Security firm SlowMist estimates that losses from the SecondFi exploit may exceed $20 million, a figure several times larger than what the Cardano wallet platform disclosed when the incident first surfaced. The updated estimate was reported early on June 24, 2026, roughly a day after SecondFi confirmed a breach and paused its services.
A $2.4 million disclosure that keeps growing
SecondFi went public with the incident on June 23, 2026, saying about 16 million ADA had been drained, worth roughly $2.4 million at the time it reported the figure. That implies an ADA price near $0.15 by the platform's own valuation. On-chain trackers counted around 178 affected wallets, with some community tallies putting the ADA loss closer to 12 million, alongside an unclear mix of native tokens and NFTs.
SlowMist's $20 million estimate sits well above that initial number. The two figures are not directly comparable: the early disclosure focused on ADA, while a full accounting has to price every token and NFT pulled from the compromised wallets, and the count of affected addresses can rise as analysts trace funds. For now the gap stands as an open conflict between the platform's first statement and an external security firm's wider read. Anyone following the story should treat the loss as a range, from the confirmed $2.4 million in ADA up toward SlowMist's $20 million-plus, rather than a settled number.
The breach landed in a soft market. As of June 24, 2026, Bitcoin traded near $63,013, down 1.7% on the day, with Ether around $1,676, off 3.2%, and the Fear and Greed index at 20, in "Fear" territory. A drained wallet feels heavier when the assets inside it are already falling.
The flaw sat in wallet generation, not the chain
SecondFi said the problem was confined to its native Cardano web wallet generation software. In plain terms, the code that created wallets for users produced keys that were not safe. Blink Labs, a Cardano developer, warned that wallets generated through the affected flow should be treated as compromised. If the generation process is predictable or leaks entropy, an attacker can reconstruct the private keys without ever phishing the user.
This is not a bug in Cardano's protocol or in ADA itself. The ledger worked as designed; it dutifully recorded transfers signed with keys the attacker could derive. The single point of failure was the tooling one company used to mint those keys. SecondFi has not published the full technical mechanism, and community members have pressed for clarity on whether mobile apps, the browser extension, or the transaction-signing path were involved. Until that detail lands, the safest assumption for affected users is that any wallet created through SecondFi's web flow is exposed.
Self-custody only works when key generation is trustworthy
SecondFi markets itself as a self-custody platform, the kind where users hold their own keys rather than handing assets to an exchange. That model removes the counterparty risk that sank custodial failures like FTX. It does not remove every risk. A self-custody wallet is only as strong as the software that generates and stores its keys, and here that software was the weak link.
The lesson carries beyond one wallet. Anyone choosing self-custody options, whether a standalone wallet or a crypto card that spends straight from a personal wallet, is trusting the provider's key handling, even when no third party ever holds the balance. "Your keys, your coins" assumes the keys were generated cleanly in the first place. When the generator is flawed, control over the seed phrase offers no protection, because the attacker can arrive at the same seed independently. Open-source, audited key generation and hardware-based signing exist precisely to close that gap.
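What "predictable generation" means for a wallet secret, as an added example that is not from the article and does not describe SecondFi's mechanism, which remains unpublished. The toy PRNG, the timestamp seed, and every function name below are constructed assumptions; the block contrasts a secret fixed entirely by a small seed with one drawn from the platform CSPRNG.

```javascript
// Added illustration: constructed generators, not SecondFi's code.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Hypothetical weak design: a deterministic PRNG seeded from a 32-bit value.
function toyPrng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Weak: 16 bytes of "entropy" fully determined by the creation timestamp.
function weakEntropy(timestampSec, bytes = 16) {
  const next = toyPrng(timestampSec);
  return Uint8Array.from({ length: bytes }, () => Math.floor(next() * 256));
}

// Hardened: 16 bytes from the platform CSPRNG; the timestamp plays no part.
function strongEntropy(bytes = 16) {
  return webcrypto.getRandomValues(new Uint8Array(bytes));
}

const hex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");

// How many distinct wallet secrets result from a list of creation times.
function distinctSecrets(makeEntropy, creationTimes) {
  return new Set(creationTimes.map((ts) => hex(makeEntropy(ts)))).size;
}

// Bits of uncertainty in a secret: capped by the seed space, not output length.
function effectiveBits(seedSpaceSize, outputBytes) {
  return Math.min(Math.log2(seedSpaceSize), outputBytes * 8);
}

// Constructed sample: 1000 wallets created within one 60-second window.
const creationTimes = Array.from({ length: 1000 }, (_, i) => 1750000000 + (i % 60));

console.log("weak distinct:", distinctSecrets(weakEntropy, creationTimes));
console.log("strong distinct:", distinctSecrets(() => strongEntropy(), creationTimes));
console.log("weak bits (32-bit seed):", effectiveBits(2 ** 32, 16));
```

The weak generator yields at most 60 distinct secrets for 1000 wallets, and a 128-bit output carries no more than the 32 bits of its seed; a review of key-generation code should trace every byte of the secret back to a CSPRNG call.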
Cardano's core teams step in
SecondFi disabled front-end access, entered maintenance mode, and took a snapshot of balances as a reference point for any future remediation. The company said it coordinated with ecosystem partners including Input Output and the Cardano Foundation, completed an on-chain analysis, and began an independent technical review with an outside security firm. It also warned users about a wave of follow-on scams, repeating that its staff will never ask for a seed phrase or private key.
Compensation remains the open question. SecondFi has said details will follow but committed to no specific plan, amount, or timeline. With SlowMist's estimate now pointing past $20 million, the size of any make-whole effort, and whether the platform can fund it, will decide how this ends for the affected wallet holders.
Overview
A Cardano wallet platform that pitched self-custody lost user funds because the keys it generated were not secure. The confirmed damage started at 16 million ADA, about $2.4 million, and SlowMist now estimates the full total across ADA, tokens, and NFTs could exceed $20 million. The chain held; the wallet software did not. For the roughly 178 wallets involved, the next concrete signal is SecondFi's compensation plan, which the company has promised but not yet detailed.








