SecondFi Recovery Clock: How a Cardano Wallet Bug Became a Seed-Phrase Safety Story
16M ADA drain linked to a SecondFi wallet flaw, with 3,072 victims and a 129.43M ADA vault tracked on-chain. Final snapshot on June 26; recovery in two weeks.
Picture this. You wake up, open your Cardano wallet, and the balance you checked last night is gone. Not a dust attack.
Not a misclick. Just empty. That was the reality for hundreds of SecondFi users over one long June weekend.
By midweek, a wallet-generation bug had morphed into something bigger: a seed-phrase safety story. People assumed importing their phrase into a different app would save them. It didn’t.
The exposure sat at the address level and came back the moment an affected address signed anything. SecondFi and EMURGO moved into triage mode. On-chain data started painting a clearer picture, and a recovery clock began to tick.
SecondFi disclosed a Cardano wallet-generation vulnerability after coordinated drains between June 21 and June 23, 2026. Initial tallies pointed to roughly 16 million ADA taken from 374 addresses across three main drains, according to early reporting by CoinDesk. That was the first pass.
Forensics widened the lens. Wallet bugs break trust fast. Seed handling decides whether a bad week becomes a bad year.
Bitquery’s reconstruction identified two waves and a large consolidation address, with a second-wave vault holding 129,430,001 ADA by June 23. Their work also logged roughly 3,072 victim wallets swept across both waves, far beyond the first estimate of impacted addresses. See the on-chain write-up from Bitquery.
Here’s the kicker from both Bitquery and SecondFi: the flaw was address-level. Importing an affected recovery phrase into a different Cardano wallet did not eliminate risk. The risk showed up when an affected address signed a transaction at any time, per the joint warning captured in Bitquery’s report and SecondFi’s updates (Bitquery / SecondFi).
What Actually Went Wrong in SecondFi’s Wallets SecondFi has referred to a wallet-generation vulnerability. That points to issues around how addresses or keys were derived, stored, or used during signing. We don’t need the exact line of code to understand the blast radius: if an addres
Đọc thêm từ Tiền số / Crypto
Roberto Martínez criticized for benching Rafael Leão in World Cup
Martnez's decision impacts AC Milan's $ACM fan token value, highlighting the intersection of player visibility and crypto market dynamics. The post Roberto Martínez criticized for benching Rafael Leão in World Cup appeared first on Crypto Briefing.
Grayscale says Strategy’s $3B BTC sale could calm markets
Grayscale’s Zach Pandl says Strategy selling over $3B in BTC may restore confidence as STRC pressure raises dividend concerns for investors.
Brazil Proposes Mandatory 24-Hour Hold on Large Crypto Stablecoin Transactions
The 24-hour hold period would allow virtual asset service providers to screen the transactions and verify the legitimacy of the funds moved. The funds could be released in a shorter timeframe, provided that the risks associated with the transaction are mitigated. Central Bank of
XRP and HYPE Keep Winning the ETF Race as SOL Joins BTC and ETH
Thursday was particularly positive days for the spot ETFs tracking Hyperliquid's token.