SecondFi (Formerly Yoroi) Halts Services After a Cardano Wallet Flaw Drains Users: $2.4M Confirmed, Up to $20M at Risk

— By Tony Rabbit in News

SecondFi, the Cardano self-custody platform formerly known as Yoroi, has halted services after a flaw in its wallet-generation software let attackers reach user private keys. SecondFi confirmed about 16 million ADA (around 2.4 million dollars) drained from roughly 178 wallets, while security firm SlowMist warns total exposure could exceed 20 million dollars. Here is what happened and what affected users should do.

SecondFi, the Cardano self-custody platform that is the rebrand of the long-running Yoroi wallet built by EMURGO, has halted services after a security incident that drained user funds. According to the project's disclosure on June 23, 2026, and reporting from Crypto Briefing, Crypto Times, and crypto.news, the root of the problem was not a smart contract bug but something more fundamental: the software that generated wallets produced private keys with predictable randomness, which let attackers reach the keys of affected users.

SecondFi has paused affected functions, entered maintenance mode, taken a balance snapshot, and urged users to move their funds. The numbers attached to the incident vary widely depending on who is counting, and that gap is the most important thing to understand.

Confirmed losses versus the worst-case warning

SecondFi's own preliminary assessment is the conservative figure: roughly 178 wallets compromised and about 16 million ADA, worth around 2.4 million dollars at the time, drained, along with an unspecified amount of tokens and NFTs. The suspicious activity clustered into roughly 200 transactions around June 21 and 22, 2026.

Blockchain security firm SlowMist, whose founder goes by Cos, put out a much larger number. Tracking the attacker's movements overnight, SlowMist estimated that total potential losses could exceed 20 million dollars, possibly as much as 129 million ADA. The key word is potential. That figure is an at-risk estimate that covers wallets created with the flawed software that have not yet been drained, not confirmed stolen funds, and it has not been endorsed by SecondFi, which says the exact loss will be disclosed after an independent technical audit. The honest framing is a confirmed drainage of about 2.4 million dollars and a worst-case exposure, per SlowMist, north of 20 million.

Why a key-generation flaw is so dangerous

Most DeFi exploits attack a smart contract. This one attacked something underneath it. A crypto wallet's entire security rests on the private key being generated from genuinely unpredictable randomness, so that no one can guess or reproduce it. According to SecondFi and SlowMist, the platform's native Cardano web wallet-generation software used randomness that was predictable, which means the keys it produced were too. If an attacker can model how keys were generated, every wallet made with that software is exposed at once, with no phishing or contract trick required. SecondFi said the issue was confined to its native Cardano web wallet generation. This explanation is the cause stated by the project and SlowMist and is still pending an independent audit.
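To make the point about predictable randomness concrete, here is an added JavaScript example (not SecondFi, Yoroi or SlowMist code) contrasting entropy drawn from a seeded non-cryptographic generator with entropy drawn from the platform CSPRNG. The article does not say how the affected randomness was predictable, so the time-seeded generator and every function name below are hypothetical stand-ins.

```javascript
// Added illustration, not SecondFi or Yoroi code. The time-seeded generator is
// a constructed stand-in: the article does not say how the real flaw worked.

// Browsers and recent Node expose Web Crypto globally; older Node needs require.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// mulberry32: a fast, NON-cryptographic PRNG whose whole state is 32 bits.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// WEAK (hypothetical): 16 "entropy" bytes fully determined by a timestamp.
function weakEntropy(createdAtMs) {
  const next = mulberry32(createdAtMs);
  return Uint8Array.from({ length: 16 }, () => Math.floor(next() * 256));
}

// HARDENED: 128 bits taken directly from the platform CSPRNG.
function strongEntropy() {
  return webcrypto.getRandomValues(new Uint8Array(16));
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// Audit check: output that repeats for the same external input carries no
// secret of its own, so anyone who learns the input can rebuild the key.
function isReproducible(generate, input) {
  return toHex(generate(input)) === toHex(generate(input));
}

// Upper bound, in bits, on the key space when the only unknown is a creation
// time inside a window of windowMs milliseconds and the PRNG state is small.
function effectiveBits(windowMs, stateBits = 32) {
  return Math.min(Math.log2(windowMs), stateBits);
}

const sampleMs = 1700000000000; // constructed timestamp, not from the incident
console.log('weak repeats:  ', isReproducible(weakEntropy, sampleMs));
console.log('strong repeats:', isReproducible(strongEntropy, sampleMs));
console.log('bits, 1-day window:', effectiveBits(86400000).toFixed(1), 'vs 128');
```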

This is the defining DeFi attack pattern of 2026

The SecondFi incident is a textbook example of where DeFi losses are actually coming from this year. Across 2026, stolen keys, credential theft, and access compromise have overtaken smart contract bugs as the dominant cause of DeFi losses, with several trackers attributing a large majority of stolen value to that category rather than to flawed code. We have covered the scale of this in our roundup of 2026's largest DeFi hacks, where the biggest incidents came from compromised infrastructure rather than buggy contracts. A weak random number generator sitting under a wallet is the same lesson in a different place: the code that holds your keys matters as much as the contracts you interact with.

It also lands on a small stage. Cardano's DeFi sector is modest, with total value locked in the rough range of 130 to 142 million dollars in 2026 by DeFiLlama-derived data, which places it well outside the top 20 chains. By our own back-of-envelope math against that range, even the confirmed 2.4 million dollar loss is a meaningful slice of Cardano DeFi, and a 20 million dollar worst case would be a large share of it, while the same amount would barely register against Ethereum's tens of billions.

What affected users should do

If you created a Cardano wallet through SecondFi or the older Yoroi web flow, the safe assumption is that the wallet may be compromised, regardless of whether it has been touched yet. Follow SecondFi's official guidance, generate a brand new wallet using trusted, well-audited software, and move any remaining funds to it as soon as possible. Do not import the old recovery phrase into the new wallet, since the weakness is in how that phrase was created. Be wary of anyone offering a recovery or refund tool, because fake helpers routinely follow incidents like this. Our guide on the immediate steps to take when a wallet is compromised walks through the process, and before moving into any new token you can sanity check its contract with the DEXTools Token Safety Checker. This article is information only and is not financial advice.