Cardano project SecondFi faces $20m loss warning after flaw

SecondFi, a Cardano ecosystem wallet project, said it has traced a recent security incident to its native Cardano web wallet generation software

Summary

• SecondFi traced the breach to its Cardano wallet generation software after pausing platform activity Tuesday.
• SlowMist founder Cos said suspected hacker wallets suggest potential losses could exceed $20 million overall.
• The incident adds pressure on Cardano as ADA trades near multi-year lows again this month.

The team said it had contained the issue and paused affected services while it reviewed the full scope.

“We have isolated the root cause of the recent security incident,” said SecondFi in a security update. “The issue was confined to our native Cardano web wallet generation software.”

🚨 SECURITY UPDATE: Root Cause & Blast Radius Confirmed

We have isolated the root cause of the recent security incident. The issue was confined to our native Cardano web wallet generation software.

Our team has completed an onchain analysis to determine the scope of impact, and…

— SecondFi (@secondfiapp) June 23, 2026

SecondFi said its on-chain review put the preliminary scale at around 16 million ADA. The team also said it was working with a blockchain security firm on an independent technical review.

SlowMist founder sees larger loss risk

SlowMist founder Cos, also known as Yu Xian, said the damage could be far larger than SecondFi’s early figure. He said the estimate depends on whether two Cardano addresses he tracked are confirmed as attacker wallets.

“The users of this wallet have likely lost over $20 million,” said SlowMist founder Cos in an X post. He said the possible loss may involve more than 129 million ADA and other tokens.

我对 Cardano 生态其实挺陌生的，昨晚围观了一晚，但如果以下都是黑客地址（从行为上应该是）：

addr1q8g8cgwqw98q2mrzrwgcy3wectdxwem8a8zp9r2mn6wjy7q4x7gcpv39wwurj7n72akw4kd0dgmv72gz4j92fvhn29ss7vuz99… https://t.co/gFxun3Wfdo

— Cos(余弦)😶‍🌫️ (@evilcos) June 24, 2026

Cos later said the transaction pattern suggested an attacker may have obtained a batch of mnemonic phrases or private keys before moving funds over many hours. He said the transfers appeared to move from larger amounts to smaller ones.

Users wait for final review

SecondFi has not yet released a final technical report or a detailed compensation plan. The project said it would continue to share updates as the independent review confirms the scope and cause.

The case has drawn attention because the issue involves wallet generation, not only a smart contract or front-end error. If key generation fails, wallets created through the affected software may face direct risk.

SecondFi is the successor to Yoroi and was launched by EMURGO as a self-custody neofinance app for spending, trading, earning and saving. Cardano’s official app catalog lists SecondFi as a self-custody platform built by EMURGO.

As previously reported by crypto.news, Cardano has already faced market and ecosystem pressure this month. ADA fell below $0.20 in June, while several Cardano projects and governance fights drew wider attention. At press time, ADA traded at around $0.15, down almost 3% in the past 24 hours.

Cardano (ADA) price chart, source: crypto.news## Security concerns spread beyond Cardano

The SecondFi case adds to a wider run of crypto wallet and platform security issues. In a recent update, crypto.news covered Trezor Safe 7 after Ledger Donjon found a chip flaw, though Trezor said user funds remained safe.

Previously, crypto.news explored Bo Shen’s reopened $42 million wallet hack case. SlowMist had linked that theft to a compromised mnemonic seed phrase, showing how seed phrase exposure can leave lasting recovery problems.

SecondFi users now need to follow only official project channels and avoid support scams. Breach events often trigger fake recovery accounts that ask for seed phrases, private keys or transfers.

The final loss figure remains unconfirmed. For now, SecondFi’s public estimate stands near 16 million ADA, while SlowMist’s Cos says suspected hacker activity could push possible user losses above $20 million.