Skip to content
Est. MMXXVIVol. VI · № 299RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 299Private Key Compromise

SecondFi Wallet Key-Generation Exploit

A predictable-randomness flaw in SecondFi's Cardano wallet-generation software let attackers drain about $2.4M in ADA from 178 wallets, with up to $20M more potentially at risk.

Date
Victim
SecondFi (formerly Yoroi)
Chain(s)
Cardano
Status
Funds Stolen

On June 23, 2026, SecondFi — the Cardano self-custody wallet formerly known as Yoroi — disclosed that a flaw in its own wallet-generation software had let attackers drain roughly $2.4 million in ADA from 178 user wallets, with security firm SlowMist warning that as much as 129 million ADA (over $20 million) could ultimately be at risk. Cardano's base protocol was not compromised; the weakness lived entirely in SecondFi's client software.

What happened

The root cause was predictable randomness in the software that creates new wallets and their private keys. Because the key-generation routine did not draw from sufficient entropy, the resulting private keys were guessable — meaning every wallet produced by that iteration of the software is potentially compromised, including accounts that have not yet been drained. Attackers swept ADA, native tokens and NFTs from affected accounts; on-chain trackers identified about 178 drained wallets, with suspicious activity concentrated in the June 21–22 window before the public disclosure on June 23. The confirmed loss stands near $2.4 million, but SecondFi has cautioned that the official figure is a floor, not a ceiling, pending an independent review.

Aftermath

SecondFi immediately suspended services and entered maintenance mode, took a snapshot of user balances to freeze a record of holdings, and urged users to move funds out of any wallet generated by the affected software. The team said it is finalizing a technical review with a leading blockchain security firm and is coordinating with major Cardano stakeholders — Input Output Global (IOG), the Cardano Foundation, IntersectMBO and SundaeSwap — to manage the fallout. No reimbursement timeline has been announced, and no funds had been recovered at the time of disclosure.

Why it matters

Weak key generation is one of the most catastrophic failure modes in crypto because it breaks every wallet at once, not just one victim. The incident echoes the Wintermute Profanity exploit, where a predictable vanity-address generator let an attacker recompute a private key and steal $160M, and it lands the same month as the key-handling failure at Humanity Protocol. For a widely used consumer wallet, a single flawed entropy source converts the convenience of self-custody into a systemic liability — and underscores why deterministic, well-audited randomness is non-negotiable in any tool that mints private keys.

Sources & on-chain evidence

  1. [01]coindesk.comhttps://www.coindesk.com/business/2026/06/24/secondfi-loses-usd2-4-million-in-cardano-wallet-exploit-with-up-to-usd20-million-at-risk
  2. [02]cryptobriefing.comhttps://cryptobriefing.com/secondfi-exploit-drains-cardano-users/
  3. [03]cryptobriefing.comhttps://cryptobriefing.com/secondfi-wallet-vulnerability-cardano-drain/
  4. [04]en.cryptonomist.chhttps://en.cryptonomist.ch/2026/06/24/secondfi-cardano-exploit-losses/
  5. [05]cryptotimes.iohttps://www.cryptotimes.io/2026/06/24/cardano-project-secondfi-halts-services-as-hack-estimates-hit-20m/

Related filings