SecondFi Cardano Wallet Exploit Traced to Address-Level Flaw, Funds Being Secured

Cardano based wallet SecondFi has traced a recent exploit to an address level vulnerability in its wallet generation software, confirming attackers drained funds from 374 user addresses.

The platform said it triggered emergency measures that secured roughly 129 million ADA, which is now being transferred to an independent third party custodian and held for affected users pending verification. Initial estimates put total losses at around 16 million ADA, or $2.4 million.

What Actually Went Wrong

According to Mitchell Amador, CEO of security firm Immunefi, SecondFi’s wallet software exposed the private keys it generated. The blockchain itself was not compromised — the problem was in the code that creates the keys, which he described as the part that rarely gets audited like a smart contract.

SecondFi has warned users not to restore their recovery phrases into new Cardano wallets, saying that migrating to another platform does not remove the risk.

Hoskinson Distances IOG From the Incident

Cardano founder Charles Hoskinson was quick to clarify that IOG had no involvement. SecondFi, formerly known as Yoroi wallet, rebranded in April 2026 and was originally developed by Emurgo — not IOG.

“We didn’t write the code and we’re not connected to it,” Hoskinson said. IOG’s incident response team has been in contact with SecondFi since Monday, and a full independent security audit has been requested.