SecondFi Is Shutting Down: Official EMURGO Recovery Update

EMURGO has shared a new update on the SecondFi security incident, including the patched vulnerability, wallet status checks, recovery work, hardware wallet migration paths, and confirmation that SecondFi will not resume normal operations.

In this video I break down what has been confirmed so far, what users should watch for next, and why official-channel verification and safer wallet migration matter right now.

Key points covered:

  • EMURGO says the identified vulnerability has been patched while further reviews continue.
  • Fund recovery and asset protection remain the immediate priorities.
  • A quarantine/status-check process is expected to help users verify whether their wallets were affected.
  • SecondFi is effectively ending in its current form.
  • Hardware wallet migration is now the practical path for users who want stronger custody hygiene.

Watch the update:

Official reference:

5 Likes

It’s genuinely sad to hear that a platform within the Cardano ecosystem is shutting down.
Since Yoroi was my very first wallet, I’ll certainly miss it. That said, I agree that security patches and asset recovery must be the top priority right now. I truly hope that all the affected community members can get their funds and assets back as soon as possible.

3 Likes

On the other hand I wanted to move to Lace anyways, the event just accelerated the change. NIGHT thawing was the only reason to stay with Yoroi.

1 Like

It is important now that the impact is better published and users of Yoroi get information about what they should do. E.g., on reddit there are lots of people confused by the messaging and going into a “distrust everything” mode.

What I still miss, is some information since when the vulnerability existed; from the very beginning or at some later point in time. That’s very important for long time users of Yoroi; they need to know if they are vulnerable or not.

There are different ways to secure your money; a checklist and given procedures would help. Even for people without HW wallet.

Same, I used Yoroi and did countless video tutorials on how to use the wallet in the early days. Sad times indeed.

1 Like

Vulnerability same about with the switch over to SecondFi.

A library was included which was experimental at best which lead to the hack being possible.

Users that interacted on SecondFi between the launch and the lock down could have been compromised.

Exposure only happens once you do a transaction.

All wallets, newly created and restored ones in the app are impacted.

16M funds were initally taken by the hacker.
129M by a white hat hacker.

It’s a process to identify who owns what and what assets go to which new wallets.

Hence they’re trying to get people to stick with secondfi/yoroi to funnel them through the recovery process.

16M is being put up by Emurgo, from what I understand, and the white hat hacker has the ability to send all the other funds back to users too.

I’m also somehow missing much more information about what happened when.

They still claim that only 16 million ADA were affected.


But I can see at least three addresses/accounts of the original attacker on 21st June:

https://adastat.net/accounts/52838a79eea0044f271721cd0fe5bbace5f97951a7195439336497c5: stake1u9fg8znea6sqgne8zusu6rl9hwkwt7te2xn3j4pexdjf03g4kw9uq/addr1q9j7f598x988unr4zhjulft205jqnn9ewgwkhes5smf2sr6jsw98nm4qq38jw9epe587twavuhuhj5d8r92rjvmyjlzs9lqc3x
https://adastat.net/accounts/1dde43d25831dd355bcdb5107d4718cd82a5a6c48e660e11dd2ab60c: 1dde43d25831dd355bcdb5107d4718cd82a5a6c48e660e11dd2ab60c/addr1q82jlp2u0ezv2hsf6f40fkrv49hd72yv442nmrr5qeultpqamepaykp3m564hnd4zp75wxxds2j6d3ywvc8prhf2kcxqn6nql3
https://adastat.net/accounts/8bd0c0f7889c00b3c77a856200b6d88f410d30195e99c15b6afe292f: stake1ux9aps8h3zwqpv7802zkyq9kmz85zrfsr90fns2mdtlzjtcm7jj8p/addr1q9wudkfeelzwev427yvapkmqexmet8q4vl303m7a4eerwtvt6rq00zyuqzeuw759vgqtdky0gyxnqx27n8q4k6h79yhsqelma8

All three became active in the exact same block at 2026-06-21 20:29:41 UTC, all three show the same pattern of emptying victim addresses, exchanging ADA for USDCx, and finally funneling those USDCx out.

As far as I can see, more than 16 million ADA went through these three addresses.


Then, there is this address/account:

https://adastat.net/accounts/15379180b22573b8397a7e576cead9af6a36cf2902ac8aa4b2f35161: stake1uy2n0yvqkgjh8wpe0fl9wm82mxhk5dk09yp2ez4ykte4zcgg2e9m5/addr1q8g8cgwqw98q2mrzrwgcy3wectdxwem8a8zp9r2mn6wjy7q4x7gcpv39wwurj7n72akw4kd0dgmv72gz4j92fvhn29ss7vuz99

First used 2026-06-22 17:34:04 UTC, around 130 million ADA were transferred through this one. Most plausible is that this is the one where Emurgo claims that they “rescued” user funds.

Interesting is that they then have to have known pretty exactly what the problem was already at that time, 12 hours before they posted this:

And it wouldn’t make much sense why they would give a different reason (web wallet generation) a couple of hours later then:


Finally, there is also this address which seems to have drained some vulnerable addresses, but never moved the 4 million ADA further:

https://adastat.net/accounts/2391d456761f8f76bc3a1743273d755468cf47ad2ed03b2aa9ed5405: stake1uy3er4zkwc0c7a4u8gt5xfeaw42x3n6845hdqwe248k4gpgdq4da5/addr1q8m5wdncq7rwum73r5cyyr82qx2xjem5k4ehapl3wy36aaerj829vasl3amtcwshgvnn6a25dr850tfw6qaj420d2szsslkku6

Only used from 2026-06-23 05:20:53 UTC until 2026-06-23 06:53:23 UTC. Maybe a copycat?

I’m not sure if this is good news or bad news, but it’s going to be quite difficult for SecondFi to rebuild trust in the community after that incident

2 Likes

There are many copycats now.

Security experts revealed how the hack was done and people vibe coded a copy cat hack.

I believe they’re allowing for the snapshot from the time they closed their app and put it in maintenance mode. Any funds after that were not done via SecondFi. May have been caused by if but users moving to another wallet would have exposed them at that point.

I suspect that is the reason why they capped it at 16M.

The other 129M is from the white hat hacker that worked out how it was being done and ‘saved’ the rest before the hacker could get more.

Watch out for the email scams too, thats draining people as well. That wouldn’t be covered with the recovery process.

I think it would be impossible, hence they’re shutting it all down.

Sad, they have been on Cardano with Yoroi from the beginning.

I heard that Levvy is shutting down too

Yeh, at least it’s not because of hacks or vulnerabilities. Due to better competition and products from Surf, FluidTokens and Liqwid. Better platforms and better returns attract users.