SecondFi, the Cardano-based self-custody wallet platform formerly known as Yoroi and developed by Emurgo, has detailed a structured path to restore funds to users impacted by a security incident that occurred in late June 2026. The company confirmed it will work toward returning affected assets within roughly two weeks while prioritizing safety and thorough verification.
The breach stemmed from a vulnerability in SecondFi’s proprietary wallet generation software.
Specifically, a flaw in deterministic nonce derivation allowed external threat actors to reconstruct private keys using publicly available on-chain data.
This enabled unauthorized access when affected users signed transactions. The issue was isolated to the address level rather than a broader protocol weakness in Cardano itself.
According to official updates, four draining events took place.
Three were carried out by external attackers, resulting in the loss of approximately 16 million ADA—valued at around $2.4 million at the time—from 374 wallet addresses.
In response, SecondFi immediately placed the platform into maintenance mode, paused front-end interactions, and triggered emergency rescue measures.
These actions successfully secured an additional 129 million ADA by routing the funds to an independent third-party custodian before further losses could occur.
An external accounting firm was engaged to audit and verify the protected holdings.
Blockchain security firm SlowMist has suggested the overall impact could be significantly larger—potentially exceeding $20 million when accounting for other tokens, NFTs, and additional affected holdings beyond the confirmed ADA drain.
SecondFi has since deployed a patch for unaffected wallets and completed forensic investigations, balance snapshots, and security reviews.
In its latest update shared on June 27, 2026, Emurgo CEO Phillip Pon confirmed that teams had identified a clear recovery solution tailored to existing wallet states.
The timeline calls for one week dedicated to building the technical recovery mechanism, followed by another week of testing and security validation before assets begin returning to users.
A final balance snapshot was captured on June 26 to support accurate restitution.
SecondFi and Emurgo have strongly advised affected users against independently restoring their recovery phrases into other Cardano wallets or moving funds on their own.
Such actions could disrupt the coordinated recovery process or introduce additional risks, as the vulnerability activates upon transaction signing.
The only recommended step at this stage is to submit a support ticket through official channels at support.secondfi.io.
No user participation in asset transfers or key sharing is required yet, and the companies have reiterated that they will never request private keys, seed phrases, or direct wallet access.
The teams emphasized that malicious actors are actively impersonating SecondFi with fraudulent messages and fake support accounts.
Users are urged to ignore any unsolicited communications and rely solely on verified official sources.
Operations remain paused until full security reviews are complete and confidence in the platform is restored.
This incident underscores the persistent security challenges facing cryptocurrency wallets, even those backed by established ecosystem players like Emurgo.
While the direct losses represent a notable setback for affected crypto users, the rapid containment efforts, external auditing, and commitment to restitution within a defined two-week window reflect a focus on minimizing long-term harm.
SecondFi has expressed appreciation for community patience and support throughout the response. The company plans to provide further proactive updates as the recovery process advances.