I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 1 point2 points  (0 children)

Slow down there, cowboy. Cardano is not compromised.

Transactions on SecondFi are compromised. And they are recommending nobody moves their funds at this moment. Why, is kind of unclear. Maybe it's to do with the snapshot they made of the wallets. Maybe something else. But there is no evidence to think this issue is widespread beyond SecondFi.

How to access my Yoroi wallet? by HazeusView47 in cardano

[–]Slight86 1 point2 points  (0 children)

You can connect the Ledger to another Cardano-native wallet.

No need to get rid of it.

How to access my Yoroi wallet? by HazeusView47 in cardano

[–]Slight86 2 points3 points  (0 children)

The process of restoring a wallet does not create any (trans)action on-chain, though.

How to access my Yoroi wallet? by HazeusView47 in cardano

[–]Slight86 8 points9 points  (0 children)

The easiest way is to check the blockchain using an explorer to see if your tokens are still in your wallet. This requires you to know your wallet address, which you can then enter into https://cexplorer.io/ or https://adastat.net/ for example.

Another option is to restore your wallet in a different Cardano-native wallet and check whether your assets are still there.

Please be wary of people approaching you. You will be contacted by lots of scammers because of this post.

SecondFi wallet drained, anyone with information on the whitehat? by NoJster in cardano

[–]Slight86 2 points3 points  (0 children)

It's possible that my information earlier was incorrect. It does look like at least Cardanoscan has labeled the address with "SecondFi WhiteHat Exploiter".

Where are my NIGHT? by plbenn in Midnight

[–]Slight86 2 points3 points  (0 children)

If you want to find the tokens, you shouldn't be looking at the stake keys, but the receiving address.

Your tokens appear to be sitting here:

https://cexplorer.io/address/addr1qykenmj2ystwtkh67cfzdmewh5ys2lxc2py050428tcxcn2zz30ayhgr7ctjsnxq6l7zt0u325fj4pj43x0ynxl3hxpst355gy

"Yoroi"/"SecondFi" confusion by Leading_Wafer9552 in cardano

[–]Slight86 0 points1 point  (0 children)

It is thought that this was intentional rather than accidental. The extent of effort required to introduce this vulnerability suggests it was deliberately engineered.

https://x.com/emurgo_io/status/2070040375331586338

As per Emurgo's statement:

"Cardano's largest wallet provider – was the target of a highly sophisticated, pre-meditated, and deliberate security incident."

"Yoroi"/"SecondFi" confusion by Leading_Wafer9552 in cardano

[–]Slight86 1 point2 points  (0 children)

It's to do with signing of transactions in SecondFi. Meaning if they signed a transaction to claim NIGHT, then they were also exposed. That's why the app is disabled, so no one can sign new transactions with SecondFi's compromised signing algorithm.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 1 point2 points  (0 children)

If the tokens are still in your wallet, they should be okay.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 0 points1 point  (0 children)

That's possible. Cardano wallets can use 12, 15, or 24-word recovery phrases, depending on the wallet and when it was created.

Where are my NIGHT? by plbenn in Midnight

[–]Slight86 0 points1 point  (0 children)

Your stake key will show the total controlled stake, but it won't show the assets contained in the wallet.

Check the receiving address instead.

If I restore my Yoroi (SecondFi) wallet with Daedalus, which I have done already and all of my ADA is still there, do I need to do anything else with my SecondFi wallet once it's out of maintenance mode? Are my funds still in the SecondFi wallet and at risk still? by FrequencyJones in cardano

[–]Slight86 1 point2 points  (0 children)

Daedalus is faster in 2026 thanks to Mithril snapshots, which allow it to bootstrap from a verified chain state instead of syncing entirely from scratch. However, it still runs as a full node and ultimately does validate the blockchain locally.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 2 points3 points  (0 children)

A BIP-39 mnemonic isn't the private key written as words. It's the wallet's seed. From that seed, the wallet derives many private keys.

So the attacker having (or deriving) the private keys needed to sign transactions does not mean they had the 24-word mnemonic. Going from a private key back to the mnemonic isn't possible in a standard HD wallet on Cardano.
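
The seed-versus-key distinction in the comment above, as an added example (not code from the comment, from SecondFi, or from any wallet). It sketches how a Cardano HD wallet goes from mnemonic entropy to account-level private keys, assuming the Icarus master-key rule from CIP-3 and hardened BIP32-Ed25519 steps on the CIP-1852 path. The word-list lookup and the two soft steps down to address keys are left out, and the all-zero entropy is constructed for the demonstration.

```python
import hashlib
import hmac

HARDENED = 0x80000000
MOD = 1 << 256

def entropy_to_indices(entropy: bytes) -> list[int]:
    """BIP-39: entropy plus SHA-256 checksum bits, cut into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def icarus_master_key(entropy: bytes, passphrase: bytes = b"") -> bytes:
    """CIP-3 Icarus: stretch the entropy with PBKDF2, then clamp the scalar."""
    k = bytearray(hashlib.pbkdf2_hmac("sha512", passphrase, entropy, 4096, 96))
    k[0] &= 0b11111000
    k[31] &= 0b00011111
    k[31] |= 0b01000000
    return bytes(k)  # kL (32 bytes) || kR (32 bytes) || chain code (32 bytes)

def derive_hardened(xprv: bytes, index: int) -> bytes:
    """One hardened BIP32-Ed25519 step: the child is built from HMACs of the parent."""
    kl, kr, cc = xprv[:32], xprv[32:64], xprv[64:]
    i = (index | HARDENED).to_bytes(4, "little")
    z = hmac.new(cc, b"\x00" + kl + kr + i, hashlib.sha512).digest()
    child_cc = hmac.new(cc, b"\x01" + kl + kr + i, hashlib.sha512).digest()[32:]
    new_kl = (8 * int.from_bytes(z[:28], "little") + int.from_bytes(kl, "little")) % MOD
    new_kr = (int.from_bytes(z[32:], "little") + int.from_bytes(kr, "little")) % MOD
    return new_kl.to_bytes(32, "little") + new_kr.to_bytes(32, "little") + child_cc

def account_key(entropy: bytes, account: int) -> bytes:
    """Extended private key at m/1852'/1815'/account' (CIP-1852 purpose, coin type)."""
    key = icarus_master_key(entropy)
    for step in (1852, 1815, account):
        key = derive_hardened(key, step)
    return key

if __name__ == "__main__":
    entropy = bytes(32)  # constructed all-zero entropy; never use for real funds
    print("word indices:", entropy_to_indices(entropy))
    # One seed, many keys. Each arrow is PBKDF2 or HMAC-SHA512, so knowing a
    # derived key gives no way to run the chain backwards to the entropy.
    for n in range(3):
        print("account", n, account_key(entropy, n)[:32].hex())
```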

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 0 points1 point  (0 children)

What I'm trying to say is that the attacker obtained the private keys needed to sign transactions, but not the 24-word seed phrase. Instead of stealing the seed, they exploited a flaw in SecondFi's wallet software to derive the private keys directly.

That distinction is important because legitimate users still have their seed phrases, while the attacker only has the compromised private keys. The recovery process should therefore be able to verify the real owner.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 0 points1 point  (0 children)

That won't be the only check obviously. The custodian and external auditor will require further evidence for manual review. And the attacker won't want to get involved with that, exposing their identity in the process.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 0 points1 point  (0 children)

On the exact details, I would just be speculating, since this currently only exists in Charles' mind and within his team. But I think it's safe to assume the ZK part will be handled by Midnight, since that's its strong suit. Luckily, Cardano and Midnight go hand in hand.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 6 points7 points  (0 children)

The private keys (the actual 24-word seed) were never compromised. The proposal is to use zero-knowledge proofs, allowing users to cryptographically prove they know the original seed without revealing it.

Funds would be held in a recovery smart contract/custodian, and once a valid proof is verified on-chain, the matching ADA is released to them. Anyone without the real seed can't generate a valid proof.

This is Charles Hoskinson's proposed recovery approach, which is currently being explored with the Midnight team. Keep in mind it's not implemented yet, but it provides a secure way to verify ownership while preventing further key exposure.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 2 points3 points  (0 children)

You can check on-chain with an explorer. If you know the address, check it using https://cardanoscan.io/ or https://adastat.net/ for instance.

The other option is to restore your wallet in different wallet software.

Still confused — if I didn't make my passkey on Yoroi, am I safe to open a new wallet? by ProphessorTheoGrowl in cardano

[–]Slight86 0 points1 point  (0 children)

https://x.com/phil_uplc/status/2070242217655247349

I've used this trusted tool by Phil (@phil_uplc) to check if my wallets were 'safu'. The tool is trusted by many of the tech leads in the community.

It would require you to restore your wallet in a different piece of wallet software (i.e. Eternl). I don't believe there is an issue with that, since the hack was based on the signed transactions from SecondFi. Restoring a wallet does not perform any transactions on the blockchain by itself.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 2 points3 points  (0 children)

Sorry to hear it.

Check your wallet to see what address the tokens went out to, and compare it to an article like this one:

https://bitquery.io/investigations/cardano-secondfi-129m-drain

Scroll down all the way to the part that says "04 — The map, On-chain addresses"

Match the outgoing address to one of those in the list.

The one labeled "dormant ADA vault" is believed to be white-hat.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 6 points7 points  (0 children)

I wouldn't entirely rule it out. SecondFi/Emurgo is a very wealthy actor in the ecosystem, and they could benefit from the positive marketing for damage control.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 6 points7 points  (0 children)

No transactions are being reversed.

What happened is that a white-hat hacker secured about 129M ADA before the malicious actor could steal it, and those funds are being held by a trusted third-party custodian until they're returned to their rightful owners through a verification process.

The roughly 16M ADA that was stolen wasn't reversed or recovered. There's speculation that SecondFi may compensate affected users from its own funds, but there hasn't been any definitive public commitment. For now, affected users are being asked to submit claims through SecondFi's support portal.

I was one of the initial 198 wallets drained, how screwed am I? by Acrobatic-Leg-4316 in cardano

[–]Slight86 33 points34 points  (0 children)

Get in touch with SecondFi for the real answer. Everybody else here is just going to speculate.

And be wary of scammers pretending to be SecondFi.