Cardano Crypto News

SecondFi Plans 2-Week Recovery After Cardano Wallet Exploit

Secondfi Plans 2-Week Recovery After Cardano Wallet Exploit
Secondfi Plans 2-Week Recovery After Cardano Wallet Exploit

Cardano wallet provider SecondFi says it has built a recovery route for users impacted by a Tuesday exploit that exposed private keys for a portion of its customer base. In an update shared Saturday, SecondFi’s developer Emurgo indicated that asset returns should begin after completion of security testing and internal verification, with the first payouts expected in roughly two weeks.

The company’s CEO, Phillip Pon, said Emurgo finished forensic investigations and designed the process around SecondFi’s existing wallet states—an approach Pon warned users not to disrupt by moving funds independently or following instructions from unofficial sources.

Key takeaways

  • SecondFi/Emurgo completed forensics and mapped a recovery pathway for affected users after Tuesday’s Cardano wallet exploit.
  • Emurgo expects to start returning assets in about two weeks, after a week building the solution and a subsequent week of testing.
  • SecondFi previously linked the incident to an address-level problem in its Cardano web wallet generation software that exposed private keys.
  • The wallet provider says it is coordinating recovery without requiring user participation for key handling, and it is warning users about scams that may imitate official guidance.
  • SecondFi secured a portion of funds (reported as 129 million ADA) via emergency measures and moved them to an independent third-party custodian for verification.

Recovery plan targets affected users after forensics

According to a Saturday statement from Emurgo CEO Phillip Pon posted on X, SecondFi has reached the stage of producing a recovery solution after finishing forensic work and establishing a pathway intended to safely return assets.

Pon said the immediate focus is the construction phase over the coming week, followed by an additional week of testing and security review before withdrawals or refunds begin. While the company has not published a full technical explanation of the exploit mechanics, its plan is designed to restore user assets in a controlled manner rather than through ad hoc user action.

Crucially, Pon urged users not to migrate assets or take steps outside official instructions during the recovery period. He characterized the workflow as dependent on the wallet states already recorded at the time of the incident, warning that independent actions could complicate efforts to securely reconcile and return funds.

What the Tuesday breach involved

SecondFi disclosed the breach earlier in the week, stating that the incident affected approximately 16 million ADA across 374 addresses. At the time of disclosure, SecondFi estimated the value at about $2.4 million.

In its initial reporting, SecondFi attributed the underlying cause to an address-level issue within its Cardano web wallet generation software. The company said this issue resulted in private keys being exposed for affected users.

Beyond identifying the exposure, SecondFi also said it took emergency measures to secure about 129 million ADA. Those funds were reportedly transferred to an independent third-party custodian and will remain there until the verification and recovery process is fully complete. The separation between the custodied funds and the ongoing recovery workflow underscores the company’s emphasis on verification before any broad asset return.

Scam warnings while recovery is still underway

As SecondFi works toward the next steps of its recovery program, it says scammers are trying to take advantage of the situation. In a separate Saturday update, SecondFi warned that malicious actors have been circulating fraudulent messages impersonating the wallet during the recovery window.

The company said no recovery actions requiring user participation have started. It also reiterated that SecondFi will not ask users for private keys, seed phrases, wallet credentials, or direct wallet access.

SecondFi further cautioned that any message instructing users to submit sensitive wallet information, migrate assets, or act immediately outside of its verified communication channels should be treated as fraudulent. For users seeking help, the company advised submitting a ticket through its official support portal while the recovery process continues.

Why the “two-week” timeline and “no user action” rule matter

The most practical part of SecondFi’s update for impacted users is the operational timeline. By stating that building and testing will consume about two weeks in total before asset returns begin, Emurgo is effectively communicating that this is not a one-day rollback or an instant unlock—rather, it is a staged process with security reviews intended to reduce the risk of further loss.

Just as important is the instruction to avoid migrating funds on one’s own. For wallet incidents, independent user actions can sometimes reduce the amount of verifiable data available to an operator or complicate address-level reconciliation. SecondFi’s stated approach—designing recovery around “existing wallet states”—signals that its engineers are working from a known set of conditions and that changing balances or moving assets independently could create mismatches between what is stored in the wallet records and what needs to be restored.

At the same time, the company’s scam warnings highlight the danger of acting on unofficial guidance. If users were to follow instructions from imposters—especially those asking for seed phrases or direct access—the consequences could compound the original exploit. SecondFi’s emphasis on never requesting private keys or credentials is therefore central to the security posture during recovery.

Still, some key uncertainties remain for the broader community. SecondFi has not published a comprehensive post-mortem that details the full vulnerability or how attackers executed the exploit. Until more technical information is shared, investors and users will likely focus on whether the scheduled testing and review periods end on time and whether asset returns proceed smoothly for all affected addresses.

For users affected by the Tuesday incident, the next watch points are whether SecondFi begins asset returns on the expected schedule and whether the company continues to provide clear, verified updates while discouraging any off-platform recovery attempts. For the wider ecosystem, the incident also serves as a reminder of how web wallet key-generation and address-level logic can become high-risk components—and why disciplined verification during recovery can be as important as the initial patch.

Risk & affiliate notice: Crypto assets are volatile and capital is at risk. This article may contain affiliate links. Read full disclosure

The Crypto Breaking News editorial team curates the latest news, updates, and insights from the global cryptocurrency and blockchain industry.

Related Posts