SecondFi traces Cardano exploit to address-level issue, secures 129M ADA
In brief
- SecondFi identified the exploit's root cause as an address-level issue affecting private-key generation during transaction signing.
- 16 million ADA ($2.4M) drained across 374 addresses; 129 million ADA secured through emergency measures.
- Cardano founder Charles Hoskinson clarified SecondFi is not an IOG product and has no business relationship with Input Output Global.
- SecondFi advised users not to restore recovery phrases into new wallets, as migration does not mitigate the exploit risk.
The Exploit and Recovery Effort
SecondFi estimated that around 16 million ADA, or $2.4 million, was affected across 374 addresses. SecondFi on Wednesday confirmed it had identified the root cause of the exploit and is now engaging with Cardano ecosystem platforms and blockchain investigators to trace and recover stolen funds.
The company has moved quickly on containment. SecondFi secured roughly 129 million ADA through emergency measures, which is being transferred to an independent third-party custodian for affected users. However, the platform has advised users not to migrate their wallets elsewhere. Recovery to another platform or wallet does not mitigate the risk, SecondFi said, advising users not to restore their recovery phrases into new Cardano wallets.
The Technical Issue
SecondFi's wallet software exposed the private keys it generated, according to Mitchell Amador, CEO of security company Immunefi. The vulnerability sits in a part of the infrastructure that rarely receives the same scrutiny as on-chain smart contracts. Amador noted that the code generating keys is the "part nobody audits like a contract," highlighting a blind spot in how wallet software is reviewed.
This shift reflects a broader trend. Attackers have increasingly shifted focus toward infrastructure that creates or stores crypto keys rather than blockchain protocols themselves, moving away from attempts to exploit consensus mechanisms or smart contracts.
SecondFi's Background and IOG Clarification
SecondFi is a self-custodial platform built on Cardano that rebranded from the Yoroi wallet in April 2026. Yoroi was developed by Emurgo, which describes itself as the "for-profit arm of Cardano," and was launched as the first open-source light wallet for the Cardano blockchain.
Cardano founder Charles Hoskinson has been clear about the distinction. Hoskinson said SecondFi is not an Input Output Global product and stressed that there is no ownership, control, or business relationship between the wallet and IOG. IOG's incident response team has been in contact with SecondFi since Monday and the platform requested an independent security audit.
