next frontier of crypto security is not just protecting individual private keys, but ensuring that every layer of the system, from wallet cryptography to L2 settlement logic to supply chain security, is designed and audited with the same rigor.