Picture this. You wake up, open your Cardano wallet, and the balance you checked last night is gone. Not a dust attack. Not a misclick. Just empty. That was the reality for hundreds of SecondFi users over one long June weekend.

By midweek, a wallet-generation bug had morphed into something bigger: a seed-phrase safety story. People assumed importing their phrase into a different app would save them. It didn’t. The exposure sat at the address level and came back the moment an affected address signed anything.

SecondFi and EMURGO moved into triage mode. On-chain data started painting a clearer picture, and a recovery clock began to tick.

SecondFi disclosed a Cardano wallet-generation vulnerability after coordinated drains between June 21 and June 23, 2026. Initial tallies pointed to roughly 16 million ADA taken from 374 addresses across three main drains, according to early reporting by CoinDesk. That was the first pass. Forensics widened the lens.

Wallet bugs break trust fast. Seed handling decides whether a bad week becomes a bad year.

Bitquery’s reconstruction identified two waves and a large consolidation address, with a second-wave vault holding 129,430,001 ADA by June 23. Their work also logged roughly 3,072 victim wallets swept across both waves, far beyond the first estimate of impacted addresses. See the on-chain write-up from Bitquery.

Here’s the kicker from both Bitquery and SecondFi: the flaw was address-level. Importing an affected recovery phrase into a different Cardano wallet did not eliminate risk. The risk showed up when an affected address signed a transaction at any time, per the joint warning captured in Bitquery’s report and SecondFi’s updates (Bitquery / SecondFi).

What Actually Went Wrong in SecondFi’s Wallets

SecondFi has referred to a wallet-generation vulnerability. That points to issues around how addresses or keys were derived, stored, or used during signing. We don’t need the exact line of code to understand the blast radius: if an address created under that process was flawed, the private key protecting it was not reliably safe. Using it later, anywhere, could expose funds.

Address-level vs seed-level failure

A seed-level failure would poison every account derived from the phrase. An address-level failure can be sneakier. You might have one or more addresses created under unsafe conditions, while others under the same seed look fine. But the moment one of those compromised addresses signs a transaction, you risk a sweep.

This is why the official guidance was so specific. Bitquery and SecondFi both warned that simply re-importing your phrase into another wallet does not neutralize the problem. The vulnerability sits with the address history and signature path, not the user interface (Bitquery / SecondFi).

So what can a user actually do?

If you used SecondFi and think you were affected, the safest posture is to stop interacting with any address generated during the exposure window. Do not sign from those addresses. Do not test with small amounts. Treat them as hot until proven otherwise by the forensic process and the vendor’s recovery plan.

  1. Pause all activity from potentially affected addresses. Do not sign anything from them.
  2. Generate a brand-new Cardano wallet using a trusted path and a fresh seed phrase you’ve never used before.
  3. Wait for SecondFi and EMURGO’s recovery workflow if your funds were already drained. If you still hold ADA on addresses you suspect are affected, seek vendor-specific instructions before moving. The act of signing could be the trigger.
  4. Record your new seed phrase offline. Do not import it into multiple places. Keep it segmented from older, possibly exposed environments.

There are no magic buttons here. It’s posture, patience, and clean operational hygiene.

How the Drains Unfolded On-Chain

We have two versions of the same story: the early snapshot and the full mosaic after investigators traced flows.

Numbers that moved as the picture filled in

Initial loss counts centered on 16 million ADA across 374 addresses in three drains (CoinDesk). Bitquery’s deeper pass mapped two main waves and identified a large consolidation address that held 129,430,001 ADA by June 23, plus a much higher tally of impacted wallets, around 3,072 across both waves (Bitquery). Those totals cover traces that go beyond the earliest surface accounting.

A short timeline from disclosure to recovery planning

Date (2026) Event Source June 21–23 Coordinated draining events tied to a wallet-generation flaw; multiple sweeps observed CoinDesk, Bitquery June 24 Broader on-chain picture emerges; second-wave vault shows ~129.43M ADA; ~3,072 victims identified across waves Bitquery June 26 EMURGO/SecondFi complete forensics and take a final balance snapshot to anchor recovery The Block June 27 Recovery roadmap published, aiming to begin returning funds in roughly two weeks The Block

Who exactly was in the blast radius?

If you’re wondering why 374 addresses and ~3,072 victims both exist in the reporting, it comes down to scope and timing. Early counts often focus on the first clearly linked clusters. Later forensics sweep in secondary paths and consolidations. Addresses, wallets, and users are not one-to-one. Many users hold multiple addresses, and attack clustering can blur lines. Treat both numbers as parts of the same unfolding map, not contradictions.

Why Seed-Phrase Safety Took Center Stage

The most counterintuitive piece of this saga is that switching wallet apps does not fix a bad past. If an address was born under a flawed process, the danger travels with it. You can install the most audited software on the planet. If you import the same phrase, then sign from a previously compromised address, you could be right back in the blast zone. This was the heart of the SecondFi warnings captured in the Bitquery report (Bitquery / SecondFi).

What safe looks like from here

Think in layers. Your choice of wallet matters, sure. But your operational flow matters more. When you suspect any exposure, you rotate.

Action What it solves Caveats Create a brand-new wallet with a fresh seed phrase Segregates future activity from any historic address exposure Does not recover past …

Mənbə: cryptodaily.co.uk →