Hi, this is Charles Hoskinson broadcasting live from warm, sunny Colorado. Always warm, always sunny, sometimes Colorado. Today is June 23rd, 2026. I was hoping to talk about LEOS, but Cardano is going to Cardano.
It has come to my attention that one of the products of a founding entity, in this case, Second 5 from EMURGO, seems to have had some issues. I’m going to read off some of the tweets they have posted. This was posted today at 5:21 a.m. our time in Colorado, and it's from Second 5. It says, "Root cause and blast radius confirmed. We have isolated the root cause of the recent security incident. The issue was confined to our native Cardano web wallet generation software. Our team has completed on-chain analysis to determine the scope of impact, and we are now finalizing an independent technical review with a leading blockchain security firm to validate our findings. At this stage, our current estimate of the total impact is approximately 16 million ADA. We are continuing to work through operational response and remain committed to supporting affected users in our community. Take this incident seriously. The platform remains in secure maintenance mode, and we've taken a full snapshot of balances as part of our response, which is being handled as a coordinated effort. We're working closely with the core pillars of our ecosystem by collaborating with industry leaders."
So, that’s the PR side. We have a small team at Input Output that does incident response and disaster response. Jerry Moroney leads it; he handles all of our special projects. He has been in contact with Phil since yesterday. We’ll leave it to EMURGO to make forward announcements on this, but it does look like there has been some form of hack with Second 5, resulting in the loss of user funds. How much is hard to say, and what we've requested on the Input Output side is an independent audit, as well as some independent security audits.
More broadly, the challenge with wallet software is that it works perfectly until it doesn't, and then something comes up. It can be an unexplained anomaly, an insider threat, or a hack, and then funds get lost. The challenge is that it's not clear how to resolve that. In the legacy world, we have something called insurance to address these types of issues. When bad things happen, like your house burns down or your car gets damaged, you have insurance to cover the downside of the situation. Here in crypto land, it's buyer beware.
Incidents like this have three phases, but as an ecosystem, we should have a discussion about how to add a fourth step. The first step is obviously the triage of the situation. I talked to Phil this morning and yesterday. I think he's been up for 41 hours straight, and that team is going through a tough time right now. They are just trying to triage and contain the situation, and from what they've told us, they have that under control.
After the initial triage is done, there needs to be a transparency step involving a full enumeration of what happened, why it happened, what went wrong, and the remedies for the situation. The remedies must be executed and audited by trusted external third parties to verify that those remedies have been implemented. More broadly, as an ecosystem, the fourth step is that for a Cardano wallet to hold your money, we really have to aspire toward a certification of a core Cardano wallet. We need to start working together as an ecosystem to achieve that. This will help prevent bad code, malicious code, and many common attack vectors from existing.
In an age of mythic AI, you saw the recent statements from the US government where all of our clearance systems were compromised within just a matter of hours due to these emergent AI models. It's quite straightforward now what an attacker does. They use an uncensored frontier model, say, "Hey, attack this thing and find a backdoor." It crunches for a few hours and then finds some very arcane, exotic attack vector that normally you'd have to be a turbo black hat to discover, and then they're able to penetrate infrastructure. Insider threats are exacerbated because AI can help an insider navigate how to embed something to exploit later on. This is very common in wallet teams. We even had someone from North Korea try to apply to work for us on the Lace team, and we caught him. This has happened to Kraken, Coinbase, and others; sometimes they catch them, and sometimes they don't. They can create grievous and catastrophic harm.
So, in general, the fourth step is that we need a certification program that can survive the perils of AI. It would also be beneficial to start discussing insurance products so that people who use wallets can contribute to some form of collective fund. In the event that something happens, it would be there to create a remedy. It's up to EMURGO to decide what they will do about lost funds. Input Output has no ownership or connection to that, and we will not advise them one way or the other. Obviously, we are here to support and help where we can. Our infosec team and technology team are available to assist with forensics if requested, but ultimately, it's their decision what to do.
This is not the only wallet hack that has occurred in our industry's history, and more will come. We have to separate the EMURGO response from the ecosystem response. The ecosystem response should focus on increased vigilance for building wallets, certification of wallets, understanding the threat vectors, and recovery models in the event of attacks. We should also aim to create products that allow for downside protection when these incidents occur, as I believe this will be the competitive differentiator moving forward.
At Input Output, we always err on the side of transparency. After phase one is done and the initial triage is complete, we will request full transparency from EMURGO in these matters, including audit reports and external entities to publish their findings on what went wrong and why. We would also like to see a remedy, with independent validation that it has been achieved. That’s always what you look for in these types of situations.
I'm sorry that they are going through this. I'm sorry the ecosystem is going through this. It doesn't seem to be a huge amount of ADA, but that brings no solace to the people who have lost funds because for them, that's all their ADA or at least a significant amount of it, and it hurts them whenever they lose anything. This is the unfortunate reality of crypto. I've been in the industry for 15 years. I have fond memories of Mt. Gox and many hacks throughout the years. The largest incident on Cardano was the Nomad hack, which was about a 20 or 30 million dollar loss. I personally lost some money in that hack because we had stablecoins through the Nomad bridge on Ethereum. We were able to recover most of it, but that’s just the reality of these things.
One of the reasons we built Midnight was to introduce more sophisticated cryptography to enhance user protection. Midnight Passport and the existence of zero-knowledge proofs provide us with more secure places to conduct transactions. We are exploring delegated authority through agents via the OWS standard to create better ways of interacting with cryptocurrencies that are fundamentally more secure. In that fourth bucket of what we do after the particulars have been resolved with EMURGO, I believe innovation can help us tremendously. The first generation of Midnight Passport should be available sometime this year, and a lot of advanced cryptography is going into Midnight. Our hope is to incorporate that into the wallet space in addition to using it for agentic trading and other emerging fields. We hope it can be part of the certification stack for Cardano wallets to prevent these types of incidents in the future.
That’s all Input Output can say. We remind the internet, because sometimes they have trouble with this, that we are not EMURGO. We have no ownership, control, or influence over it. We do not run the day-to-day operations, and Second 5 is not an Input Output product. We cannot speak for it or have any influence over it. We did not write the code, and we're not connected to it. While we want our partner companies to be successful, and we have known EMURGO since the beginning, we cannot offer any remedy in this situation to the people affected and will not take any accountability for it because there is none to be had. We had nothing to do with these issues.
I've been tagged many times, and people are asking, "What are we going to do?" It’s not our place or role to do this. We can just offer a helping hand and provide advice and suggestions about how an appropriate cleanup will be done and what our red lines are in our relationships with companies. For anyone we work with in the future, if they have an outstanding claim, we would ask them to address that and make it right for people. We have done this numerous times in the past.
As we leave phase one and the immediate concerns are resolved, there’s a long road to redemption and rebuilding trust. Part of that must include independent trusted third parties publishing reports on what happened, why it happened, and how the company plans to create a remedy for the situation. That’s all we can say about that. Of course, we are not lost on the fact that we should check our own security. There’s nothing wrong with any of our products that we’re aware of, but we are already conducting an internal review and will likely conduct another audit on Lace and other infrastructure just to double-check everything in the age of AI. It’s hard to know if everything's completely secure, but we think we’re okay. We will definitely double-check and ensure that we haven't missed anything, including every part of our infrastructure.
Thank you all for listening. This will be the last public statement I make, and then we will share our future statements through the Input Output channel. We will leave it to EMURGO for all remaining PR. Thanks, everyone.