SecondFi Traces Cardano Exploit to Address Flaw
SecondFi has traced a Cardano wallet exploit to an address-level flaw in its native web wallet generation software, after attackers drained about 16 million ADA from hundreds of addresses.
The wallet operator said it patched unaffected wallets and moved about 129 million ADA to a third-party custodian while it prepares a claims process for users.
Attackers Drained 16M ADA From 374 Addresses
SecondFi said four draining events occurred during the incident. Three were carried out by external threat actors and caused losses of about 16 million ADA across 374 addresses.
That puts the confirmed external loss near $2.4 million, based on an ADA price around $0.15. On-chain investigators have pointed to a larger risk pool, with estimates above 129 million ADA when rescued and exposed funds are included.
Technical Review Will Set Final Impact
SecondFi has not released a full post-mortem. The company said an independent technical review is being finalized to validate its findings and define the final impact.
Until that review is complete, the confirmed external loss remains about 16 million ADA, while the broader exposure includes funds rescued during the incident.
Seed Phrase Recovery Will Not Remove Risk
SecondFi said the issue sits at the address level, not in Cardano’s base protocol. The risk appears when an affected user signs a transaction. The company warned users not to restore the same recovery phrase into another Cardano wallet.
Moving the phrase to new software would still leave the same address exposed. That guidance matters because the suspected flaw sits in wallet generation, not in phishing or a compromised front end.
Claims Process Replaces Wallet Recovery
Users with affected addresses are being told to follow SecondFi’s claims process rather than trying to recover funds through another app. For users, the distinction changes the recovery path.
Restoring the same seed phrase may recreate access to the same exposed address instead of removing the underlying risk. SecondFi said it will provide further instructions as the review and custody process move forward.
129M ADA Routed to Custodian
SecondFi said it triggered emergency rescue measures during the active exploit and secured about 129 million ADA that remained available.
Those funds are being routed to an independent, qualified third-party custodian for affected wallet addresses. The company said it has engaged an external accounting firm to verify the holdings before users can claim assets.
Cardano Protocol Was Not the Entry Point
SecondFi said the issue was not in Cardano’s base protocol and pointed instead to its wallet generation flow. That puts attention on wallet infrastructure in the Cardano ecosystem because the suspected weak point came from software used to create and secure user addresses.
The platform also placed affected functions in maintenance mode while its engineering team works to restore normal operations. Unaffected wallets have received a patch, but SecondFi said users should follow official guidance while the review continues.
The next step is the audit and claims process. Until SecondFi publishes a final post-mortem, the confirmed impact remains 16 million ADA lost to external attackers, with a far larger amount held for possible return.