SecondFi, a Cardano wallet platform, suffered a major breach on Tuesday which jeopardized the safety of over $20 million. SecondFi, in an update shared on Wednesday, admitted that the over $2 million have definitely been stolen in the form of 16 million ADA tokens. However, the stakes were much higher. Atleast 129 million ADA tokens estimated to be almost $20 million were at risk in the duration of this attack.
A vulnerability in its proprietary wallet generation software was exploited as an entry point into SecondFi’s ecosystem, the platform said basis the internally conducted preliminary investigation.
Detailing the incident SecondFi said that three draining events were executed by external threat actors, resulting in a loss of 16 million ADA across 374 addresses. At the time of writing, Cardano was trading at $0.15 bringing the valuation of 16 million ADA to $2.4 million.
“To prevent total loss during the active exploit, emergency rescue measures were triggered to secure the available ~129m ADA and continues to be routed to an independent, qualified third-party custodian, where they are held securely for the benefit of the affected wallet addresses,” the protocol said ensuring that over $20 million worth of risked tokens have been secured.
Cardano-based Yoroi Wallet, which was originally created by EMURGO in 2018, was rebranded as SecondFi in April this year. It went from being a single-chain light Cardano wallet to a full-scale neo-finance app. EMURGO is the official commercial arm and a founding co-entity of the Cardano blockchain. This shows that the exploited platform has strong, deep roots into the Cardano ecosystem which subsequently means that the attackers managed to hit the network in a rather audacious attempt.
Users who suffered losses under the incident have been asked to submit their claims at a dedicated SecondFi portal. Upon verification of the victims the platform said all assets should be returned to the affected users.
“We are working to facilitate the verification process so users can claim back their assets safely,” the platform noted.
This incident comes just a day after Ethereum-based L2 blockchain Taiko was exploited for $1.7 million. Last week, the Axelar Network was exploited for $4.6 million and the Aztec Network was breached twice leading to losses exceeding $2 million.
Multiple research reports claim that over $840 million have already been stolen from the DeFi ecosystem within the first six months of 2026 — raising serious questions over the present state of security on these ecosystems.
