SecondFi completes final balance snapshot for 374 wallets hit by Cardano key exploit

Following the automated attacks that saw funds leave wallets in SecondFi, Cardano’s wallet provider formerly known as Yoroi Wallet, between June 21 and 23, affected users now have something to cheer about. 

SecondFi announced that it has taken a final balance snapshot on June 26 to begin processing refunds for affected users.

According to the company’s investigation, the vulnerability that was exploited was a flaw in its wallet generation software, specifically a deterministic nonce derivation error in its software signer that allowed attackers to reconstruct private keys from publicly available on-chain data.

Have the SecondFi attackers been identified?

According to SecondFi’s investigation, the wallet-draining campaigns were carried out by two separate actors.

One attacker compromised 171 wallets in two waves, while a second drained 203 wallets in a separate sweep, the company disclosed on June 25.

SecondFi says that it is working with law enforcement and partners across the Cardano ecosystem to trace and restrict the movement of stolen assets. Currently, 4.02 million ADA linked to the exploit are being held in a single collection wallet that is being monitored.

Will restoring a seed phrase help SecondFi’s users?

SecondFi informed affected users not to restore their recovery phrases into another Cardano wallet. Compromised keys remain exposed regardless of which software holds them because the vulnerability exists at the address level and not the wallet application layer.

Every transaction signed by an affected address leaked enough information for attackers to derive that address’s private key, according to the company’s June 26 guidance.

SecondFi also cautioned against claiming staking rewards, as it could expose funds to attackers monitoring the mempool for new transactions from compromised addresses.

Recovery fund and containment

SecondFi and its parent entity, EMURGO, have secured around 129 million ADA through emergency containment measures. Those funds are being held pending recovery operations.

Another angle that the company said it is working on is the dedicated restoration fund it set up to reimburse affected users. Also, it said normal operations will not resume until external security firms audit its systems and give the green light to bring its services back online.

For now, SecondFi remains in maintenance mode. But users can already start to submit claims through its official support portal.

ADA currently trades around $0.148, having risen by over 3% over the past 24 hours. It traded at around $0.15 following the exploit, down about 2.9% in the 24 hours after the attack became public.

The token had already fallen more than 54% year to date from $0.42 at the start of 2026.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.