- SecondFi traced two attackers responsible for draining 374 Cardano wallets in three attack waves.
- A flagged wallet linked to the exploit still holds over 4 million ADA under active monitoring.
- The company secured 129 million ADA and launched audits to support recovery efforts.
Cardano wallet provider SecondFi has identified two attackers connected to a major security breach that drained approximately 16 million ADA from user wallets. The company disclosed new findings after a forensic investigation traced the exploit to coordinated automated attacks that affected hundreds of wallets between June 21 and June 23, 2026. Recovery efforts remain underway as investigators monitor stolen funds and strengthen platform security.
Investigation Reveals Two Coordinated Attackers
SecondFi confirmed that the attack unfolded in three separate waves and impacted 374 wallet addresses. According to the company’s findings, the attackers exploited a vulnerability related to wallet generation and private key creation, allowing them to gain unauthorized access to user funds.
The investigation identified two distinct attackers responsible for the theft. Attacker A carried out the first two waves of the exploit and successfully drained 171 wallets through automated operations. Meanwhile, Attacker B executed a third attack wave and compromised an additional 203 wallets using a similar method.
To increase transparency, SecondFi publicly disclosed wallet addresses and stake keys associated with both attackers. The company stated that publishing this information will assist ecosystem participants, investigators, and law enforcement agencies tracking the stolen assets.
— EMURGO (@emurgo_io) June 25, 2026
One wallet linked to Attacker B reportedly still contains approximately 4.02 million ADA. That address has been flagged and remains under active on-chain monitoring as investigators continue tracing fund movements.
The breach resulted in losses estimated at roughly $2.4 million based on current valuations. However, SecondFi emphasized that the attack was limited to affected wallets and did not compromise the broader Cardano network infrastructure.
Recovery Efforts Continue as Security Measures Expand
Following the discovery of the exploit, SecondFi activated emergency response procedures and moved its platform into maintenance mode. The company stated that engineers isolated the attack vector, deployed patches, and began working with independent cybersecurity firms to conduct comprehensive security reviews.
In addition, SecondFi reported securing approximately 129 million ADA through emergency containment measures. These assets were transferred to protected custody arrangements before attackers could gain access, significantly reducing the overall impact of the incident.
The company has established a dedicated restoration fund to support reimbursement efforts for affected users. Verification procedures are being prepared to ensure assets are returned securely and accurately.
SecondFi also warned users not to restore or migrate compromised wallets independently. According to the company, affected addresses should be considered permanently compromised due to the nature of the vulnerability.
Looking ahead, SecondFi plans to resume normal operations only after completing external audits and security assessments. The firm is also cooperating with authorities and industry partners to recover stolen funds and pursue those responsible for the attack.
Leave a Reply
You must be logged in to post a comment.