The multichain wallet Ctrl, according to Ctrl’s own notice, will be permanently shut down, giving users until August 3, 2026 to move assets before most features go dark.
Key Takeaways
- Ctrl Wallet, formerly XDEFI and founded in 2020, is closing permanently with no token migration, airdrop, or refund program.
- The wallet was removed from the App Store, Play Store, and browser extension stores this week, though installed apps keep working until the shutdown.
- Users have two options before August 3: export the recovery phrase into another wallet, or transfer assets directly to another wallet or exchange.
- The closure lands the same week its Cardano wallet SecondFi will not resume normal operations after a 374-address, roughly $2.4 million exploit.
- Ctrl Wallet supports over 2,500 blockchains, including Cardano, putting two prominent Cardano-ecosystem wallets, Ctrl and SecondFi, in wind-down mode within days of each other.
What Happened?
Ctrl Wallet’s shutdown notice gives no reason for the closure and does not reference any security incident. Ctrl Wallet was removed from the App Store, Play Store, and browser extension stores, and is no longer available for new downloads, though already-installed apps continue functioning normally until August 2.
From the deadline onward, all wallet features will be disabled except recovery-phrase export. Ctrl’s recommended path is exporting the 12 or 24 word recovery phrase into a compatible wallet such as MetaMask, Trust Wallet, or Phantom. The alternative is moving assets to another wallet or a centralized exchange such as Binance or Coinbase before the cutoff.
Ctrl was explicit that no compensation is coming.
The company warned that any “Ctrl Wallet Migration Airdrop” or refund-claim site asking users to connect a wallet is a scam, and said it will never ask for a user’s recovery phrase.
Ctrl Wallet is shutting down.
β Ctrl Wallet β (@Ctrl_Wallet) July 7, 2026
Starting 3 August 2026, sending, receiving, swapping and dApp connections within the app will no longer be available.
The one thing you’ll still be able to do is export your recovery phrase.
Here’s what you need to know. π§΅
1/3
The Cardano Wallet Ecosystem’s Rough Week
Ctrl’s shutdown arrives days after EMURGO, a co-founding entity of Cardano, confirmed that its wallet SecondFi would not return to service even once security audits finish. Although we believe unaffected users remain safe, SecondFi will not resume normal operations, EMURGO CEO Phillip Pon wrote, adding that the company’s role is now limited to a dedicated asset-recovery team.
The SecondFi breach traces to a sophisticated automated attack discovered on June 22 that compromised 374 wallet addresses across four distinct draining events, three of them carried out by external threat actors. EMURGO put the loss at approximately 16 million ADA, worth roughly $2.4 million at the time. Emergency responders secured about 129 million ADA, routed to an independent third-party custodian pending an external accounting audit.
The root cause was a coding flaw, not a phishing attack. EMURGO said the affected signer used a deterministic nonce derivation flaw that leaked enough data with every signed transaction to mathematically reconstruct a wallet’s private key from public blockchain data alone.
EMURGO is now building a quarantined wallet-check site, a secure wallet-export tool, and an in-person migration workshop in Tokyo. Critically, the company warned that restoring an affected recovery phrase into another Cardano wallet does not remove the risk. The compromised keys stay exposed regardless of which app holds them, a caution worth heeding whenever a provider reports a key-level defect.
Two Wallets, Two Very Different User Outcomes
Both Ctrl and SecondFi are non-custodial wallets, meaning neither company ever controlled user funds. That structure is why Ctrl can walk away without a refund program: it has nothing of the user’s to return. The two firms’ wind-downs, arriving in the same week, land very differently for the people affected.
Ctrl’s users lose nothing to a defect. They have a deadline to migrate self-custodied assets a provider chose to stop supporting, and the company owes them nothing beyond the export tool it already built.
EMURGO also went further than Ctrl on accountability, saying it will be submitting formal incident reports to the relevant authorities and pursuing every available legal avenue to recover lost assets and hold responsible parties accountable. What recourse the 374 affected wallet holders actually have, and who counts as a “responsible party” in an architecture designed to keep the provider outside the custody chain, remains the open legal question EMURGO’s statement raises but does not answer.
Ctrl Wallet Shutdown Timeline
| Window | Milestone |
|---|---|
| Now through August 2 | Full functionality: send, receive, swap, dApp access, and recovery-phrase export all work normally |
| This week | Removed from App Store, Play Store, and browser extension stores; no longer available for new download |
| From August 3 onward | All features disabled except opening the app to export the recovery phrase |
A hard deadline plus mass forced migration is a predictable phishing setup, and both companies are already fighting it. Ctrl flagged fake migration airdrop and refund claim sites. SecondFi has spent weeks documenting fraudulent support emails and fake websites impersonating the company. Anyone migrating between wallets mid-deadline should verify instructions only through each provider’s official channel, never a link shared in a message.
CoinLaw’s Takeaway
Ctrl Wallet’s closure is a routine, if abrupt, product wind-down: a non-custodial provider owes users an export path, not a refund, and it delivered exactly that with a five-week runway. What makes the timing notable is the company it’s keeping.
In the same week, Cardano’s largest wallet provider confirmed its own software defect permanently compromised 374 user addresses, and responded with a voluntary recovery fund plus a pledge to pursue “every available legal avenue” against responsible parties. The gap is instructive for anyone still parsing what “not your keys, not your coins” actually promises.