EMURGO intends to begin returning funds to victims of the SecondFi hack within the next two weeks.
EMURGO CEO Phillip Pon announced that the company has developed a mechanism to return funds to users affected by the attack on the SecondFi wallet. Payouts are expected to launch in approximately two weeks. The exploit affected 374 addresses, from which about 16 million ADA were withdrawn.
Recovery Plan and Security Measures
This week, the team will focus on building the infrastructure for the return, and the following week will be dedicated to testing. SecondFi strongly recommends that users do not take any actions with their assets and follow only official instructions. It is particularly emphasized that the service never requests private keys, seed phrases, or access to wallets — this is a standard precaution against scammers who become active in the wake of such incidents.
Timeline of the Attack and Scale of Damage
According to SecondFi, between June 21 and 23, there were four episodes of unauthorized fund withdrawals. In three of them, external attackers stole approximately 16 million ADA (at the time worth about $2.4 million) from 374 wallets. During the fourth incident, the team urgently transferred about 129 million ADA to an independent custodian to isolate the assets from further attacks. Verification of these funds is currently being conducted by an external auditing firm.
Analysts identified two wallets linked to the attackers: one appears in 171 compromised addresses, the second in 203. About 4 million ADA related to the theft are located at a flagged assembly address and remain under surveillance. Law enforcement agencies have already been notified.
Technical Details of the Hack
An independent report from Tibane Labs offers an alternative version of the causes of the vulnerability. According to their analysis, the problem was not a nonce reuse but an Ed25519 signature error. The company claims that on June 8, an unaudited trantor SDK published on npm by an independent developer replaced the previously used verified EMURGO signing module. According to Tibane Labs' assessment, only one signed transaction was enough to recover the private key. EMURGO has not yet published a full technical post-mortem or given a public response to these findings.
Context and Expert Analysis
The SecondFi wallet (formerly known as Yoroi) has long been one of the key tools in the Cardano ecosystem, and EMURGO is one of the three founding organizations of the network. This incident occurs against the backdrop of alarming statistics: in the second quarter of 2026, the crypto industry set an anti-record for the number of hacks — 83 cases with total damages of $755.3 million.
My comment: The situation around SecondFi is a classic example of how even in mature ecosystems like Cardano, trust in fundamental tools can be undermined due to errors in the software supply chain. The fact that EMURGO has not yet provided a detailed technical analysis raises questions, especially in light of Tibane Labs' findings. Users should be extremely cautious: fund recovery is only the first step, and restoring trust will require full transparency from the developers.