Skip to main content
Sign in
SecondFi (Cardano Wallet)1 decision on this page

Audit log

Every state-changing event for SecondFi (Cardano Wallet): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-06-26 12:04:07Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 429,017,688
    sig
    45awDpJuRFQk…g8ZMFGQ8explorer ↗
    hash
    GFUX44XrG94P…pQMexyP1sha256 → base58
    verifying row…full verify ↗
    canonical bytes (20673 B) ▸
    {"actor":"system:backfill","investigation_id":"fdd3c427-bdd2-4ada-af57-b950be89225b","kind":"publish","page_slug":"secondfi-cardano-wallet","published_at":"2026-06-26T12:04:07.773Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"SecondFi (Cardano Wallet)","sections":[{"content":"SecondFi is a self-custody cryptocurrency wallet and financial platform developed by EMURGO, one of the three founding entities of the Cardano blockchain ecosystem alongside IOHK and the Cardano Foundation. The platform was formerly known as Yoroi Wallet, which served over one million users and was one of the earliest and most widely adopted light wallets for Cardano. On April 22, 2026, at Money20/20 Bangkok, EMURGO formally introduced SecondFi as the successor product, describing it as a 'self-custody neofinance platform built for spending, trading, earning, and saving.' The transition was handled automatically via app updates requiring no user action, and existing Yoroi wallet data, assets, staking positions, and governance delegations were preserved.","heading":"Background and Ownership","severity":"low","sources":[{"credibility":1,"name":"Yoroi Wallet Is Evolving Into SecondFi: What You Need to Know — EMURGO","type":"official","url":"https://www.emurgo.io/press-news/yoroi-wallet-is-evolving-into-secondfi-what-you-need-to-know/"},{"credibility":1,"name":"Yoroi Wallet Is Evolving Into SecondFi — Cardano.org","type":"official","url":"https://cardano.org/news/2026-04-22-yoroi-wallet-is-evolving-into-secondfi/"}]},{"content":"Between June 21 and June 23, 2026, SecondFi's native Cardano web wallet generation software was exploited through a deterministic nonce-derivation flaw in its software signer. The vulnerability operated at the address level: each transaction signed by an affected address leaked sufficient on-chain information for an attacker to mathematically reconstruct the corresponding private key from publicly available blockchain data. Because the flaw was embedded in the key generation process itself rather than the application interface, standard seed phrase recovery provided no protection — compromised private keys remained exposed even if a user imported the same recovery phrase into an entirely separate Cardano wallet. SecondFi explicitly warned users not to attempt self-rescue via seed phrase migration. The Bitquery on-chain forensic report confirmed the weakness traced to 'weak randomness in SecondFi's key-generation code — not a flaw in Cardano itself.'","heading":"Exploit: Cryptographic Nonce-Derivation Flaw","severity":"critical","sources":[{"credibility":1,"name":"SecondFi Loses $2.4 Million in Cardano Wallet Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/06/24/secondfi-loses-usd2-4-million-in-cardano-wallet-exploit-with-up-to-usd20-million-at-risk"},{"credibility":2,"name":"How an Attacker Drained a Cardano Wallet's Users of More Than 129 Million ADA — Bitquery","type":"research","url":"https://bitquery.io/investigations/cardano-secondfi-129m-drain"},{"credibility":2,"name":"SecondFi Reveals Private Key Flaw Behind Cardano Wallet Exploit — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/secondfi-reveals-private-key-flaw-behind-cardano-wallet-exploit-issues-urgent-warning/"},{"credibility":2,"name":"Cardano Wallet Exploit: SecondFi Traces Attack to Private Key Flaw — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/cardano-wallet-exploit-secondfi-traces-attack-to-private-key-flaw-warns-users-not-to-restore-seed-phrases/"}]},{"content":"SecondFi's internal investigation identified two distinct threat actor groups that executed four separate automated wallet-draining campaigns. Attacker A operated two waves: Wave 1 began June 21 at approximately 8:29 PM UTC, in which three collector wallets activated simultaneously and drained approximately 12 million ADA from 198 wallets, liquidating stolen tokens through the Minswap decentralized exchange. Attacker A's second wave targeted an additional set of wallets. Attacker B independently conducted a third wave, compromising 203 additional wallets, with over 4 million ADA later identified sitting in a monitored collection address. Bitquery's forensic reconstruction documented 3,072 victim wallets drained across both attacker campaigns, with 129.4 million ADA and 3,838 distinct token types moved in total. A single shared fee-funder address supplied approximately 7 ADA across 406 transactions during both waves, providing on-chain evidence that both attack groups shared common operator infrastructure. Attacker infrastructure included a central hub wallet, a dormant ADA vault, and three collector stake addresses. SecondFi's own public disclosures cited the lower figure of 374 wallets and 