Cardano wallet provider SecondFi lost approximately 16 million ADA, worth around $2.4 million at the time, after attackers exploited a flaw in the company’s wallet generation software, compromising 374 addresses across three separate incidents and triggering a reimbursement process for affected users.
SecondFi disclosed this week that approximately 16 million ADA, valued at about $2.4 million at the time of the attack, was siphoned from 374 compromised addresses in three separate attacks.
The company said it has completed a final snapshot of impacted assets and expects to begin returning eligible user funds within approximately two weeks while engineers finalize recovery procedures and security reviews.
The exploit, disclosed in late June, affected wallets created using SecondFi’s proprietary infrastructure rather than the Cardano blockchain itself, according to company statements and independent security assessments.
Recovery efforts intensify as users await reimbursement
SecondFi said emergency measures allowed it to secure approximately 129 million ADA before attackers gained access to additional accounts.
Those assets have reportedly been transferred to an independent third-party custodian pending verification and distribution to affected users.
“To provide more clarity, we have identified the nature of the incident: it is at the address level. The security risk affects users' wallets when a transaction is signed,” SecondFi said in a statement posted on X.
The company has urged users not to import their existing recovery phrases into another Cardano wallet, warning that the vulnerability cannot be mitigated simply by migrating to a different wallet interface.
SecondFi indicated that its engineering and security teams have already completed a balance snapshot of the affected accounts and are advancing plans to restore assets.
Operations are expected to resume only after an additional security review is completed.
For affected users, the waiting period has added uncertainty to an already difficult episode.
Several community members reported losses ranging from hundreds to thousands of dollars, while others indicated that their assets had been swept into designated recovery wallets controlled by the company.
Security experts say wallet software remains an overlooked risk
The incident has drawn attention to a frequently overlooked attack surface within decentralized finance: wallet generation software.
Mitchell Amador, chief executive officer of Immunefi, said SecondFi’s wallet software exposed the private keys it generated.
Amador added that the underlying blockchain was not compromised, and noted that wallet creation mechanisms often receive less scrutiny than smart contracts even though they are just as security-critical.
Blockchain security firm SlowMist estimates that total damages linked to compromised wallets and associated assets could ultimately exceed $20 million.
The exploit also prompted comments from Cardano founder Charles Hoskinson, who sought to distinguish the incident from issues affecting the Cardano network itself.
Hoskinson stressed that there is no ownership, control, or business relationship between Input Output Global and SecondFi, and said the exploit originated from third-party wallet software rather than the Cardano protocol.
The exploit revives debate over self-custody practices
The breach arrives at a sensitive moment for the cryptocurrency industry, where self-custody solutions have increasingly been promoted following the collapse of several centralized exchanges over the past three years.
While the principle of “not your keys, not your coins” remains widely supported among cryptocurrency advocates, the SecondFi incident demonstrates that self-custody is not immune from implementation risks.
Security specialists have long advised users to separate large holdings into hardware wallets, maintain offline backups of seed phrases, and carefully verify the security track record of wallet providers before generating addresses.
The event may also encourage broader discussions around wallet audits and standardized security certifications, areas that remain less mature than smart contract auditing practices despite billions of dollars being held in self-custody applications.
As SecondFi prepares its reimbursement process, investors and developers across the Cardano ecosystem will be closely watching whether the company can successfully return assets and restore confidence among users who entrusted the platform with safeguarding their digital wealth.