You Build. We Defend. Since 2014 protecting critical decentralized systems: L1 nodes, smart contract audits, wallets, web3 dApps, exchanges, bridges.

Millions have been stolen from weak crypto wallet recovery phrases without public attribution. Big sweeps into single addresses and laundering patterns get detected and reported. Slow, stealthy drains usually do not. Proving the cause requires victim reports, experts, vulnerable wallet versions, bug discovery and reproduction. That has only happened in a few cases, like Milk Sad: milksad.info/
Wallet app patches don't fix weak recovery phrases created years ago. Past attacks covered major chains, English 12-word phrases, and limited derivation paths. AI now makes the long tail searchable by more attackers. Ecosystems need to find and warn at-risk users and help them migrate funds.
Coinspect Security retweeted
If you own a large balance or important access controls on an address generated by a less widely used wallet, rotate your keys, or reach out to @coinspect
To wallet developers: We are investigating weak seed generation associated with a wallet supporting EVM, Bitcoin, and other chains since 2018. Evidence points to a JavaScript/React Native/Expo mobile wallet. It does not appear to be a widely used wallet, based on observed scale, but users could still be at risk. If your wallet matches this description, please contact us.
When Wallet Cryptography Fails:
• Watch for official security notifications
• Treat suspected key compromise as seed-level risk
• Review every chain tied to the same recovery phrase
• Don't reuse or reimport a risky seed
• Generate a brand-new wallet and migrate carefully
• For large/multi-chain balances, seek expert help before moving funds
If a hardware wallet is not practical for your use case, choose a well-known software wallet with a strong security track record, such as wallets with high scores in our Wallet Security Ranking.
Use a hardware wallet when possible. Not perfect: blind signing and firmware risk still exist. But constrained hardware keeps whole layers of fragile software complexity away from your keys.
Coinspect Security retweeted
🛡 Recovery Process Update

Today, we want to share an update across three areas:
⚙️ Returning user assets
⚙️ Moving user assets safely
⚙️ Onchain recovery

1. Returning User Assets
- Drained by the attackers: @emurgo_io has funded an Asset Recovery Wallet specifically to return assets to users whose wallets were compromised in the attack.
- Secured through our emergency rescue response: These assets are currently protected and accessible. We are in discussion with @IntersectMBO on the appropriate custody mechanism to ensure they are held securely and returned to users.

2. Moving Your Assets
Our initial guidance was to stay put, which was a deliberate step while we worked to fully understand the attack vector and avoid exposing users to further risk. Following active discussions with the Intersect Security Council, should you decide to move your assets, we recommend creating a new wallet using a hardware wallet only. A hardware wallet is the most secure option available.
Important: However, users should NOT delete the SecondFi app under any circumstances. We strongly advise users to retain BOTH the app and their seed phrase, as they will be required to support the asset recovery process currently underway.

3. Onchain Recovery
Our team is actively progressing an on-chain recovery solution designed to support the secure return of user assets. Extensive technical assessment has identified this as the most secure and efficient recovery pathway currently available. We are now working closely with a Cardano community-led task force to develop, validate and execute this solution securely. This process is more complex than originally anticipated and may require additional time beyond our previously estimated 2-week timeline. We will continue providing updates as progress continues.

Important Security Reminder: SecondFi will NEVER request private keys, seed phrases, wallet credentials, or request asset transfers under any circumstances. We will never DM you first.
Any message instructing you to move assets or submit wallet information outside of our verified official channels should be treated as fraudulent. Our official channels are our verified SecondFi X account and support.secondfi.io. For support, please submit a ticket only through our official support channel at: support.secondfi.io Thank you for your continued trust as this work continues.
We haven't integrated the latest round of testing results yet because we decided to highlight address poisoning protection. WSR methodology prioritizes attacks that cause users to lose funds. We're not adding new checklist items or changing weights. Instead, we're updating the testing process for the existing "Unknown address detection" check, which now checks whether wallets warn users about unknown recipients and lookalike addresses. All methodology details are public in our GitHub repo.
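An added example, not Coinspect's ranking tooling nor any wallet's code, of the check the post describes: before signing, classify the recipient as a known address, a lookalike of a known address, or an address never seen before. The displayed prefix/suffix widths and the sample addresses are constructed assumptions.

```javascript
// Added example, not Coinspect's tooling nor any wallet's code. Implements the
// kind of pre-send check the "Unknown address detection" item describes: flag
// recipients never used before, and lookalikes that share the prefix and suffix
// a wallet UI typically shows with a known address. Widths are assumptions.
const PREFIX_CHARS = 6; // hex chars after "0x" commonly shown in truncated UIs
const SUFFIX_CHARS = 4; // trailing hex chars commonly shown

function normalize(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error("not a 20-byte hex address: " + String(addr));
  }
  return addr.toLowerCase(); // compare case-insensitively (EIP-55 casing varies)
}

// Returns { status: "known" | "lookalike" | "unknown", matches: [...] }.
function classifyRecipient(recipient, knownAddresses) {
  const r = normalize(recipient);
  const known = knownAddresses.map(normalize);
  if (known.includes(r)) return { status: "known", matches: [r] };
  const lookalikes = known.filter(
    (k) => k.slice(2, 2 + PREFIX_CHARS) === r.slice(2, 2 + PREFIX_CHARS) &&
           k.slice(-SUFFIX_CHARS) === r.slice(-SUFFIX_CHARS)
  );
  if (lookalikes.length > 0) return { status: "lookalike", matches: lookalikes };
  return { status: "unknown", matches: [] };
}

// Text a wallet would surface before letting the user sign; null means no warning.
function warningFor(recipient, knownAddresses) {
  const c = classifyRecipient(recipient, knownAddresses);
  if (c.status === "known") return null;
  if (c.status === "lookalike") {
    return "Recipient shares the visible start and end of known address " + c.matches[0] +
           " but differs in the middle: possible address poisoning. Check every character.";
  }
  return "Recipient has never been used from this wallet. Verify the full address.";
}

// Constructed sample data: one saved contact, one poisoned lookalike, one stranger.
const KNOWN = ["0xAbCd12" + "0".repeat(30) + "9eF1"];
const POISONED = "0xabcd12" + "f".repeat(30) + "9ef1";
const STRANGER = "0x" + "1".repeat(40);
console.log(warningFor(KNOWN[0], KNOWN), "\n", warningFor(POISONED, KNOWN), "\n", warningFor(STRANGER, KNOWN));
```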
Wallet Security Ranking testing round completed. To avoid delaying updates, we'll publish browser extension results first. The data is already available in our public repo and will be merged after final checks before going live on our website.
Polymarket was reportedly compromised via a third-party frontend JS dependency. That’s exactly the attack vector we built this free tool to track years ago: dependencies in Web3 frontends. We predicted the tool would have basically zero users. We were right!
Supply chain attacks on dApp frontends are becoming more common. Coinspect's dApp Observatory scans thousands of Web3 frontends and tracks their third-party JavaScript dependencies. Check it out → coinspect.com/dapps/ (slow load, use the search tool)
This morning we discovered a 3rd party vendor had been compromised, injecting a malicious script into our frontend for some users. We've contained it & removed the affected dependency. We're contacting impacted users & refunding them in full.
Response after discovery: fast action, ownership, and clear communication. The postmortem needs to explain how vulnerable custom cryptographic code reached production. Overall, the response set a higher bar than we usually see in incidents like this.
Using public blockchain data we identified the root cause of the Cardano ADA wallet drain affecting SecondFi (@secondfiapp) users. We confirm this was not a classic broken PRNG issue, but a flaw in the signing process that exposed affected private keys. The recommendations from our latest post still fully apply:
• Follow SecondFi’s official channels and support ticket system.
• Updating the app or re-importing the same seed/private key into another wallet does not make affected keys safe.
Detailed recommendations are in the linked post.
More wallet drains are being reported that may trace back to weak wallet generation. ⚠️ React Native / Expo wallet devs: do not assume current code proves old wallets were safely generated. Check historical builds and any “secure random unavailable” fixes.
React Native / Expo crypto wallet devs: If your app has generated wallets since 2018, check the RNG. Worst case: 2018-2022 "Secure random unavailable". You fixed the crash and shipped. But the key bits were not coming from the native CSPRNG. Review history, lockfiles, imports.
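An added example, neither Coinspect's code nor that of any wallet discussed in the two posts above, contrasting the crash "fix" they warn about (silently falling back to a non-cryptographic source when the native CSPRNG is missing) with a version that refuses to produce key material at all. The `cryptoApi` parameter and the byte counts are assumptions made so both paths can be exercised.

```javascript
// Added example: neither Coinspect's nor any wallet's code. Contrasts the
// "Secure random unavailable" crash-fix-by-fallback pattern with a version that
// refuses to produce key material without a native CSPRNG. `cryptoApi` is
// injected (an assumption) so the behaviour can be exercised with and without Web Crypto.

// Vulnerable pattern: the app no longer crashes, but when the native CSPRNG is
// missing the requested bytes come from Math.random(), a non-cryptographic PRNG,
// so every recovery phrase derived from them is weak and stays weak.
function entropyWithSilentFallback(nBytes, cryptoApi) {
  const out = new Uint8Array(nBytes);
  if (cryptoApi && typeof cryptoApi.getRandomValues === "function") {
    cryptoApi.getRandomValues(out);
    return { bytes: out, source: "csprng" };
  }
  for (let i = 0; i < nBytes; i++) out[i] = Math.floor(Math.random() * 256);
  return { bytes: out, source: "math-random" }; // silent downgrade
}

// Hardened pattern: no CSPRNG means no wallet. Fail loudly so the missing
// dependency is found in testing rather than years later on-chain.
function entropyOrThrow(nBytes, cryptoApi) {
  if (!cryptoApi || typeof cryptoApi.getRandomValues !== "function") {
    throw new Error("Secure random unavailable: refusing to generate wallet entropy");
  }
  const out = new Uint8Array(nBytes);
  cryptoApi.getRandomValues(out);
  // A zero-filled buffer means the native call returned without doing anything.
  if (out.every((b) => b === 0)) {
    throw new Error("CSPRNG returned all-zero bytes: refusing to continue");
  }
  return out;
}

// Stand-alone demo. Modern browsers and recent Node expose Web Crypto as
// globalThis.crypto; where it is absent the hardened path throws instead of degrading.
try {
  console.log("hardened path produced", entropyOrThrow(16, globalThis.crypto).length, "bytes");
} catch (e) {
  console.log("hardened path refused:", e.message);
}
console.log("fallback path source without CSPRNG:", entropyWithSilentFallback(16, undefined).source);
```

When auditing historical builds, the thing to look for is the first shape: any code path that catches the "Secure random unavailable" error and continues with another source.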
Coinspect Security retweeted
There has been conflicting advice from different community members in an attempt to be helpful. ⚠️ DO NOT RESTORE your recovery phrase into a new Cardano wallet. As advised, do nothing until official steps come from SecondFi. The only thing you should do is submit a ticket at support.secondfi.io. We will never DM you first or ask for your recovery phrase.
Coinspect Security retweeted
To provide more clarity, we have identified the nature of the incident: it is at the address level. The security risk affects wallet users when a transaction is signed. Therefore, recovery to another platform or wallet does not mitigate the risk. 🚨 DO NOT restore your recovery phrase into a new Cardano wallet. We have isolated the affected wallets and will post mitigation steps shortly.
Weak randomness does not just put one account or address at risk. It makes every recovery phrase generated through the affected process searchable by attackers. A weak seed stays weak forever. Preliminary notes from our ongoing research: coinspect.com/blog/weak-wall…