SecondFi, a wallet provider in the Cardano ecosystem, has initiated the refund process for users affected by automated attacks that occurred between June 21 and 23. The company announced that the final balance snapshot was taken on June 26 and that refund transactions will be carried out on the basis of this record. SecondFi was previously known as Yoroi Wallet.
Source of vulnerability
According to the company’s investigation, the vulnerability used in the attack was caused by an error in the wallet creation software. According to the company's description, the problem arose from a deterministic nonce derivation error in the software signer. This bug allowed attackers to reconstruct private keys from public on-chain data.
Mini dictionary: A nonce is a one-time number used in digital signature generation. A predictable or incorrect derivation of this value can lead to the disclosure of the private key in some signature schemes.
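One way a signer's nonce derivation can be regression-tested, as an added example that is not SecondFi's code. It assumes an Ed25519-style signer following RFC 8032; the two flawed variants are hypothetical illustrations, not the actual SecondFi defect, which the company's description does not detail.

```python
import hashlib

# Order of the Ed25519 base-point subgroup (RFC 8032).
L = 2**252 + 27742317777372353535851937790883648493


def rfc8032_nonce(seed: bytes, message: bytes) -> int:
    """Nonce r = SHA-512(prefix || M) mod L; prefix is the upper half of SHA-512(seed)."""
    prefix = hashlib.sha512(seed).digest()[32:]
    return int.from_bytes(hashlib.sha512(prefix + message).digest(), "little") % L


def flawed_nonce_no_message(seed: bytes, message: bytes) -> int:
    """Hypothetical defect: the message is left out, so one key always gets one nonce."""
    prefix = hashlib.sha512(seed).digest()[32:]
    return int.from_bytes(hashlib.sha512(prefix).digest(), "little") % L


def flawed_nonce_no_secret(seed: bytes, message: bytes) -> int:
    """Hypothetical defect: the nonce is built from public data only."""
    return int.from_bytes(hashlib.sha512(message).digest(), "little") % L


def audit_nonce_derivation(derive) -> list:
    """Return the properties a nonce derivation fails; an empty list means it passed."""
    seed_a, seed_b = bytes(32), bytes([1]) * 32   # constructed test seeds
    msg_a, msg_b = b"tx-body-1", b"tx-body-2"      # constructed messages
    failures = []
    if derive(seed_a, msg_a) != derive(seed_a, msg_a):
        failures.append("not deterministic")
    if derive(seed_a, msg_a) == derive(seed_a, msg_b):
        failures.append("nonce repeats across messages")
    if derive(seed_a, msg_a) == derive(seed_b, msg_a):
        failures.append("nonce does not depend on the secret")
    if not 0 <= derive(seed_a, msg_a) < L:
        failures.append("nonce out of range")
    return failures


if __name__ == "__main__":
    for fn in (rfc8032_nonce, flawed_nonce_no_message, flawed_nonce_no_secret):
        print(fn.__name__, audit_nonce_derivation(fn) or "ok")
```

A check like this belongs in the signer's test suite so that a change to the derivation inputs fails the build before release.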
SecondFi reported that the wallet drain operations were carried out by two separate actors. According to the statement dated June 25, the first attacker targeted 171 wallets in two waves. The second attacker withdrew assets from 203 wallets in a separate scan.
SecondFi stated that 4.02 million ADA related to the attack are currently held in a single collection wallet and that this address is being monitored.
Warnings to users
The company asked affected users not to move their recovery phrases to another Cardano wallet. According to the company, the risk arises directly from the address-level keys, not from the application used. Therefore, reusing the same recovery phrase in other software does not eliminate the problem.
In the guidance dated June 26, it was stated that every transaction signed from an affected address leaks enough information to the attackers to derive the private key. The company also emphasized that staking rewards should not be claimed. The reason given was the possibility that attackers could target the remaining assets by monitoring new transactions in the mempool.
Stating that the keys for the affected addresses remain exposed, the company warned that moving them to a different wallet will not provide protection.
Refund fund and current situation
SecondFi and its umbrella organization EMURGO have secured approximately 129 million ADA under emergency containment measures. EMURGO is known as one of the institutions operating in the field of infrastructure and commercial development in the Cardano ecosystem. The company noted that these assets will be kept until recovery operations are completed.
In addition, it was announced that a separate reimbursement fund was being worked on to compensate affected users. SecondFi stated that normal operations will not begin until the systems are inspected by independent security companies and approved for reactivation. While the company remains in maintenance mode for now, users can apply through the official support channel.
ADA is trading at approximately $0.148 at the time of writing. This level indicates an increase of over 3 percent in the last 24 hours. The asset was traded at around $0.15 after the attack, and decreased by approximately 2.9 percent in the first 24 hours after the incident was made public. The token has lost more than 54 percent of its value since the beginning of the year, compared to its $0.42 level at the beginning of 2026.