16 million ADA (~$2.4 million) as confirmed losses, while blockchain security firm SlowMist estimated potential total exposure at over $20 million pending independent audit.","heading":"Attack Scope and On-Chain Forensics","severity":"critical","sources":[{"credibility":2,"name":"How an Attacker Drained a Cardano Wallet's Users of More Than 129 Million ADA — Bitquery","type":"on_chain","url":"https://bitquery.io/investigations/cardano-secondfi-129m-drain"},{"credibility":2,"name":"SecondFi Exploit Drains 374 Cardano Wallets, Over 16 Million ADA Stolen — Blockonomi","type":"news_article","url":"https://blockonomi.com/secondfi-exploit-drains-374-cardano-wallets-over-16-million-ada-stolen-in-coordinated-attack/"},{"credibility":2,"name":"SecondFi Wallet Exploit Losses Could Top $20 Million, Security Firm SlowMist Warns — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1168860"},{"credibility":2,"name":"Cardano Project SecondFi Hit by Major Exploit, Losses Could Top $20 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/secondfi-exploit-cardano-losses-20-million/"}]},{"content":"SecondFi disclosed the vulnerability on June 23, 2026, placing the platform in maintenance mode and suspending all front-end activity. The company stated it isolated the root cause, patched all unaffected wallets, and triggered emergency containment measures prior to attackers reaching a further tranche of user funds. SecondFi reported routing approximately 129 million ADA to an independent third-party custodian as a pre-emptive rescue measure, pending verification and return to affected users. An external accounting firm was engaged to verify custodied holdings. SecondFi also commissioned an independent code-level security audit from external blockchain security firms and notified relevant law enforcement authorities. The platform stated it is 'pursuing every legal option available to recover stolen funds and hold the responsible parties accountable.' EMURGO subsequently published a formal incident update confirming that wallet address mapping of all 374 affected addresses had been completed, and committed to full reimbursement through a dedicated independently secured restoration fund. As of the date of reporting, no specific compensation timeline, final audit results, or details of the restoration fund structure had been published.","heading":"Company Response and Emergency Containment","severity":"high","sources":[{"credibility":2,"name":"SecondFi Cardano Wallet Hack Update: EMURGO Pays Back — CoinGabbar","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/secondfi-cardano-wallet-hack-update-recovery-and-investigation"},{"credibility":1,"name":"SecondFi Loses $2.4 Million in Cardano Wallet Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/06/24/secondfi-loses-usd2-4-million-in-cardano-wallet-exploit-with-up-to-usd20-million-at-risk"},{"credibility":2,"name":"Cardano Wallet Exploit: SecondFi Traces Attack to Private Key Flaw — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/cardano-wallet-exploit-secondfi-traces-attack-to-private-key-flaw-warns-users-not-to-restore-seed-phrases/"},{"credibility":2,"name":"EMURGO's Wallet Legacy Under Fire After SecondFi Drains 178 Accounts: Cardano in Crisis? — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1170094"}]},{"content":"A critical and unusual aspect of the SecondFi exploit is that affected users cannot self-rescue by importing their seed phrase into another wallet. Because the vulnerability existed at the private key derivation level — not the seed phrase level — the compromised private keys associated with affected addresses remain permanently exposed regardless of which application a user employs to access the same seed. SecondFi explicitly warned that 'compromised keys remain exposed even if users import the same recovery phrase into another Cardano wallet,' and advised users to avoid independently transferring funds, withdrawing staking rewards, or attempting seed phrase migrations until official recovery instructions were issued, as such actions could trigger additional automated attacker responses via mempool monitoring. Affected users were directed to submit claims through SecondFi's official support channel. Secondary threats including scammers impersonating SecondFi support staff and distributing fake recovery tools were also documented by security researchers during the incident period.","heading":"User Risk: Seed Phrase Migration Warning","severity":"critical","sources":[{"credibility":2,"name":"SecondFi Exploit Drains Over $20M From Cardano Users — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/secondfi-exploit-drains-cardano-users/"},{"credibility":2,"name":"Cardano Wallet Exploit: SecondFi Traces Attack to Private Key Flaw — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/cardano-wallet-exploit-secondfi-traces-attack-to-private-key-flaw-warns-users-not-to-restore-seed-phrases/"},{"credibility":2,"name":"SecondFi Security Breach Triggers Urgent Asset Migration — Castle Crypto","type":"news_article","url":"https://castlecrypto.gg/news/secondfi-security-breach-triggers-urgent-asset-migration-for-cardano-users/"}]},{"content":"SecondFi, as