We aim to provide the latest update on our investigation into the exploit
As mentioned in our previous post, between June 21–23, 2026, a sophisticated, automated attack drained funds from multiple Cardano wallets. We now have identified and isolated the addresses of 2 attackers.
We are sharing them below with the community, for full transparency.
Attacker A (Waves 1 & 2)
Drained 171 wallets across two automated batches.
• Collection Wallet 1:
addr1q9j7f598x988unr4zhjulft205jqnn9ewgwkhes5smf2sr6jsw98nm4qq38jw9epe587twavuhuhj5d8r92rjvmyjlzs9lqc3x
• Collection Wallet 2:
addr1q9wudkfeelzwev427yvapkmqexmet8q4vl303m7a4eerwtvt6rq00zyuqzeuw759vgqtdky0gyxnqx27n8q4k6h79yhsqelma8
• Collection Wallet 3:
addr1q82jlp2u0ezv2hsf6f40fkrv49hd72yv442nmrr5qeultpqamepaykp3m564hnd4zp75wxxds2j6d3ywvc8prhf2kcxqn6nql3
• Central Fee/Change Address:
addr1q8acx4h5a38x6ekpsp0x7aelw6mflt78khmz8lz75rtnqvn07w88zx2e89tgzqr3x0mecngqlg87kq9surhk48hj79mqcezfa8
• Attacker Stake Key:
Stake1u9hl8rn3r9vnj45pqpcn8auuf5q05rltqzcwpmm2nme0zasf40ymg
Attacker B (Wave 3)
Drained 203 wallets in a separate automated sweep.
• Collection Wallet (⚠️ 4,020,468 ADA linked to the exploit remains in this address, which has been flagged and is under active monitoring and investigation):
•addr1q8m5wdncq7rwum73r5cyyr82qx2xjem5k4ehapl3wy36aaerj829vasl3amtcwshgvnn6a25dr850tfw6qaj420d2szsslkku6
• Attacker Stake Key:
stake1uy3er4zkwc0c7a4u8gt5xfeaw42x3n6845hdqwe248k4gpgdq4da5
Your Options for Securing Assets, and What’s Next
We recognize that some users may not have completed all steps in the Hardware Wallet Guidance posted in our knowledge base. If you are not technically proficient, we recommend waiting for the secure wallet export functionality, which is currently intended to launch next week.
Here is an update on upcoming options:
• This week: Quarantine mode
We will enable quarantine mode, which will let users check whether a wallet address appears in preliminary incident-related data and submit a support ticket with the relevant wallet address.
• Next week: Secure wallet export functionality
We intend to deploy secure wallet export as the next phase of quarantine mode. This is intended to provide a safer way for users of varying experience levels to move assets to a new wallet.
• On potential asset recovery
As stated previously, we intend to support a process relating to potential asset recovery for users whose wallets are confirmed through the applicable process. Any such process remains subject to further investigation, verification, eligibility criteria, applicable terms and conditions, and technical implementation.
It is currently expected to involve a recovery tool using zero-knowledge proofs, initiated by users through a portal, designed to help users remain in control of the process while protecting their information.
Again, if you are not technically proficient, we recommend waiting for these options to go live. For now, you may submit a ticket at https://t.co/bKfl8SK9D2.
We will continue sharing updates as progress is made.
⚠️ SecondFi Is Currently in Quarantine Mode
SecondFi is running in quarantine mode. It's the same application, but transactions are disabled. You can view your balance and wallet address only, you cannot send, swap, or move funds.
A screenshot is below so you know what to expect.
Please protect yourself from scams. Only download SecondFi from our official link: https://t.co/hkFtUebtxo
Do not accept download links from anyone else, including emails, messages claiming to be from SecondFi.
Chrome extension is live, app store is pending store approval.
Security Alert: Fake SecondFi Extensions and Apps
We've seen scammers create fake SecondFi browser extensions and apps. Please read this before you install anything or click any link claiming to be from us. There is no new application or link, it is the same.
Do not accept links from anyone, including people claiming to be SecondFi team members, support, or partners. We will not DM or email you links to download software, sign a transaction, or take any action with your assets. If you receive a message like that, it's a scam. Do not click it.
The only official SecondFi extension is "searchable" in the Chrome Web Store. If you see any other extension using the SecondFi name or branding, it's fake.
Check for the verified blue checkmark. Our official extension listing carries a blue verified check, shown in the screenshots below. If the listing you're looking at doesn't have it, do not install it.
Scammers can and do clone extensions and apps to steal funds. When in doubt, go directly to https://t.co/C5s1yFPlq1 and verify links yourself rather than trusting anything sent to you.
Please check carefully that you are using the correct application
SecondFi / Yoroi Wallet Guidance Sessions in Tokyo and Osaka
We are hosting dedicated in-person guidance sessions during for SecondFi and Yoroi Wallet users affected by the security incident.
