The Cardano ecosystem faced a large-scale security incident in which more than 16 million ADAs were withdrawn from user wallets. According to initial reports, the losses were caused by private seed expressions exposed on SecondFi, a widely used Cardano wallet. Security company SlowMist stated that the total damage could be up to $20 million.
Source of vulnerability
The focus of the attack is SecondFi, formerly known as Yoroi. The wallet developed by Emurgo Labs stood out as one of the main tools used for individual storage on the Cardano network. SecondFi occupies a critical position in the ecosystem due to its connection with Emurgo, one of the founding structures of Cardano.
According to the information provided, SecondFi completed the transition process from Yoroi on June 12. It was stated that the attack occurred only a few days later. This raised concerns that the vulnerability may not have come from a third-party service, but directly from the infrastructure of one of the ecosystem’s core developers.
The SecondFi team announced that the incident occurred at the address level, and the risk arises especially when a transaction is signed. The team emphasized that moving seed deposits to another wallet will not solve the problem and that users should transfer their assets to a different wallet type as soon as possible.
Warnings to users
SecondFi said it was working to isolate the affected addresses. In response, the team recommended that the application and browser add-ons be removed, and that users with the appropriate means should move their assets to a hardware wallet. The company has only discontinued its front end at this point.
The researchers think the problem may not be limited to a limited number of keys. According to some analysis, all private keys generated through SecondFi may be at risk. It was reported that the company traced the exploit to its own wallet creation software.
Mini dictionary: A seed phrase is a string of words used to restore a crypto wallet. If this statement is compromised, private keys in the relevant wallet can be regenerated and assets can be moved without authorization.
Attacker’s method and on-chain findings
While users reported that they lost a significant amount of ADA, it was observed that the address used by the attacker became active in the early hours of June 24. Although it was stated that new outflows had stopped in recent hours, it was determined that the stolen Cardano NFTs were kept in a separate wallet.
On-chain researchers assess that the attacker may have already obtained the accessible key database. Accordingly, when the user signs a transaction to initiate a recovery process, the attacker can match the relevant address and drain the funds before the user. Therefore, some users only realized the loss when they tried to make a transaction.
On the other hand, researchers suggested that the attacker’s wallet was first funded from his Binance account. This detail is considered as an element that may facilitate tracing in identification investigations.
ADA price and compensation debate
Following the security incident, ADA dropped by 2.9 percent to $0.15 in the last 24 hours. The asset has lost more than 54 percent of its value since the beginning of the year, compared to its $0.42 level at the beginning of 2026. It was also reported that it went out of the top 20 crypto asset rankings.
While it was stated that there are still 352.4 million ADA in the Cardano treasury, the community began to discuss whether this resource could be used to compensate the losses of the victim wallet owners. However, there is no official decision taken in this direction.