the successor to Yoroi Wallet, was Cardano's largest wallet provider by user count at the time of the exploit, with a stated user base exceeding one million. The incident raised broader questions about the security of application-layer key generation within the Cardano ecosystem and EMURGO's responsibility as a founding entity. At the time of the incident, ADA was trading at approximately $0.15, near its lowest level since 2020, which reduced the USD value of stolen funds relative to the ADA quantity involved. The Bitquery forensic report explicitly noted that the flaw was confined to SecondFi's software and 'not a flaw in Cardano itself,' a distinction repeated by multiple outlets. The incident nonetheless generated significant negative attention for Cardano's ecosystem reputation. Reports noted that the full scope of the compromise — whether using SecondFi's internal figure of 374 wallets or Bitquery's forensic count of 3,072 — remained unreconciled in public disclosures as of late June 2026.","heading":"Cardano Ecosystem Impact","severity":"high","sources":[{"credibility":2,"name":"SecondFi Hack Puts Up to 129M ADA at Risk: What It Means for Cardano — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/secondfi-hack-puts-129m-ada-103630024.html"},{"credibility":2,"name":"How an Attacker Drained a Cardano Wallet's Users of More Than 129 Million ADA — Bitquery","type":"on_chain","url":"https://bitquery.io/investigations/cardano-secondfi-129m-drain"},{"credibility":2,"name":"SecondFi Cardano Breach Exposes Major Wallet Vulnerability — Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/06/24/secondfi-cardano-breach/"}]},{"content":"As of late June 2026, several material questions remained unresolved. First, the discrepancy between SecondFi's official figure of 374 affected wallets and Bitquery's forensic count of 3,072 affected wallets had not been reconciled in any public statement. Second, no formal security audit with technical findings had been published. Third, while EMURGO committed to full reimbursement through a restoration fund, no timeline, fund size, or disbursement structure was disclosed. Fourth, the 4.02 million ADA identified in an attacker collection address remained unrecovered. Fifth, the full set of wallets that carried the nonce-derivation flaw — and may remain permanently vulnerable to future exploitation if they sign any transaction — had not been comprehensively enumerated in public disclosures. Users who interacted with SecondFi's native Cardano web wallet generation tool during the period the flawed code was active should be considered potentially at risk regardless of whether their funds were drained during the June 21-23 windows.","heading":"Unresolved Questions and Open Risk","severity":"high","sources":[{"credibility":1,"name":"SecondFi Loses $2.4 Million in Cardano Wallet Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/06/24/secondfi-loses-usd2-4-million-in-cardano-wallet-exploit-with-up-to-usd20-million-at-risk"},{"credibility":2,"name":"How an Attacker Drained a Cardano Wallet's Users of More Than 129 Million ADA — Bitquery","type":"on_chain","url":"https://bitquery.io/investigations/cardano-secondfi-129m-drain"},{"credibility":2,"name":"SecondFi Hack Puts Up to 129M ADA at Risk: What It Means for Cardano — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/secondfi-hack-puts-129m-ada-103630024.html"}]}],"sources_used":[{"credibility":1,"name":"SecondFi Loses $2.4 Million in Cardano Wallet Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/06/24/secondfi-loses-usd2-4-million-in-cardano-wallet-exploit-with-up-to-usd20-million-at-risk"},{"credibility":2,"name":"How an Attacker Drained a Cardano Wallet's Users of More Than 129 Million ADA — Bitquery","type":"on_chain","url":"https://bitquery.io/investigations/cardano-secondfi-129m-drain"},{"credibility":1,"name":"Yoroi Wallet Is Evolving Into SecondFi: What You Need to Know — EMURGO","type":"official","url":"https://www.emurgo.io/press-news/yoroi-wallet-is-evolving-into-secondfi-what-you-need-to-know/"},{"credibility":1,"name":"Yoroi Wallet Is Evolving Into SecondFi — Cardano.org","type":"official","url":"https://cardano.org/news/2026-04-22-yoroi-wallet-is-evolving-into-secondfi/"},{"credibility":2,"name":"SecondFi Exploit Drains Over $20M From Cardano Users — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/secondfi-exploit-drains-cardano-users/"},{"credibility":2,"name":"SecondFi Wallet Vulnerability Drains $2.4M in Cardano Assets From 178 Users — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/secondfi-wallet-vulnerability-cardano-drain/"},{"credibility":2,"name":"Cardano Wallet Exploit: SecondFi Traces Attack to Private Key Flaw — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/cardano-wallet-exploit-secondfi-traces-attack-to-private-key-flaw-warns-users-not-to-restore-seed-phrases/"},{"credibility":2,"name":"SecondFi Reveals Private Key Flaw Behind Cardano Wallet Exploit — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/secondfi-reveals-private-key-flaw-behind-cardano-wallet-exploit-issues-urgent-warning/"},{"credibility":2,"name":"Cardano