SecondFi loses $2.4 million in Cardano wallet exploit
What happened?
SecondFi said three external attacks drained about 16 million ADA from 374 wallets after attackers exploited a flaw in its proprietary wallet generation software. The Cardano wallet provider says it has rolled out a patch for unaffected users and moved a further 129 million ADA to a third-party custodian before attackers could reach it.
Why it matters
SecondFi, the Cardano wallet formerly known as Yoroi, said it suffered three separate external attacks that drained roughly 16 million ADA, worth about $2.4 million, from 374 user wallets. The company said the exploit came from a flaw in its proprietary wallet generation software and that a patch has been rolled out for unaffected users.
The incident matters because it points to a wallet-level security failure affecting user access and custody, not a broad market move. According to SecondFi, simply moving a seed phrase to another wallet does not protect affected users because the vulnerability sits at the address level and can be triggered when a transaction is signed.
SecondFi said it took emergency measures before attackers could reach an additional 129 million ADA, sending those funds to an independent third-party custodian. The company has also engaged an external accounting firm to verify the holdings and said affected users can submit claims directly to SecondFi.
Blockchain security firm SlowMist estimated that total losses could exceed $20 million once the full range of compromised wallets and tokens is counted. CoinDesk noted that figure remains unconfirmed pending an independent audit.
Cardano founder Charles Hoskinson acknowledged the incident, saying the dollar amount was modest compared with some other crypto hacks while also stressing that losses still matter to affected users. ADA was trading around $0.15, its lowest level since 2020, according to the source report.