
SecondFi Hack Puts Cardano Users at Risk After Predictable Private Key Flaw


This article was first published on The Bit Journal.

A recent SecondFi hack has stirred fear through the Cardano community after a vulnerability was discovered in SecondFi’s wallet-generation software. The flaw exposed users to one of the most dangerous forms of crypto compromise: predictable private keys.

On June 23, SecondFi, the self-custody platform formerly known as Yoroi, revealed that attackers had taken advantage of a weakness in its proprietary Cardano wallet-generation system. In response to the breach, the company shut down services, disabled frontend interactions and went into maintenance mode as it worked to figure out what had happened.

Initial loss estimates put the figure at roughly 16 million ADA, equivalent to about $2.4 million, but experts now think the total amount lost could be higher, in excess of $20 million.

The hack has left Cardano users with a lot to think about because the flaw didn’t target a smart contract or an exchange. Instead, it affected the software responsible for generating the private keys that keep wallets secure.

Wallet Generation Flaw Exposed Hundreds of Users

According to SecondFi, the breach was found to have originated in its native Cardano web wallet-generation software. This component creates wallets and generates the private keys used to access crypto assets.

The company said that only a limited number of wallets were affected, but community researchers and on-chain analysis suggest that nearly 178 wallets had their private keys compromised and that nearly 200 suspicious transactions were detected between June 21 and June 22. As a precaution, SecondFi captured user balances to keep a record of what happened for any future recovery efforts.

This SecondFi hack did not follow the usual pattern of a phishing attack or a smart contract exploit. Instead, the flaw caused the software to produce private keys with predictable randomness.

Security researchers are warning that any wallet that was generated using the affected version of the software could still be at risk even if the user hasn’t lost any money yet.

This is a big problem because it means that even if users had followed the usual rules of self-custody, they could still have been left exposed.


Why Do The Loss Estimates Keep Changing?

Another issue that is still up in the air is the size of the losses.

SecondFi initially put the total amount stolen at approximately 16 million ADA, which was roughly equivalent to $2.4 million at the time of the incident. However, blockchain security researcher Cos, the founder of SlowMist who is also known as Yu Xian, published a separate analysis after tracing suspected attacker wallets.

Based on what he found, he thinks the losses could be more like 129 million ADA plus even more tokens, putting the total damage at over $20 million.

The reason for the difference between the two figures is still unclear.

SecondFi says it is conducting an independent technical review with an external blockchain security firm and will release a final damage assessment once the review is complete. Until then, most analysts are treating the official estimate as a minimum, not the final total.

The Reputational Costs Are Going to be High

The reputational fallout from the hack extends far beyond the actual financial losses.

SecondFi has its roots in Yoroi, one of Cardano’s earliest and most widely used light wallets. Developed by EMURGO, one of Cardano’s three founding organizations, Yoroi became a go-to entry point for ADA holders over several years.

Earlier this month, EMURGO wrapped up the transition from Yoroi to SecondFi, rolling out version 10.0.3 on June 7. It also moved to expand the platform into a more all-encompassing financial platform that lets users spend, trade, earn and save, alongside integration with Visa.

The sequence of events would explain why the SecondFi hack has stirred up so much attention.

Ordinarily, a security breach at some small startup would raise a few eyebrows. But when it’s an entity directly tied to one of Cardano’s core founders, it raises trust concerns right across the Cardano ecosystem.

SecondFi has said they are working closely with EMURGO, the Cardano Foundation, Input Output, Intersect and SundaeSwap to get on top of the situation.


What ADA Holders Should Do Next

Security experts have issued unusually direct guidance. Cardano firm Blink Labs has warned that wallets created through the affected software should probably be considered unsafe. Users are being urged to move their funds over to wallets generated by some other provider right away and then generate completely new seed phrases.

Scammers have also begun exploiting the situation. SecondFi has put out a warning about fake support accounts popping up on X and Telegram, telling people to be very careful and to verify that any communication comes from official channels.

While SecondFi now has a record of affected holdings, they haven’t said anything yet about a reimbursement plan or timeline.

Conclusion

The SecondFi hack stands out because it targeted the very core of self-custody: the generation of a user’s private key.

With an estimated 178 wallets compromised, losses said to be between $2.4 million and more than $20 million, and fears that more wallets may still be vulnerable, the incident has turned into one of the biggest security events to hit the Cardano ecosystem in 2026.

Users are still waiting to see whether recovery efforts and any potential compensation will be set up to keep things under control.

Glossary

SecondFi: Self-custody financial platform on Cardano that used to be known as Yoroi.

Private Key: A cryptographic key that lets people access and move their cryptocurrency.

ADA: Cardano’s native cryptocurrency.

Self-Custody: When users hold and manage their own crypto assets, with no third-party help needed.

Wallet Generation: The process of creating a crypto wallet and its associated private keys.

Frequently Asked Questions About the SecondFi Hack

What triggered the SecondFi hack?

A vulnerability in SecondFi’s wallet-generation software produced predictable private keys, which allowed attackers to get to the affected wallets.

How many wallets were involved in the SecondFi hack?

So far, around 178 wallets were compromised.

How much did they get away with?

SecondFi recorded that they lost 16 million ADA (that’s $2.4 million), while SlowMist reckons it might have been over $20 million.

Has SecondFi said whether they’ll be compensating customers?

No, they haven’t confirmed any reimbursement plan or timeline yet.
