SecondFi Dev

We aim to provide the latest update on our investigation into the exploit As mentioned in our previous post, between June 21–23, 2026, a sophisticated, automated attack drained funds from multiple Cardano wallets. We now have identified and isolated the addresses of 2 attackers. We are sharing them below with the community, for full transparency. Attacker A (Waves 1 & 2) Drained 171 wallets across two automated batches. • Collection Wallet 1: addr1q9j7f598x988unr4zhjulft205jqnn9ewgwkhes5smf2sr6jsw98nm4qq38jw9epe587twavuhuhj5d8r92rjvmyjlzs9lqc3x • Collection Wallet 2: addr1q9wudkfeelzwev427yvapkmqexmet8q4vl303m7a4eerwtvt6rq00zyuqzeuw759vgqtdky0gyxnqx27n8q4k6h79yhsqelma8 • Collection Wallet 3: addr1q82jlp2u0ezv2hsf6f40fkrv49hd72yv442nmrr5qeultpqamepaykp3m564hnd4zp75wxxds2j6d3ywvc8prhf2kcxqn6nql3 • Central Fee/Change Address: addr1q8acx4h5a38x6ekpsp0x7aelw6mflt78khmz8lz75rtnqvn07w88zx2e89tgzqr3x0mecngqlg87kq9surhk48hj79mqcezfa8 • Attacker Stake Key: Stake1u9hl8rn3r9vnj45pqpcn8auuf5q05rltqzcwpmm2nme0zasf40ymg Attacker B (Wave 3) Drained 203 wallets in a separate automated sweep. • Collection Wallet (⚠️ 4,020,468 ADA linked to the exploit remains in this address, which has been flagged and is under active monitoring and investigation): •addr1q8m5wdncq7rwum73r5cyyr82qx2xjem5k4ehapl3wy36aaerj829vasl3amtcwshgvnn6a25dr850tfw6qaj420d2szsslkku6 • Attacker Stake Key: stake1uy3er4zkwc0c7a4u8gt5xfeaw42x3n6845hdqwe248k4gpgdq4da5

Important Security Update. As stated, we have identified the root cause of the incident. It is at the address level. The affected software signer used a deterministic nonce derivation flaw. Every time an address signed a transaction, it leaked enough information to mathematically reconstruct that address's private key from public blockchain data alone. If you were affected by the attack, your first/default address (index 0) is almost certainly exposed. It is the address that some wallets may be using by default or as the only address at all, and nearly always has transactions. That history is all an attacker needs. Please DO NOT RESTORE your recovery phrase into another Cardano wallet. This does not mitigate the security risk. Your keys are derived from your recovery phrase, not from the app. Restoring the same phrase into another wallet recreates identical addresses with identical exposure. The compromised thing is the key of the compromised address(es), not the interface you are using. If you were affected by the attack, and use any of your compromised address(es) to deposit it could be drained again. This includes withdrawing staking rewards even using another wallet. Reward withdrawal and delegation are signed with the stake credential. The withdrawn funds could be routed to your first/default address (as indicated above), which has a high chance of being compromised (wallets work differently managing it). Mempool-monitoring adversaries can front-run or sweep your assets on confirmation. There has been conflicting advice from community members in an attempt to be helpful. Do nothing until official steps come from SecondFi. We are working to facilitate the verification process so users can claim back their assets safely. Following the above is very important, if not it makes verified claims more difficult. The only thing you should do right now is submit a ticket at https://t.co/bKfl8SK9D2 We will never DM you first or ask for your recovery phrase.

⚠️ As stated, we have identified the root cause, it is at the address level. Please DO NOT RESTORE your recovery phrase into another Cardano wallet, this does not mitigate the security risk. The security risk occurs when an affected user signs a transaction. In addition, we are working to facilitate the verification process so users can claim back their assets safely so the above is very important, as it makes claims more difficult. There has been conflicting advice from different community members in an attempt to be helpful. Do nothing until official steps come from SecondFi. The only thing you should do is submit a ticket at https://t.co/bKfl8SK9D2. We will never DM you first or ask for your recovery phrase.

As per our previous post: https://t.co/LGhovIoI3T We have identified the root cause and have since rolled out a patch for all unaffected wallets. This will allow us to resume normal operations soon. ----- Regarding affected wallets, 4 distinct draining events occurred. 3 were executed by external threat actors, resulting in a loss of ~16m ADA across 374 addresses. To prevent total loss during the active exploit, emergency rescue measures were triggered to secure the available ~129m ADA and continues to be routed to an independent, qualified third-party custodian, where they are held securely for the benefit of the affected wallet addresses. An external accounting firm has been engaged for a special audit to independently verify those holdings. We are working to facilitate the verification process so users can claim back their assets safely. Affected users should submit their claim at https://t.co/bKfl8SK9D2 We take this incident seriously and are working to ensure all assets are returned to affected users as soon as possible. As stated, we have identified the root cause, it is at the address level. Please DO NOT RESTORE your recovery phrase into another Cardano wallet, this does not mitigate the security risk. The security risk occurs when an affected user signs a transaction. Further explanation to follow.

To provide more clarity, we have identified the nature of the incident, it is at the address level. The security risk affects wallet users when a transaction is signed. Therefore recovery to another platform or wallet does not mitigate the risk. 🚨 DO NOT restore your recovery phrase into a new Cardano wallet. We have isolated the affected wallets and will post mitigation steps shortly.

There has been conflicting advice from different community members in an attempt to be helpful. ⚠️ DO NOT RESTORE your recovery phrase into a new Cardano wallet. As advised, do nothing until official steps come from SecondFi. The only thing you should do is submit a ticket at https://t.co/bKfl8SK9D2. We will never DM you first or ask for your recovery phrase.

🚨 SECURITY UPDATE: Root Cause & Blast Radius Confirmed We have isolated the root cause of the recent security incident. The issue was confined to our native Cardano web wallet generation software. Our team has completed an onchain analysis to determine the scope of impact, and we are now finalizing an independent technical review with a leading blockchain security firm to validate our findings.

By collaborating with these ecosystem leaders, we are monitoring exchange touchpoints, and minimizing the impact on other protocols. Cardano stands together. We are grateful for the support of the ecosystem and will continue to provide updates as our investigation and recovery efforts progress.

🚨 An Important Security Update from the SecondFi Team We identified a security issue impacting a small number of Cardano wallets on our platform. We have contained the issue and paused the affected functions. Our engineering teams are actively working to restore full functionality to the platform. To protect our users, SecondFi has been temporarily placed into maintenance mode. All front-end interactions are paused.

⚠️ What You Need to Know Right Now: While SecondFi is in maintenance, you will not be able to undertake transactions. Beware of Scammers: We are seeing an immediate surge in fake "support" accounts and impersonators. Official Channels Only: SecondFi team members will NEVER DM you first, ask for your seed phrase, or request fund transfers. All official support is handled strictly through logged tickets at https://t.co/C5s1yFPlq1. Thank you for your patience and we will provide regular updates as we make progress.

Self-custody puts you in control of your funds. It also means the safety part is on you. Worth running through the basics: ▪️ Your recovery phrase stays with you. Nobody needs it, including us. Anyone who asks for it is trying to drain you. ▪️ You approve every transaction yourself, so actually read it first. Wrong amount, or an address you don't recognize? Don't sign. ▪️ Onchain, there's no undo button. The few seconds you spend checking the address are the only protection you get. Need help? One portal: https://t.co/C5s1yFPlq1. There is no support on X. Anyone in your replies or DMs offering to recover your funds is running a scam.