SecondFi, the Cardano wallet formerly known as Yoroi, says it has patched a major exploit that drained approximately 16 million ADA, worth approximately $2.4 million, from 374 user wallets in three separate attacks.
The root cause was a flaw in SecondFi’s proprietary wallet generation software. The vulnerability is at the address level, meaning that simply moving a seed phrase to another wallet offers no protection. “The security risk occurs when an affected user signs a transaction,” the team at X said.
Before the attackers could reach another 129 million ADA, SecondFi said it activated emergency ransom measures and sent the funds to an independent third-party custodian. A third-party accounting firm has been hired to verify those holdings, and affected users can file complaints with SecondFi.
Blockchain security firm SlowMist estimates that total losses could exceed $20 million when taking into account the full range of compromised wallets and tokens, a figure that remains unconfirmed pending an independent audit.
Cardano founder Charles Hoskinson acknowledged the incident but noted that the dollar amount was modest compared to other cryptocurrency hacks, although he emphasized that it offered little comfort to those affected. “It hurts them every time they lose something,” he said. “This is the unfortunate reality of cryptocurrencies.”
ADA is currently trading around $0.15, its lowest level since 2020.
