SecondFi Wallet Exploit Drains 16M ADA, $20M Still at Risk



What to Know

  • SecondFi said three external attacks drained 16 million ADA, worth about $2.4 million, from 374 wallets.
  • The breach reportedly stemmed from a flaw in SecondFi’s proprietary wallet generation software.
  • The company has rolled out a patch for users who were not affected by the exploit.
  • SecondFi said it moved 129 million ADA to a third-party custodian before attackers could access those funds.
  • Blockchain security firm SlowMist estimates total losses could exceed $20 million pending an independent audit.
  • Users cannot fix the issue by moving a seed phrase to another wallet because the vulnerability operates at the address level.
  • Affected users must submit claims directly to SecondFi rather than relying on a self-service workaround.

SecondFi confirms three separate attacks

Cardano wallet provider SecondFi has confirmed that three external attacks drained 16 million ADA from 374 wallets, translating to roughly $2.4 million at the time of the incident. The company said the breach was tied to a flaw in its proprietary wallet generation software, raising fresh concerns about how address creation and transaction signing can expose users when infrastructure is compromised.

The disclosure adds another security scare to the crypto sector, where wallet-level failures can be more damaging than broad market losses because they directly affect user custody. In this case, the attacks were not described as a protocol failure on the Cardano network itself, but rather as an exploit involving SecondFi’s own wallet generation process.

129 million ADA was moved before attackers arrived

SecondFi said its team was able to secure a further 129 million ADA before attackers could reach it by routing the assets to a third-party custodian. That preventive move may have materially reduced the scale of the incident, but it also underscores how quickly a software flaw can force emergency asset protection measures once a vulnerability is discovered.

According to blockchain security firm SlowMist, total losses could still exceed $20 million after the full scope of the breach is assessed. The final figure remains uncertain because an independent audit is still needed to determine which wallets were compromised, how the attacks unfolded, and whether additional exposure exists beyond the initial drain.

Why seed phrase changes will not help

One of the most important details for affected users is that moving a seed phrase into another wallet will not resolve the problem. SecondFi said the vulnerability activates at the address level when a transaction is signed, which means the issue is tied to how the wallet address was created or handled, not simply to the recovery phrase itself.

That distinction matters because many users assume changing wallets or regenerating access credentials is enough to neutralize a compromise. In this case, SecondFi’s guidance suggests the attack surface persists at the address layer, so users must follow the company’s claims process and await official remediation steps rather than attempting a manual workaround.

Patch deployed, but trust concerns remain

SecondFi said it has already deployed a patch for users who were not affected by the exploit. While that reduces the risk of further immediate compromise, the episode may still weigh on trust among Cardano users who rely on wallet providers to safeguard asset generation and transaction security.

Incidents like this often trigger a broader reassessment of operational controls, including code review, wallet generation design, custody practices, and real-time incident response. For users, the key takeaway is that even when blockchain infrastructure remains intact, the software layer surrounding wallet creation can become the weak point that attackers target.

What users should expect next

Affected users are being instructed to submit claims directly to SecondFi. Until the independent audit is completed, the company and outside security firms are likely to continue refining the total loss estimate and identifying whether any additional wallets were exposed beyond the 374 already confirmed.

For the Cardano ecosystem, the incident is a reminder that wallet security is a shared responsibility between users, wallet providers, and custodial partners. The size of the assets rescued before attackers could reach them suggests the issue was caught under pressure, but the event also shows how quickly a software flaw can escalate into a multimillion-dollar loss.

Frequently Asked Questions (FAQs)

What happened to SecondFi?

SecondFi said three external attacks exploited a flaw in its proprietary wallet generation software and drained 16 million ADA from 374 wallets.

How much money was lost?

The confirmed amount lost was about 16 million ADA, or roughly $2.4 million, though SlowMist says total losses could exceed $20 million.

Was the Cardano network itself hacked?

No. The issue appears tied to SecondFi’s wallet generation software rather than a failure of the Cardano blockchain protocol.

Can users protect themselves by moving to another wallet?

No. SecondFi said the vulnerability is triggered at the address level when a transaction is signed, so changing wallets alone will not remove the risk.

What should affected users do?

Affected users must submit claims directly to SecondFi and follow the company’s official remediation process.

How much ADA was saved before attackers reached it?

SecondFi said it moved 129 million ADA to a third-party custodian before attackers could access those funds.

Has SecondFi fixed the problem?

SecondFi says it has rolled out a patch for users who were not affected, but the full impact is still being reviewed through an independent audit.

Why is an audit important?

An independent audit will help determine the full scale of the breach, confirm which wallets were impacted, and verify whether any additional losses occurred.

What does this mean for Cardano users?

The incident highlights the importance of wallet security, especially where address generation and transaction signing can become targets for attackers.

Photo by Jonathan Borba on Pexels