Each session will include:
- A SecondFi / Yoroi update from our CEO
- A live Q&A with our specialists
- Migration guidance slides
Our team will answer your questions and walk you through best practices for securing your wallet, or safely migrating it using the secure wallet export functionality, which will be released soon.
Please note the guidance slides are informative only. We will not conduct 1:1 or hands-on wallet troubleshooting.
EVENT DETAILS:
📍 Tokyo: Melody Line Hall, 1F, WebX Venue
(The Prince Park Tower Tokyo, Minato City)
📅 Tuesday, 14 July 2026, 12:00 to 18:45 JST
Register here: https://t.co/wUwmLIEZbi
📍 Osaka: TKP Garden City Umeda Osaka
📅 Saturday, 18 July 2026, 12:00 to 17:45 JST
Register here: https://t.co/tpTZ5ZuHHY
Sessions are held in English and Japanese. Registration via Luma is required for both, and support is first-come, first-served.
Recovery Fund Address
Our commitment remains unequivocal: to support the return of assets to all affected wallet holders from the 4 distinct wallet draining events which we intend to return in their in their original form. Three of these events were executed by external threat actors resulting in a loss of ~16M ADA.
To return these assets to the victims of the attack, EMURGO has set up a recovery fund address. You can find it here:
addr1qyvvn9e9ulvzw2nvgkwraxwrla4a28l7gmduk7jru2rw9kdxkls8aczwgg8u44nj87uaq50rgcjulcxtzv9q8j0g2lss9kv2ss
Assets secured through our emergency rescue response, including those from the fourth event, are currently protected and accessible. These will form part of the recovery effort to return assets to affected users.
Important Security Reminder
SecondFi will NEVER request private keys, recovery phrases, or wallet credentials, and we will never DM you first.
Do not trust any checker, link, or account outside our official channels:
▪️ X accounts: @secondfiapp and @secondfi_jp
▪️ Support portal: https://t.co/bKfl8SK9D2
▪️ Asset recovery wallet checker: https://t.co/EGLOj6iKDl
The Asset Recovery Wallet Checker is now live.
You can now verify whether your wallet was affected by the incident.
The official checker is live at https://t.co/EGLOj6iKDl.
This is the only official checker. It is hosted on our https://t.co/C5s1yFPlq1 domain and shared only through @secondfiapp and @secondfi_jp.
- It will NEVER ask you to sign a transaction.
- Any tool that asks you to sign is not ours and should be treated as fraudulent.
This is phase one. In phase two, the checker will show whether your wallet has been affected, alongside an air-gapped transfer option to move assets securely.
Important Security Reminder
SecondFi will NEVER request private keys, recovery phrases, or wallet credentials, and we will never DM you first.
Do not trust any checker, link, or account outside our official channels:
▪️ X accounts: @secondfiapp and @secondfi_jp
▪️ Support portal: https://t.co/bKfl8SK9D2
▪️ Asset recovery wallet checker: https://t.co/EGLOj6iKDl
Please be vigilant. This is a scam.
SecondFi has NOT released a desktop app or any downloadable recovery software. Do not download anything claiming to be SecondFi. Do not "reclaim" assets through any app or link sent by email.
Important Security Reminder:
SecondFi will NEVER request private keys, seed phrases, wallet credentials, or request asset transfers under any circumstances.
These are the ONLY OFFICIAL SecondFi channels:
▪️ X accounts @secondfiapp and @secondfi_jp
▪️ Support portal: https://t.co/bKfl8SK9D2
We will never DM you first. Any message instructing you to move assets or submit wallet information outside of our verified official channels should be treated as fraudulent.
⚠️ IMPORTANT SECURITY REMINDER
These are the ONLY OFFICIAL SecondFi channels:
▪️ X accounts @secondfiapp and @secondfi_jp
▪️ Support portal: https://t.co/bKfl8SJBNu
We will never DM you first or ask for your recovery phrase.
Any other account is a scam account.
If you come across a fake account or suspicious message, please report it to X. The screenshots below show known impersonator accounts to watch for.
Stay alert, and only trust updates from our official channels.
🛡 Recovery Process Update
Today, we want to share an update across three areas:
⚙️ Returning user assets
⚙️ Moving user assets safely
⚙️ Onchain recovery
1. Returning User Assets
- Drained by the attackers: @emurgo_io has funded an Asset Recovery Wallet specifically to return assets to users whose wallets were compromised in the attack.
- Secured through our emergency rescue response: These assets are currently protected and accessible. We are in discussion with @IntersectMBO on the appropriate custody mechanism to ensure they are held securely and returned to users.
2. Moving Your Assets
Our initial guidance was to stay put which was a deliberate step while we worked to fully understand the attack vector and avoid exposing users to further risk. Following active discussions with the Intersect Security Council, should you decide to move your assets, we recommend creating a new wallet using a hardware wallet only. A hardware wallet is the most secure option available.
