SecondFi Exploit Drains 374 Cardano Wallets, Over 16 Million ADA Stolen in Coordinated Attack
TLDR:
- The SecondFi exploit drained 374 Cardano wallets across four attack events between June 21–23, 2026.
- Approximately 16 million ADA worth $2.4M was stolen by two identified attackers across three automated waves.
- Emergency rescue efforts secured around 129 million ADA, with a dedicated restoration fund already established.
- Affected wallets are permanently compromised; users must avoid independent seed phrase restoration or asset migration.
Cardano’s largest wallet provider, SecondFi, suffered a major security breach between June 21 and 23, 2026. The SecondFi exploit drained funds from 374 wallet addresses across four separate attack events.
Approximately 16 million ADA, valued at around $2.4 million, was compromised. EMURGO, a co-founding entity of Cardano, has since stepped forward with a formal incident update, outlining recovery measures and committing to full reimbursement for all affected users.
Attack Scope and Attacker Identification
The SecondFi exploit unfolded in three automated waves, each targeting multiple wallets in rapid succession. Forensic analysis identified two distinct threat actors responsible for the breach. Attacker A operated across Waves 1 and 2, draining 171 wallets through coordinated automated batches.
SecondFi publicly disclosed the attacker addresses for full community transparency. Attacker A used three collection wallets and a central fee address, all linked to a single stake key. Attacker B operated independently in Wave 3, sweeping 203 additional wallets in a separate automated run.
According to SecondFi’s post on X, over 4 million ADA linked to Attacker B remains in one flagged collection address.
We aim to provide the latest update on our investigation into the exploit
As mentioned in our previous post, between June 21–23, 2026, a sophisticated, automated attack drained funds from multiple Cardano wallets. We now have identified and isolated the addresses of 2 attackers.…
— SecondFi (@secondfiapp) June 25, 2026
That address is currently under active monitoring and investigation by the team. Law enforcement and relevant authorities have been notified as part of the formal incident response.
The speed and coordination of the attack pointed to a premeditated, multi-actor operation. Security analysts described it as a highly sophisticated enterprise rather than an opportunistic breach.
Emergency Response and Asset Recovery
Following the initial discovery on June 22nd, SecondFi activated emergency response protocols immediately. Engineering teams isolated the exploit vector and deployed remediation measures to prevent further exposure. The platform was moved into maintenance mode as a containment step.
A leading external security firm, along with additional independent partners, was brought in to conduct a full code-level audit.
SecondFi confirmed it will not resume normal operations until those reviews are complete. That position reflects a deliberate effort to prioritize user safety over operational speed.
Through emergency rescue measures, SecondFi successfully secured approximately 129 million ADA as part of broader containment efforts.
All recovered assets are currently held securely while the recovery process continues. A dedicated restoration fund has already been established to support reimbursement.
EMURGO confirmed in its statement that wallet address mapping has been completed, allowing recovery to move into the next phase. Affected users will receive direct guidance through official channels on the steps required to safely restore access.
Critical Warnings for Affected Users
SecondFi issued a firm security warning to all affected wallet holders following the breach. Affected wallets must be treated as permanently compromised at the address and private key level. Restoring the seed phrase in another wallet application will not eliminate the security risk, because the same seed phrase derives the same private keys.
Users are strongly advised not to independently move assets or attempt to migrate compromised wallets on their own.
Taking unilateral action could expose them to further loss or secondary exploits. The official recovery process is the only safe path forward for affected accounts.
SecondFi and EMURGO confirmed that a structured, verification-based claim process is being developed. While that process may take additional time, it is designed to ensure accuracy and security throughout. Affected users are directed to follow @secondfiapp on X for all official updates.
The incident drew a coordinated response from across the Cardano ecosystem. Founding entities, partners, and community members mobilized quickly to support containment efforts. That collective response helped limit broader network risk during a critical period.