Project SecondFi Hit by Major Exploit, Losses Could Top $20 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/secondfi-exploit-cardano-losses-20-million/"},{"credibility":2,"name":"SecondFi Exploit Drains 374 Cardano Wallets — Blockonomi","type":"news_article","url":"https://blockonomi.com/secondfi-exploit-drains-374-cardano-wallets-over-16-million-ada-stolen-in-coordinated-attack/"},{"credibility":2,"name":"SecondFi Hack Puts Up to 129M ADA at Risk — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/secondfi-hack-puts-129m-ada-103630024.html"},{"credibility":2,"name":"SecondFi Cardano Wallet Hack Update: EMURGO Pays Back — CoinGabbar","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/secondfi-cardano-wallet-hack-update-recovery-and-investigation"},{"credibility":2,"name":"EMURGO's Wallet Legacy Under Fire After SecondFi Drains 178 Accounts — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1170094"},{"credibility":2,"name":"SecondFi Wallet Exploit Losses Could Top $20 Million, SlowMist Warns — MEXC News","type":"news_article","url":"https://www.mexc.com/news/1168860"},{"credibility":2,"name":"SecondFi Cardano Breach Exposes Major Wallet Vulnerability — Cryptonomist","type":"news_article","url":"https://en.cryptonomist.ch/2026/06/24/secondfi-cardano-breach/"},{"credibility":2,"name":"SecondFi Security Breach Triggers Urgent Asset Migration — Castle Crypto","type":"news_article","url":"https://castlecrypto.gg/news/secondfi-security-breach-triggers-urgent-asset-migration-for-cardano-users/"}],"summary":"SecondFi is a Cardano self-custody wallet and neofinance platform operated by EMURGO, rebranded from Yoroi Wallet in April 2026. Between June 21 and 23, 2026, attackers exploited a deterministic nonce-derivation flaw in the platform's wallet generation software, draining approximately 16 million ADA (~$2.4 million) from 374 user wallets. Up to 129 million ADA across 3,072 wallets was placed at risk, with blockchain security firm SlowMist estimating total exposure could exceed $20 million; EMURGO has committed to full user reimbursement through an independently secured restoration fund, though no timeline or audit has been published.","timeline":[{"date":"2026-04-22","event":"EMURGO announces Yoroi Wallet is rebranding to SecondFi at Money20/20 Bangkok, expanding into a self-custody neofinance platform with multichain support and global card payments.","source":"EMURGO official press release","source_url":"https://www.emurgo.io/press-news/yoroi-wallet-is-evolving-into-secondfi-what-you-need-to-know/"},{"date":"2026-06-21","event":"First wave of automated wallet-draining begins at approximately 8:29 PM UTC. Three collector wallets activate simultaneously, draining approximately 12 million ADA from 198 wallets. Stolen tokens are liquidated through Minswap DEX.","source":"Bitquery on-chain forensic investigation","source_url":"https://bitquery.io/investigations/cardano-secondfi-129m-drain"},{"date":"2026-06-22","event":"Attacker A conducts a second wave targeting additional SecondFi wallets. Suspicious transaction activity concentrated on June 21-22 per user reports.","source":"Yahoo Finance / 99Bitcoins","source_url":"https://finance.yahoo.com/markets/crypto/articles/secondfi-hack-puts-129m-ada-103630024.html"},{"date":"2026-06-23","event":"Attacker B independently executes a third campaign compromising 203 additional wallets. SecondFi discloses the vulnerability, suspends all platform services, and enters maintenance mode. A second attacker's hub wallet sweeps approximately 135 million ADA from 2,874 wallets, transferring 129,430,001 ADA to a dormant vault in seven transactions. SecondFi triggers emergency containment, routing approximately 129 million ADA to an independent third-party custodian before further exploitation.","source":"Bitquery on-chain forensic investigation; Crypto Briefing","source_url":"https://bitquery.io/investigations/cardano-secondfi-129m-drain"},{"date":"2026-06-24","event":"SecondFi and EMURGO publish public disclosures. CoinDesk, BeInCrypto, and multiple crypto news outlets report confirmed losses of approximately 16 million ADA (~$2.4 million) from 374 wallets. SlowMist founder Yu Xian states total exposure including rescued funds may exceed $20 million. SecondFi warns users not to attempt seed phrase migration.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/06/24/secondfi-loses-usd2-4-million-in-cardano-wallet-exploit-with-up-to-usd20-million-at-risk"},{"date":"2026-06-25","event":"SecondFi publishes an investigation update. EMURGO commits to full reimbursement for all affected users through a dedicated independently secured restoration fund. Wallet address mapping of 374 affected addresses is stated as complete. Authorities notified; legal action against responsible parties announced.","source":"AMBCrypto; CoinGabbar","source_url":"https://ambcrypto.com/cardano-wallet-exploit-secondfi-traces-attack-to-private-key-flaw-warns-users-not-to-restore-seed-phrases/"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision cc1adc28-8dfe-4e63-9aa2-3878929f8f2f
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.