Important: However, users should NOT delete the SecondFi app under any circumstances. We strongly advise users to retain BOTH the app and their seed phrase, as they will be required to support the asset recovery process currently underway.
3. Onchain Recovery
Our team is actively progressing an on-chain recovery solution designed to support the secure return of user assets. Extensive technical assessment has identified this as the most secure and efficient recovery pathway currently available.
We are now working closely with a Cardano community-led task force to develop, validate and execute this solution securely.
This process is more complex than originally anticipated and may require additional time beyond our previously estimated 2-week timeline.
We will continue providing updates as progress continues.
Important Security Reminder:
SecondFi will NEVER request private keys, seed phrases, wallet credentials, or request asset transfers under any circumstances. We will never DM you first.
Any message instructing you to move assets or submit wallet information outside of our verified official channels should be treated as fraudulent. Our official channels are our verified SecondFi X account and https://t.co/bKfl8SK9D2.
For support, please submit a ticket only through our official support channel at: https://t.co/bKfl8SK9D2
Thank you for your continued trust as this work continues.
⚠️ Security Alert: Fake Support Emails and Websites
We are seeing fraudulent support emails and fake websites impersonating SecondFi to target affected users. Do not respond, do not click any links, and do not enter your details.
SecondFi does not provide support through Gmail or any personal email account, and our only official domain is https://t.co/C5s1yFPlq1. Always check the address carefully and do not trust links shared with you.
SecondFi will never email, DM, or message you first, and we will never ask for your private keys, recovery phrases, or wallet credentials.
Do not trust any checker, link, or account outside our official channels:
▪️ X accounts: @secondfiapp and @secondfi_jp
▪️ Support portal: https://t.co/bKfl8SK9D2
▪️ Asset recovery wallet checker: https://t.co/EGLOj6iKDl
Hardware Wallet Migration Guide
We have published a step-by-step guide to help users securely move their assets to a new hardware wallet, the most secure option for self-custody.
Before you start, keep these in mind:
- If you already use a hardware wallet, no action is required. Hardware wallet users were not affected by this incident.
- Do not delete the SecondFi app, and keep your seed phrase safe. Either one will be required to claim your assets through the recovery process.
- Stop using your existing wallet. Do not send, receive, sign, or stake from it.
The full step-by-step guide, including how to test with a small amount before moving your balance, is available here: https://t.co/B3RrzI83hx
Important Security Reminder
SecondFi will NEVER request private keys, seed phrases, wallet credentials, or request asset transfers under any circumstances. We will never DM you first.
Any message instructing you to move assets or submit wallet information outside of our verified official channels should be treated as fraudulent. Our official channels are @secondfiapp, @secondfi_jp, and https://t.co/bKfl8SK9D2.
For support, please submit a ticket only through our official support channel at: https://t.co/bKfl8SK9D2
🛡 Recovery Process Update
Your assets remain safe. Our team's full focus is on recovery. Here is where things stand today:
How do I check if my wallet is affected?
The asset recovery wallet checker is now live: https://t.co/EGLOj6iKDl
This is the only official checker, hosted on our https://t.co/C5s1yFPlq1 domain and shared only through @secondfiapp / @secondfi_jp. It is prepared on a best-efforts basis. It will never ask you to sign a transaction. Any tool that does is a scam.
This is phase one. In phase two, the checker will show whether your wallet has been affected, alongside an air-gapped transfer option to move assets securely.
I am not affected, what are my options?
If you wish to migrate, we recommend moving your assets to a newly created wallet using a hardware wallet only. We will release clear, step-by-step migration instructions to guide you through this.
I am affected, what do I do?
We are working on an onchain recovery tool. For now, submit a ticket at https://t.co/bKfl8SK9D2 and keep your app and seed phrase safe. Recovery instructions will only be released once the Intersect Security Council has completed its review.
How do I recover my assets?
Our teams are working with the smartest minds in Cardano, who have dropped everything to work on this incident, to develop an onchain claims portal. Which is now in preview mode and will be released soon.
Understanding what happened
Several auditors and independent experts are analysing onchain activity and validating our findings. Reports are coming, and we intend to share relevant reports once finalised. We cannot share findings before then, as doing so may cause further issues.
How do I make a claim?
If you want to make a claim, submit your ticket at https://t.co/bKfl8SK9D2.
Please remember:
DO
- Keep the SecondFi app installed
- Keep your seed phrase safe
- Use only https://t.co/EGLOj6iKDl to check your wallet
- Submit a ticket at https://t.co/bKfl8SK9D2
DON'T
- Delete the SecondFi app
- Share private keys, recovery phrases, or wallet credentials with anyone
- Trust any checker, link, or account outside our official channels
- Act on messages telling you to move assets or submit wallet information
SecondFi will NEVER request private keys, recovery phrases, or wallet credentials. No recovery actions requiring user participation have begun. @secondfiapp / @secondfi_jp remains the official channel for all updates.