A critical security flaw in SecondFi, the Cardano wallet formerly known as Yoroi, has led to the theft of millions in crypto assets. The platform disclosed the exploit on June 23, immediately suspending all services and urging users to migrate their funds to new wallets. Blockchain security firm SlowMist estimates total potential losses could exceed $20 million, encompassing up to 129 million ADA.
How the exploit unfolded
The vulnerability lies in SecondFi's web wallet generation software, which allowed unauthorized access to private keys. Approximately 178 wallets were directly affected, with confirmed losses of around 16 million ADA (roughly $2.4 million) plus additional tokens and NFTs. However, SlowMist's assessment suggests many compromised wallets have not yet been drained but remain at risk, widening the potential damage. SecondFi has frozen user balances and entered maintenance mode, warning that any wallet generated through its compromised software may be vulnerable.
From Yoroi to SecondFi: a rebrand with baggage
SecondFi rebranded from Yoroi in April 2026. Yoroi was one of the most widely used light wallets in the Cardano ecosystem, developed by Emurgo, one of the three founding entities behind Cardano. The wallet was a staple for ADA holders seeking a lightweight self-custody solution. To compound the crisis, security researchers have flagged secondary scams targeting affected users, with scammers impersonating SecondFi support channels and offering fake recovery tools.
Implications for Cardano holders
For ADA holders, the immediate action is clear: anyone who used SecondFi or Yoroi's web wallet should generate new keys using a different provider and transfer their funds. No compensation timeline or detailed audit results have been released. A key question is whether Emurgo, SecondFi's parent organization and a Cardano founding entity, will step in to make affected users whole. The organization's response will signal how the Cardano ecosystem handles accountability when its own infrastructure fails.