Security Incident Update

This article will be updated as our investigation progresses. Please check back regularly for the latest information.


⚠️ Important: Wait for Instructions before taking further actions


Independent actions taken outside of official guidance create additional risks, and may significantly complicate the asset claims process. Our team is working through a secure recovery process, and we will continue keeping users updated as progress is made. Official step-by-step instructions will follow shortly.


The only thing you should do right now is submit a ticket at support.secondfi.io.


We will never DM you first or ask for your recovery phrase. If you receive such a message, it is a scam.


Update - 9 pm SG Time 2nd July 2026


Hardware Wallet Migration Guide


We have published a step-by-step guide to help users securely move their assets to a new hardware wallet, the most secure option for self-custody.


Before you start, keep these in mind:

  • If you already use a hardware wallet, no action is required. Hardware wallet users were not affected by this incident.
  • Do not delete the SecondFi app, and keep your seed phrase safe. Either one will be required to claim your assets through the recovery process.
  • Stop using your existing wallet. Do not send, receive, sign, or stake from it.


The full step-by-step guide, including how to test with a small amount before moving your balance, is available here:

https://kb.secondfi.io/en/article/hardware-wallet-migration-guide-1dnm8is/ 


Important Security Reminder


SecondFi will NEVER request private keys, seed phrases, wallet credentials, or request asset transfers under any circumstances. We will never DM you first.


Any message instructing you to move assets or submit wallet information outside of our verified official channels should be treated as fraudulent. Our official channels are @secondfiapp, @secondfi_jp, and support.secondfi.io


For support, please submit a ticket only through our official support channel at: support.secondfi.io.



Update — 1:40 pm SG Time 2nd July 2026


SecondFi Security Incident: Recovery Progress Update


Dear Cardano Community,


Our teams continue to work around the clock alongside some of the smartest technical minds in the Cardano ecosystem to work on an onchain recovery process. Thanks to these efforts, tremendous progress has been made and a viable solution remains on-track. We are grateful for their support.


Alongside this, we are developing an onchain claims portal to facilitate the return of assets.


DO NOT delete the App and keep your seed phrase safe to more efficiently enable recovery. For now, submit a ticket at support.secondfi.io


Further Progress

Today, we released the official Asset Recovery Wallet Checker at checker.secondfi.io, so you may verify whether you are impacted. It will never ask you to sign a transaction. If any tool does, it is not ours and should be treated as fraudulent.


Our commitment remains unequivocal: to support the return of assets to all affected wallet holders across 4 distinct wallet draining events, in their original form.

Three of these events were executed by external threat actors, resulting in a loss of ~16M ADA. EMURGO has set up a recovery fund address to return assets to the victims of the attack.


You can find the address here:

addr1qyvvn9e9ulvzw2nvgkwraxwrla4a28l7gmduk7jru2rw9kdxkls8aczwgg8u44nj87uaq50rgcjulcxtzv9q8j0g2lss9kv2ss


Notably, assets recovered by white hats (including the 4th event) are accessible and safely held. These will be part of the recovery effort to return assets to affected users.


Commitment to Transparency

Independent auditors are currently reviewing our systems and validating our findings. We intend to share those reports once finalised. Premature releases may result in misinformation or tip off threat actors. We appreciate your patience.


WebX Tokyo

As a commitment to our user base, our team will be at WebX in Tokyo, to answer questions on how to migrate to other wallet platforms using hardware devices. Details to follow ahead of the event for those who wish to seek out this guidance and support.


Important Security Reminder

SecondFi will NEVER request private keys, seed phrases, wallet credentials, or wallet access. No recovery actions requiring user participation have begun. Any message instructing you to transfer assets or share wallet information outside our official channels should be treated as fraudulent. The only action required right now is to submit a ticket at support.secondfi.io.


Our Commitment

Trust at moments like this is built through action, not assurance. Every decision we're making has one objective: returning assets safely to every affected user, as soon as possible.


Thank you for your patience during this difficult time. @secondfiapp / @secondfi_jp remains the official channel for all updates.


Phillip


Update — 10:45 am SG Time 2nd July 2026


Recovery Process Update


Your assets remain safe. Our team's full focus is on recovery. Here is where things stand today:


How do I check if my wallet is affected?

The asset recovery wallet checker is now live: checker.secondfi.io


This is the only official checker, hosted on our secondfi.io domain and shared only through @secondfiapp / @secondfi_jp. It is prepared on a best-efforts basis. It will never ask you to sign a transaction. Any tool that does is a scam.


This is phase one. In phase two, the checker will show whether your wallet has been affected, alongside an air-gapped transfer option to move assets securely.


I am not affected, what are my options?

If you wish to migrate, we recommend moving your assets to a newly created wallet using a hardware wallet only. We will release clear, step-by-step migration instructions to guide you through this.


I am affected, what do I do?

We are working on an onchain recovery tool. For now, submit a ticket at support.secondfi.io and keep your app and seed phrase safe. Recovery instructions will only be released once the Intersect Security Council has completed its review.


How do I recover my assets?

Our teams are working with the smartest minds in Cardano, who have dropped everything to work on this incident, to develop an onchain claims portal, which is now in preview mode and will be released soon.


Understanding what happened

Several auditors and independent experts are analysing onchain activity and validating our findings. Reports are coming, and we intend to share relevant reports once finalised. We cannot share findings before then, as doing so may cause further issues.


How do I make a claim?

If you want to make a claim, submit your ticket at support.secondfi.io.


Please remember:


DO


DON'T

  • Delete the SecondFi app
  • Share private keys, recovery phrases, or wallet credentials with anyone
  • Trust any checker, link, or account outside our official channels
  • Act on messages telling you to move assets or submit wallet information


SecondFi will NEVER request private keys, recovery phrases, or wallet credentials. No recovery actions requiring user participation have begun. @secondfiapp / @secondfi_jp remains the official channel for all updates.


Update — 2.15pm SGT 30th June 2026


IMPORTANT SECURITY REMINDER


These are the ONLY OFFICIAL SecondFi channels:

X accounts @secondfiapp and @secondfi_jp


Support portal: support.secondfi.io


We will never DM you first or ask for your recovery phrase.


Any other account is a scam account.


If you come across a fake account or suspicious message, please report it to X. The screenshots below show known impersonator accounts to watch out for.


Stay alert, and only trust updates from our official channels.





Update — 7.45pm SGT 29th June 2026


Recovery Process Update


Today, we want to share an update across three areas:

  1. Returning user assets
  2. Moving user assets safely
  3. Onchain recovery


1. Returning User Assets

  • Drained by the attackers: EMURGO has funded an Asset Recovery Wallet specifically to return assets to users whose wallets were compromised in the attack.
  • Secured through our emergency rescue response: These assets are currently protected and accessible. We are in discussion with IntersectMBO on the appropriate custody mechanism to ensure they are held securely and returned to users.


2. Moving Your Assets

Our initial guidance was to stay put, which was a deliberate step while we worked to fully understand the attack vector and avoid exposing users to further risk. Following active discussions with the Intersect Security Council, should you decide to move your assets, we recommend creating a new wallet using a hardware wallet only. A hardware wallet is the most secure option available.


Important: However, users should NOT delete the SecondFi app under any circumstances. We strongly advise users to retain BOTH the app and their seed phrase, as they will be required to support the asset recovery process currently underway.


3. Onchain Recovery

Our team is actively progressing an on-chain recovery solution designed to support the secure return of user assets. Extensive technical assessment has identified this as the most secure and efficient recovery pathway currently available.


We are now working closely with a Cardano community-led task force to develop, validate and execute this solution securely.


This process is more complex than originally anticipated and may require additional time beyond our previously estimated 2-week timeline.


We will continue providing updates as progress continues.


Important Security Reminder:

SecondFi will NEVER request private keys, seed phrases, wallet credentials, or request asset transfers under any circumstances. We will never DM you first.


Any message instructing you to move assets or submit wallet information outside of our verified official channels should be treated as fraudulent. Our official channels are our verified SecondFi X account and support.secondfi.io.


For support, please submit a ticket only through our official support channel at support.secondfi.io.


Thank you for your continued trust as this work continues.



Update — 8am SGT 28th June 2026


⚠️ Important Security Update


We are seeing an increase in malicious activity and impersonation attempts related to the recent incident.


As a precaution, please DO NOT deposit any additional funds into your existing SecondFi wallet until further notice.


To help users safely navigate next steps, we will be releasing:


  1. A suitable mechanism to allow users to check whether their wallet has been affected by early next week.
  2. A secure process that will allow users to safely move assets out of the platform thereafter.


Please remember that NO recovery actions requiring user participation have begun at this stage. Wallets should remain untouched until official recovery instructions are provided.


SecondFi will NEVER request private keys, seed phrases, wallet credentials, or request asset transfers under any circumstances.


For support, please submit a ticket only through our official support channel at support.secondfi.io.


Thank you to everyone for your continued patience and trust as this work continues.



Update — 12.15pm SGT 27th June 2026


SecondFi Security Incident: Executing Recovery 

Over the past several days, our engineering and security teams have remained fully mobilized, operating continuously around the clock to secure the platform, complete forensic investigations, validate wallet balances, and establish the safest possible recovery pathway for affected users.


We confirm that this work has now led to a meaningful breakthrough. We have successfully identified a clear recovery solution, marking an important step forward in our efforts to return assets to users safely and securely.


What Happens Next

Our immediate focus now turns to execution. We are working toward an estimated two-week timeline: the coming week will be dedicated to building the solution itself, followed by a second week of testing and review before assets can begin being safely returned to users.


While we are moving with urgency, it is important to recognize that this process cannot be rushed.


For this reason, we want to reiterate and recommend once again: users should not independently migrate assets or take action outside of official SecondFi guidance. The recovery process currently underway is being designed around existing wallet states, and independent action at this stage may significantly complicate the secure return of assets.


Important Security Advisory

We understand that some users may feel compelled to move assets as a precautionary measure. However, should you choose to do so independently, you do so entirely at your own risk.


We also want to make the community aware that malicious actors are now attempting to exploit the current situation by circulating fraudulent communications impersonating SecondFi.


As a reminder, SecondFi will NEVER request private keys, seed phrases, wallet credentials, or direct wallet access under any circumstances. No recovery actions requiring user participation have begun at this stage. Any communication instructing users to transfer assets, submit wallet information, or take action outside of our verified official channels should be treated as fraudulent.


The only thing you should do, if you have yet to, is to submit a ticket at support.secondfi.io.


Our Commitment

We recognise that confidence and trust at moments like this are built not through assurances alone, but through disciplined execution. This is precisely what guides us now. Every action being taken right now is focused on returning assets safely and protecting users.


I want to thank the broader Cardano community, our ecosystem partners, and users who have continued standing with us throughout this process. The support, coordination, and resilience shown across the ecosystem over the past week has only strengthened our resolve to see this through responsibly and successfully.


Again, x.com/secondfiapp remains the official channel for communications and we will continue to provide proactive updates every step of the way.


Thank you.


Phillip



Update — 11.15am SGT 27th June 2026


⚠️ Important Security Advisory: Scam Attempts


We have identified fraudulent messages circulating online from malicious actors attempting to impersonate SecondFi while our incident response remains underway.


Please note that NO recovery actions requiring user participation have begun at this time.


SecondFi will NEVER request private keys, seed phrases, wallet credentials, or direct wallet access under any circumstances.


Any communication instructing users to submit wallet information, migrate assets, or take immediate action outside of our verified official SecondFi channels should be considered fraudulent. NO user action is required at this stage.


You may submit a ticket through our official support channel at support.secondfi.io.


Our team is actively monitoring these malicious activities alongside our ongoing recovery progress, and we will continue sharing verified updates as progress continues.



Update — 7.45pm SGT 26th June 2026


Recovery Process Update


Our team remains focused on returning assets to affected users, and we are making strong progress on a structured recovery and verification process.


Two important updates today:


  1. The final balance snapshot has been taken today, Friday 26 June 2026. We have been capturing regular snapshots throughout the incident response, and this final one gives us an accurate, verified record of balances to work from as we prepare recovery.


  2. Timing of recovery. Behind the scenes, our engineering and security teams have worked around the clock to validate balances and evaluate recovery mechanisms. This has led to a solution where assets can begin being returned, which we estimate is around two weeks away: roughly one week to reach a working solution, then a week of testing and review. Timing may shift as the work continues but our priority is clear: a safe return of funds and getting SecondFi back online responsibly.


We will resume operations once we are fully confident the platform is secure and all security reviews are complete, and we are determined to get there as quickly as we safely can.


For now, the only action required is to submit a support ticket at support.secondfi.io


We appreciate your continued patience as we work through this process responsibly and will continue sharing updates as progress is made.



Update — 4.30pm SGT 26th June 2026


Important Guidance for SecondFi Users


We understand that many users are considering migrating to new wallets, and that trusted members of the Cardano community are suggesting ways to do so. We recognise this comes from a desire to protect your assets. If you choose to migrate, you do so at your own risk.


However, we strongly advise against taking this action at this time. Particularly if you are not technical, the safest course is to leave it untouched.


Independent actions taken outside of official guidance create additional risks, and may significantly complicate the asset claims process. Our team is working through a secure recovery process, and we will continue keeping users updated as progress is made. Official step by step instructions will follow shortly.


If you have a query, you may submit a ticket at support.secondfi.io. We will never DM you first or ask for your recovery phrase.


Thank you for your patience.



Update — 10am SGT 26th June 2026


As stated, we have identified the root cause: it is at the address level. Please DO NOT RESTORE your recovery phrase into another Cardano wallet; this does not mitigate the security risk. The security risk occurs when an affected user signs a transaction.


In addition, we are working to facilitate the verification process so users can claim back their assets safely. Following the above is very important, as not doing so makes claims more difficult.


There has been conflicting advice from different community members in an attempt to be helpful. Do nothing until official steps come from SecondFi.


The only thing you should do is submit a ticket at support.secondfi.io.


We will never DM you first or ask for your recovery phrase.



Update — 6.35pm SGT 25th June 2026


We aim to provide the latest update on our investigation into the exploit


As mentioned in our previous post, between June 21–23, 2026, a sophisticated, automated attack drained funds from multiple Cardano wallets. We have now identified and isolated the addresses of 2 attackers.


We are sharing them below with the community, for full transparency.


Attacker A (Waves 1 & 2)

Drained 171 wallets across two automated batches.

  • Collection Wallet 1: addr1q9j7f598x988unr4zhjulft205jqnn9ewgwkhes5smf2sr6jsw98nm4qq38jw9epe587twavuhuhj5d8r92rjvmyjlzs9lqc3x
  • Collection Wallet 2: addr1q9wudkfeelzwev427yvapkmqexmet8q4vl303m7a4eerwtvt6rq00zyuqzeuw759vgqtdky0gyxnqx27n8q4k6h79yhsqelma8
  • Collection Wallet 3: addr1q82jlp2u0ezv2hsf6f40fkrv49hd72yv442nmrr5qeultpqamepaykp3m564hnd4zp75wxxds2j6d3ywvc8prhf2kcxqn6nql3
  • Central Fee/Change Address: addr1q8acx4h5a38x6ekpsp0x7aelw6mflt78khmz8lz75rtnqvn07w88zx2e89tgzqr3x0mecngqlg87kq9surhk48hj79mqcezfa8
  • Attacker Stake Key: Stake1u9hl8rn3r9vnj45pqpcn8auuf5q05rltqzcwpmm2nme0zasf40ymg


Attacker B (Wave 3)

Drained 203 wallets in a separate automated sweep.

  • Collection Wallet (⚠️ 4,020,468 ADA linked to the exploit remains in this address, which has been flagged and is under active monitoring and investigation): addr1q8m5wdncq7rwum73r5cyyr82qx2xjem5k4ehapl3wy36aaerj829vasl3amtcwshgvnn6a25dr850tfw6qaj420d2szsslkku6
  • Attacker Stake Key: Stake1uy3er4zkwc0c7a4u8gt5xfeaw42x3n6845hdqwe248k4gpgdq4da5



Update — 3.15pm SGT 25th June 2026


Message from Phillip Pon, CEO of EMURGO


Dear Cardano Community,


Over the past 72 hours, SecondFi – Cardano's largest wallet provider – was the target of a highly sophisticated, pre-meditated, and deliberate security incident.


Initial forensic evidence points to a coordinated, multi-actor exploit enterprise. While an advanced threat of this nature could target any participant within our ecosystem, we recognize that as a co-founding entity of Cardano, our responsibility in moments like this is held to a higher standard of accountability and action.


We remain fully committed to returning the assets of all affected wallet holders from the 4 distinct wallet draining events. Active rescue efforts are ongoing.


Here is where we stand:


Discovery, Patching, and Impact

Following the initial discovery on June 22nd, emergency response protocols were immediately activated to investigate the issue and protect user assets. Our engineering teams successfully isolated the exploit vector, deployed immediate remediation measures, and moved SecondFi into maintenance mode to prevent any further contagion while investigations continue.


We have since engaged a leading security firm, alongside additional independent security partners, to conduct a full review of the attack vector and ensure the integrity of our systems before normal operations resume.


Impact Assessment

Our investigation has confirmed that 374 wallet addresses were affected across three separate attack events, resulting in approximately 16 million ADA being compromised. This represented losses of approximately US$2.4 million.


In parallel, emergency rescue measures were immediately initiated and remain ongoing. Through these efforts, we have already successfully secured approximately 129 million ADA as part of our broader containment and asset protection response.


All recovered assets are currently being held securely while recovery efforts continue.


Recovery 

We have now completed the identification and mapping of wallet addresses impacted during the initial exploit, allowing us to begin the next phase of recovery with confidence and precision.


Our commitment remains unequivocal: to support the return of assets of all affected wallet addresses from the 4 distinct wallet draining events.


To support this process, a dedicated and independently secured restoration fund has already been established, forming the foundation of a transparent reimbursement process for affected users.


As part of recovery, we are working to facilitate the verification process so users can claim back their assets safely. While this process will require additional verification steps and may take longer, it is the most secure and responsible path to ensuring assets are returned safely and accurately.


We will continue updating affected users regularly as recovery efforts progress and as each stage of the claim process is completed.


Return to Operations

SecondFi will only resume normal operations once additional security reviews and independent audits have been completed. We have engaged external security firms to conduct a comprehensive review of the protocol at the code level, and we will not restore platform access until we are fully confident in the integrity and security of our systems.


Wallets impacted during this incident will remain subject to controlled recovery procedures, and affected users will receive clear guidance on the steps required to safely restore access and recover assets through our official recovery process.


In parallel, we will be submitting formal incident reports to the relevant authorities and pursuing every available legal avenue to recover lost assets and hold responsible parties accountable.


Critical Security Notice

Based on our investigation, wallets compromised during this incident should be treated as permanently compromised. The vulnerability exists at the address and private key level, which means simply importing or restoring an affected recovery phrase into another wallet provider will not resolve the security risk.


For this reason, affected users must not independently move assets, restore seed phrases, or attempt to migrate compromised wallets to another Cardano wallet application. Taking independent action may expose users to further compromise.


We will shortly provide a clear recovery process outlining how affected users can safely migrate and restore access through our official recovery procedures.


Ecosystem Solidarity

Moments like these serve as an important reminder that the long-term strength of any ecosystem is ultimately defined not only by its technology, but by the collective commitment of its community to protect and support one another when it matters most.


We want to recognize and thank the founding entities, partners, and community members who mobilized immediately to support our response efforts and help contain broader risk to the network.


Through real-time collaboration, intelligence sharing, and coordinated action, the wider ecosystem worked swiftly alongside us to strengthen our response and safeguard the broader stability of Cardano during a critical period. This incident has reflected the strength and resilience of the Cardano ecosystem at its best.

@secondfiapp remains the official channel for communications, and we will continue to provide proactive updates every step of the way.


Thank you.


Phillip



Update — 2.45pm SGT 25th June 2026


Technical Explanation of the Vulnerability


We have identified the root cause of the attack. It is at the address level.


The affected software signer had a flaw in its deterministic nonce derivation. Every time an address signed a transaction, it leaked enough information to mathematically reconstruct that address's private key from public blockchain data alone.


If you were affected by the hack, your first/default address (index 0) is almost certainly exposed. Some wallets use it by default, or as their only address, and it nearly always has transactions. That history is all an attacker needs.
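
As an added illustration (not SecondFi's code or tooling): the update does not say how the nonce flaw shows up on chain, so this sketch assumes the simplest case, one nonce used for two different messages, which in Ed25519 appears as the same R (first 32 bytes of the signature) under one public key and makes the signing scalar solvable from the two S values. The record field names and all sample values are constructed for the example.

```python
"""Flag Ed25519 public keys whose witness history repeats a nonce commitment R
across different messages. Added example; record field names are assumptions."""
from collections import defaultdict

SIG_LEN = 64   # Ed25519 signature is R (32 bytes) followed by S (32 bytes)
KEY_LEN = 32   # Ed25519 verification key
HASH_LEN = 32  # transaction body hash that the key witness signs


def parse_witness(record):
    """Decode one {'vkey', 'signature', 'body_hash'} hex record or raise ValueError."""
    try:
        vkey = bytes.fromhex(record["vkey"])
        sig = bytes.fromhex(record["signature"])
        body = bytes.fromhex(record["body_hash"])
    except (KeyError, TypeError) as exc:
        raise ValueError(f"malformed witness record: {exc}") from exc
    if (len(vkey), len(sig), len(body)) != (KEY_LEN, SIG_LEN, HASH_LEN):
        raise ValueError("unexpected field length")
    return vkey, sig[:32], sig[32:], body


def find_reused_nonces(records):
    """Return (exposed, skipped).

    exposed maps vkey hex -> [(R hex, sorted body hashes)] for every R that one
    key used on at least two different messages. A repeated R on the same
    message is expected (Ed25519 signing is deterministic) and is not flagged.
    skipped counts records that could not be parsed.
    """
    seen = defaultdict(lambda: defaultdict(set))  # vkey -> R -> {body hashes}
    skipped = 0
    for rec in records:
        try:
            vkey, r, _s, body = parse_witness(rec)
        except ValueError:
            skipped += 1
            continue
        seen[vkey][r].add(body)

    exposed = {}
    for vkey, by_r in seen.items():
        hits = [(r.hex(), sorted(b.hex() for b in bodies))
                for r, bodies in by_r.items() if len(bodies) > 1]
        if hits:
            exposed[vkey.hex()] = hits
    return exposed, skipped


def _h(byte):
    """Constructed filler: 32 identical bytes as hex (not real key material)."""
    return bytes([byte]).hex() * 32


# Constructed sample witnesses; none of these are real keys or signatures.
SAMPLE = [
    # key A1: two different transaction bodies share one R -> flagged
    {"vkey": _h(0xA1), "signature": _h(0x11) + _h(0x21), "body_hash": _h(0x01)},
    {"vkey": _h(0xA1), "signature": _h(0x11) + _h(0x22), "body_hash": _h(0x02)},
    # key B2: the same body seen twice -> identical signature, not flagged
    {"vkey": _h(0xB2), "signature": _h(0x33) + _h(0x44), "body_hash": _h(0x03)},
    {"vkey": _h(0xB2), "signature": _h(0x33) + _h(0x44), "body_hash": _h(0x03)},
    # key C3: a fresh R for each message -> not flagged
    {"vkey": _h(0xC3), "signature": _h(0x55) + _h(0x66), "body_hash": _h(0x04)},
    {"vkey": _h(0xC3), "signature": _h(0x56) + _h(0x67), "body_hash": _h(0x05)},
    # truncated signature -> counted as skipped
    {"vkey": _h(0xD4), "signature": _h(0x77), "body_hash": _h(0x06)},
]

if __name__ == "__main__":
    exposed, skipped = find_reused_nonces(SAMPLE)
    for vkey, hits in exposed.items():
        for r_hex, bodies in hits:
            print(f"key {vkey[:16]}... reused R {r_hex[:16]}... on {len(bodies)} messages")
    print(f"skipped {skipped} malformed record(s)")
```

A clean result does not clear an address: a flawed derivation can also leak through related or biased nonces that never repeat exactly.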


Please DO NOT RESTORE your recovery phrase into another Cardano wallet. This does not mitigate the security risk. 


Your keys are derived from your recovery phrase, not from the app. Restoring the same phrase into another wallet recreates identical addresses with identical exposure. The compromised thing is the key of the compromised address(es), not the interface you are using.


If you were affected by the hack and use any of your compromised address(es) for deposits, it might be drained again. This includes withdrawing staking rewards, even when using another wallet.


Reward withdrawal and delegation are signed with the stake credential. The withdrawn funds could be routed to your first/default address (as indicated above), which has a high chance of being compromised (wallets differ in how they manage this). Mempool-monitoring adversaries can front-run or sweep your assets on confirmation.


There has been conflicting advice from community members in an attempt to be helpful. Do nothing until official steps come from SecondFi.


We are working to facilitate the verification process so users can claim back their assets safely. Following the above is very important, as not doing so makes claims more difficult.


The only thing you should do right now is submit a ticket at support.secondfi.io.


We will never DM you first or ask for your recovery phrase.



Update — 8.30pm SGT 24th June 2026


We have identified the root cause and have since rolled out a patch for all unaffected wallets. This will allow us to resume normal operations soon.


Regarding affected wallets, 4 distinct draining events occurred. 3 were executed by external threat actors, resulting in a loss of ~16m ADA across 374 addresses.


To prevent total loss during the active exploit, emergency rescue measures were triggered to secure the available ~129m ADA, which continues to be routed to an independent, qualified third-party custodian, where it is held securely for the benefit of the affected wallet addresses.


An external accounting firm has been engaged for a special audit to independently verify those holdings.


We are working to facilitate the verification process so users can claim back their assets safely. Affected users should submit their claim at support.secondfi.io.


We take this incident seriously and are working to ensure all assets are returned to affected users as soon as possible.


As stated, we have identified the root cause: it is at the address level. Please DO NOT RESTORE your recovery phrase into another Cardano wallet; this does not mitigate the security risk. The security risk occurs when an affected user signs a transaction.



What happened?


We identified a security issue affecting a small number of Cardano wallets on our platform. The issue was confined to our native Cardano web wallet generation software. We have contained the issue and paused the affected functions while our engineering team works to restore full functionality.


What should I do right now?


At this time, no action is required from you other than submitting a claim at support.secondfi.io if your wallet was affected. Please keep the following in mind:


  • Do not restore your recovery phrase into a new Cardano wallet. This does not mitigate the security risk. The security risk occurs when an affected user signs a transaction.
  • Do not share your recovery phrase with anyone. SecondFi team members will never ask for it.
  • Ignore unsolicited messages. We are seeing a surge in scammers and impersonators taking advantage of this situation. SecondFi will never DM you first.
  • Use official channels only. All official support is handled through logged tickets at support.secondfi.io.


How do I know if a message is really from SecondFi?


SecondFi team members will never:

  • Send you a direct message first on any platform
  • Ask for your seed phrase or recovery phrase
  • Ask you to transfer funds to any address


All official communications come through our verified accounts and support portal at secondfi.io.


Where can I get the latest updates?



Our team is working around the clock and we are committed to keeping our community informed throughout this process. Thank you for your patience.


Updated on: 02/07/2026