SecondFi Exploit: Cardano’s $ADA Recovery Fund Shows Where Wallet Risk Still Lives
SecondFi, formerly Yoroi Wallet, has completed its final balance snapshot for 374 wallets affected by a Cardano key exploit between June 21 and 23. That starts the refund process. But it also says the quiet part out loud: crypto does not always fail because someone clicks a fake link. Sometimes the failure is already inside the software.

The company said on June 26 that the snapshot was the first step toward refunding users. The bug was a deterministic nonce derivation error in its wallet generation software. In plain English, attackers could rebuild private keys from public on-chain data. Bad bug. Worse timing. Most wallet safety guides focus on phishing, seed phrases, and suspicious signatures. That’s only half right. This was not a loud bridge exploit or a scam popup; it was a cryptographic mistake sitting deep enough in the stack that normal users had almost no way to see it coming.
SecondFi’s investigation found two separate actors behind the wallet drains. One attacker hit 171 wallets in two waves. A second drained 203 wallets in a separate sweep, according to the company’s June 25 disclosure. Right now, 4.02 million $ADA tied to the exploit sits in one collection wallet. SecondFi says it is watching that wallet and working with law enforcement and Cardano ecosystem partners to trace the stolen funds and limit where they can move. Useful? Yes. Complete comfort? No.
SecondFi also told affected users not to restore their recovery phrases into another Cardano wallet. The reason is blunt: the keys are already exposed. Moving the same phrase into different software does not repair an address-level failure. According to SecondFi’s June 26 guidance, every transaction signed by an affected address leaked enough information for attackers to derive that address’s private key. The company also warned users not to claim staking rewards, since attackers watching the mempool could react to fresh transactions from compromised addresses. My take: I would leave those addresses alone unless SecondFi gives a specific instruction that leaves no room for guessing.
The market reaction was calmer than I expected. $ADA traded around $0.15 after the exploit became public, down about 2.9% over the next 24 hours. Compare that with Mt. Gox: when the hack became widely known in early 2014, Bitcoin fell from above $800 to below $500 within weeks, a drop of more than 37%. $ADA’s smaller move, with the token recently around $0.148 after rising more than 3% over 24 hours, suggests traders did not treat this as a Cardano-ending event. Or maybe the market is just numb now. Still, the backdrop matters. $ADA was already down more than 54% year to date from $0.42 at the start of 2026, so this landed on an already weak chart.
SecondFi and EMURGO, its parent entity, have secured about 129 million $ADA through emergency containment measures. Those funds are being held while recovery work continues. The refund fund matters for the 374 affected wallets, obviously, but I would not call that the real finish line. The bigger test is outside review. SecondFi says normal operations will stay paused until external security firms audit its systems and approve them. For now, the service remains in maintenance mode, though users can start submitting claims through the official support portal. Claims first. Audit next. Trust later.
What this means
The SecondFi incident shows that crypto security still breaks in places users rarely see. A deterministic nonce derivation error is not something the average wallet user can detect. Why does this matter? Because users are constantly told to guard seed phrases, avoid fake links, and check URLs, yet none of that helps when the wallet’s own cryptographic plumbing leaks private keys during normal transactions.
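The phrase "deterministic nonce derivation error" is easier to understand in code. What follows is an added teaching example, not SecondFi's, Yoroi's or Cardano's code, and not SecondFi's specific bug, which the article does not describe in detail. It uses a toy Schnorr-style signature over a small prime-order group (the same shape as Ed25519's s = k + e·a, though not its curve arithmetic) to show the correct RFC 8032 pattern, where the nonce is derived from a secret prefix; a constructed flawed variant, where the nonce depends only on the message; why a single valid signature from the flawed variant reveals the private key to anyone who can read the chain; and an audit check that tells the two apart. Every seed, message and the group size are constructed values; `recover_private_key`, `nonce_ignores_secret` and the rest are names chosen for this example.

```python
"""
Toy Schnorr-style signatures over a prime-order subgroup of Z_p^*.
Constructed teaching example: not SecondFi/Yoroi code, not Cardano's
Ed25519 arithmetic, and not the exact SecondFi bug. It shows (1) the
correct RFC 8032 pattern (nonce derived from a secret prefix), (2) a
flawed variant whose nonce depends only on public data, (3) why the flaw
lets anyone compute the private key from ONE valid signature, and (4) an
audit check that catches the flaw. Requires Python 3.8+ for pow(e, -1, Q).
"""
import hashlib


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(start: int):
    """Smallest safe prime p = 2q + 1 with odd q >= start; returns (p, q)."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Toy group parameters: a 63-bit safe prime, far too small for real use.
P, Q = _find_safe_prime(1 << 62)
G = 4  # a quadratic residue mod p, so it generates the order-q subgroup


def _hash_int(*parts: bytes) -> int:
    """Length-prefixed SHA-256 over the parts, reduced into [0, Q)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def keygen(seed: bytes):
    """RFC 8032 pattern: half the expanded seed is the scalar, half a secret nonce prefix."""
    digest = hashlib.sha512(seed).digest()
    a = int.from_bytes(digest[:32], "big") % Q or 1  # private scalar
    prefix = digest[32:]                             # secret, never published
    return a, prefix, pow(G, a, P)                   # (a, prefix, public key A)


def secret_nonce(prefix: bytes, msg: bytes) -> int:
    """Correct: the nonce mixes in the secret prefix, so outsiders cannot compute it."""
    return _hash_int(prefix, msg) or 1


def public_nonce(prefix: bytes, msg: bytes) -> int:
    """Flawed (constructed): the nonce depends only on the message, which is on-chain."""
    return _hash_int(msg) or 1


def sign(a: int, prefix: bytes, A: int, msg: bytes, nonce_fn):
    """Schnorr-style signature (R, s) with s = k + e*a mod Q."""
    k = nonce_fn(prefix, msg)
    R = pow(G, k, P)
    e = _hash_int(R.to_bytes(8, "big"), A.to_bytes(8, "big"), msg)
    return R, (k + e * a) % Q


def verify(A: int, msg: bytes, R: int, s: int) -> bool:
    """Checks G^s == R * A^e; both correct and flawed signatures pass this."""
    e = _hash_int(R.to_bytes(8, "big"), A.to_bytes(8, "big"), msg)
    return pow(G, s, P) == R * pow(A, e, P) % P


def recover_private_key(R: int, s: int, A: int, msg: bytes, nonce_guess: int) -> int:
    """If the nonce k is known, s = k + e*a gives a = (s - k) / e mod Q.
    With public_nonce, anyone holding the on-chain (R, s, A, msg) knows k."""
    e = _hash_int(R.to_bytes(8, "big"), A.to_bytes(8, "big"), msg)
    return (s - nonce_guess) * pow(e, -1, Q) % Q


def nonce_ignores_secret(nonce_fn) -> bool:
    """Audit check: two different keys signing the same message must yield
    different R. Equal R means the nonce derivation never used the secret."""
    msg = b"constructed: same message, two signers"
    a1, p1, A1 = keygen(b"constructed seed one")
    a2, p2, A2 = keygen(b"constructed seed two")
    R1, _ = sign(a1, p1, A1, msg, nonce_fn)
    R2, _ = sign(a2, p2, A2, msg, nonce_fn)
    return R1 == R2


if __name__ == "__main__":
    a, prefix, A = keygen(b"constructed wallet seed")
    msg = b"constructed tx: send 5 ADA"
    R, s = sign(a, prefix, A, msg, public_nonce)
    print("flawed signature verifies:", verify(A, msg, R, s))
    outsider_k = public_nonce(b"", msg)  # no secret needed
    print("key recovered from one signature:", recover_private_key(R, s, A, msg, outsider_k) == a)
    print("audit flags public_nonce:", nonce_ignores_secret(public_nonce))
    print("audit flags secret_nonce:", nonce_ignores_secret(secret_nonce))
```

Two things in the output match the article's point. First, the flawed signature verifies exactly like a correct one, so nothing a user or a node sees looks wrong; the leak is only visible to someone who runs the algebra. Second, once a signature is on-chain the scalar is recoverable from that public record alone, which is why restoring the same seed in a different wallet app changes nothing about an already-exposed address. The `nonce_ignores_secret` check is the kind of cheap property test an external reviewer can run against a signing library without reading its internals.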
For traders, the move in $ADA was contained. That does not mean the risk was small. Counter to the usual advice, switching wallet apps is not always a fix; if the address-level key material is compromised, the interface is just a different window on the same problem. We have seen this misconception come up in wallet incidents before: people treat the app as the security boundary. It is not. The wallet interface is only the part users can see.
Investors should now watch how quickly SecondFi pays claims and how cleanly it brings services back online. The 4.02 million $ADA in the collection wallet and the 129 million $ADA secured through containment are large enough to matter. Refunds will show whether the recovery fund works outside a company statement. Law enforcement updates matter too, especially if investigators can trace the two attackers or block movement of stolen assets. Is this overkill for one wallet incident? No. Before SecondFi resumes normal operations, the external audit results will probably matter more than anything the company says about itself.
