NEW YORK – The attack arrived in silence. No phishing link, no malware prompt, no deceptive approval request. Three hundred and seventy-four Cardano wallet holders woke up between June 21 and 23 to find their funds gone, and the most unsettling part was not the amount stolen but the method: attackers had reconstructed their private keys from information that was already public.
SecondFi, the self-custody neofinance platform built by EMURGO, one of the three founding entities of the Cardano blockchain, confirmed this week that a flaw in its wallet generation software had exposed users to exactly that kind of attack. A deterministic nonce derivation error in the platform’s software signer meant that every transaction ever signed by an affected address broadcast enough mathematical information for an attacker to work backward and reconstruct the private key. The wallet did not need to be broken into. It only needed to have been used.
Sixteen million ADA, worth approximately $2.4 million at the time of the exploit, left 374 wallets in four separate draining events across 72 hours. EMURGO says its teams intervened to rescue a further 129 million ADA, roughly $19 million, by routing those funds to a third-party custodian before attackers could reach them. The company identified two attacker addresses and has committed to a two-week recovery timeline for affected users, with a final balance snapshot of all 374 compromised wallets completed as of this week.
Security research firm Tibane Labs traced the vulnerability to an unaudited third-party SDK that replaced EMURGO’s audited signing code on June 8 — thirteen days before the first wallet was drained. The substitution introduced the nonce flaw that made key reconstruction possible. EMURGO has not published a technical postmortem and has not publicly addressed Tibane’s attribution. The company said only that it has identified a recovery path and that engineering teams are working through multiple technical approaches in parallel.
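
A regression check that signer output could be run through before and after a signing-library change, as an added example that is not EMURGO's or Tibane Labs' code. It assumes the nonce flaw shows up as the same Ed25519 nonce commitment R (the first 32 bytes of a signature) appearing under one public key for two different messages, which the reporting above does not confirm; `SignedTx`, `find_nonce_reuse` and the sample data are constructed for illustration.

```python
"""Audit signer output for nonce-commitment reuse (added example)."""
from collections import defaultdict
from typing import Iterable, NamedTuple


class SignedTx(NamedTuple):
    pubkey: bytes     # 32-byte Ed25519 public key
    message: bytes    # bytes that were signed, e.g. a transaction body hash
    signature: bytes  # 64-byte Ed25519 signature: R (32 bytes) || S (32 bytes)


def find_nonce_reuse(records: Iterable[SignedTx]) -> dict[bytes, list[bytes]]:
    """Return {pubkey: [R, ...]} for every R seen with more than one message.

    Deterministic Ed25519 legitimately repeats R when the same message is
    re-signed, so only distinct messages under one (pubkey, R) are flagged.
    """
    seen: dict[tuple[bytes, bytes], set[bytes]] = defaultdict(set)
    for rec in records:
        if len(rec.pubkey) != 32 or len(rec.signature) != 64:
            raise ValueError("expected 32-byte key and 64-byte signature")
        seen[(rec.pubkey, rec.signature[:32])].add(rec.message)

    exposed: dict[bytes, list[bytes]] = defaultdict(list)
    for (pubkey, r), messages in seen.items():
        if len(messages) > 1:
            exposed[pubkey].append(r)
    return dict(exposed)


# Constructed sample data: placeholder byte strings, not real keys or signatures.
KEY_A, KEY_B = b"\xaa" * 32, b"\xbb" * 32
R1, R2, R3 = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
S1, S2 = b"\x11" * 32, b"\x22" * 32

SAMPLE = [
    SignedTx(KEY_A, b"tx-1", R1 + S1),
    SignedTx(KEY_A, b"tx-2", R1 + S2),  # same R, different message: flagged
    SignedTx(KEY_A, b"tx-3", R2 + S1),
    SignedTx(KEY_B, b"tx-4", R3 + S1),
    SignedTx(KEY_B, b"tx-4", R3 + S1),  # identical re-sign: benign
    SignedTx(KEY_B, b"tx-5", R1 + S2),  # R1 under another key: not flagged here
]

if __name__ == "__main__":
    for key, rs in find_nonce_reuse(SAMPLE).items():
        print(f"key {key.hex()[:8]} reused R {[r.hex()[:8] for r in rs]}")
```

A non-empty result means the listed keys should be treated as exposed and retired, which matches the warning in the article that moving the seed phrase to other software does not help.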
The nature of the flaw creates a problem that outlasts the immediate theft. SecondFi has warned affected users not to import their seed phrases into a different Cardano wallet and continue using the same addresses. The vulnerability exists at the key level, not the application level. An address whose private key has been mathematically exposed remains exposed regardless of which software holds the seed phrase. Signing a new transaction from a compromised address could allow the same attackers, or anyone who has since acquired the reconstructed key, to drain whatever funds flow into it.
That instruction runs directly against the instinct of every user who has ever been told that self-custody means safety. The seed phrase is supposed to be the inviolable escape route: your keys, your coins, recoverable on any compatible wallet. SecondFi’s users followed that doctrine and now find themselves holding seed phrases that unlock accounts that are permanently compromised at the cryptographic level. The promise of self-custody did not fail. The software generating the keys did.
SecondFi was formerly known as Yoroi, one of the most widely used Cardano wallets since the blockchain’s early years. EMURGO relaunched it as a neofinance platform in 2026, integrating DeFi functionality with traditional finance rails including a Visa card partnership with Wirex. The relaunch positioned SecondFi as proof that Cardano’s infrastructure had matured enough to support serious financial products. The exploit, arriving weeks after launch, lands at the worst possible moment for that narrative.

The episode joins a sobering recent pattern in the broader crypto security landscape. Secret Network lost $4.67 million to an infinite-mint exploit in June after a bridge flaw went undetected for seven days. Ethereum’s largest sandwich bot lost $7.5 million to a counter-honeypot the same week. What distinguishes the SecondFi case is not the dollar figure but the mechanism: most crypto exploits target smart contract logic, bridge infrastructure, or user behavior. This one targeted the cryptographic primitive that the entire security model of self-custody depends on.
The question of how an unaudited SDK replaced audited signing code in production without triggering a review process is one that EMURGO has not yet answered publicly. Blockchain security firms and independent researchers have flagged this as a more consequential disclosure than the theft itself. A $2.4 million loss is recoverable, as EMURGO has pledged to do. A software development process that allows unaudited cryptographic code to reach production without detection is a systemic risk that a refund schedule does not address.
Independent audits of the affected codebase are ongoing, according to EMURGO, and the company says it will publish findings once the recovery process is complete. Whether the two-week refund timeline holds depends on which of the parallel technical approaches its engineering teams are pursuing proves viable first. SlowMist, the blockchain security firm, has separately estimated that total losses could exceed $20 million pending that independent audit, a figure higher than EMURGO’s own accounting of what was drained versus what was rescued.
For the 374 affected users, the immediate question is simpler and harder: they are waiting on refunds from a company whose software failed them, with no on-chain recourse and no regulatory backstop. The attacker addresses have been identified. The funds have not been recovered. What EMURGO can actually return, and from what source, is the detail the two-week clock is measuring.

