Efforts are underway to address the vulnerability of private keys, though progress varies, according to Wish Wu, CEO of Pharos.
By Omkar Godbole | Edited by Jamie Crawley
Jun 29, 2026, 3:45 p.m. | 5 min read
Summary
- Crypto hacks have resulted in losses totaling approximately $16.69 billion, with around 40% attributed to compromised private keys rather than issues with blockchain or smart contracts.
- Experts highlight that most losses stem from failures in key management and operational security, not from the technology itself.
- The industry is moving towards solutions like multi-party computation and improved security practices to mitigate the risks associated with single private keys.
Reports of significant losses from crypto hacks have become so commonplace that the scale of any single incident is often overshadowed by how frequently they occur.
While hacking is a serious risk across the technology sector, the root cause of these breaches in crypto is usually not the technology itself but an exposed "private key."
According to data from DeFiLlama, the total losses from hacks, exploits in DeFi, and bridge attacks in the crypto space have reached $16.69 billion, with 40% of this amount linked to the theft of private keys rather than vulnerabilities in blockchain technology or smart contracts.
Private keys function similarly to passwords. In traditional banking, the systems that manage and store funds are rarely compromised directly; instead, it is the passwords that are leaked, allowing unauthorized access to significant amounts of money. This parallels how blockchain technology and smart contracts have remained largely secure, while private keys continue to be the points of failure.
CertiK, a leading firm in blockchain security, noted, "Operational security incidents are increasing, while smart contract exploits are declining, indicating that hackers usually target the most vulnerable points. As projects concentrate their security resources on smart contracts, other essential areas remain unprotected."
[Chart: Crypto hacks, total hacked by technique. Source: DeFiLlama]
Mechanisms of the Hacks
Each crypto wallet consists of two key identifiers: one public, akin to a bank account number, shared for receiving funds, and the other private, resembling a password that verifies ownership and allows spending.
However, complications arise when a user loses their private key, as there is no equivalent of a banking reset option, no private banker to assist in fund recovery, and no fraud department to investigate claims. The individual who possesses the private key controls the funds, independent of the underlying technology.
Hacks targeting private keys generally fall into two categories: brute-force attacks, where hackers attempt to guess the private key, and unknown methods, where the private key is exposed without clarity on how it occurred.
These two methods represent about 40% of all crypto hack losses, emphasizing that many breaches are due to factors external to blockchain technology.
Le Fan, the CEO of ZK Proof Layer Cysic, remarked, "Private key hacks are not a failure of cryptography—they stem from inadequate key management, a mislabeling issue in the industry. The underlying mathematics is unbreakable."
Moreover, the risks associated with private keys resemble those of passwords. If a password is created and remains unused or unwritten, the likelihood of theft is minimal. However, once a password is entered or recorded, the risk of it being compromised increases significantly.
This principle also applies to private keys. Once they are utilized, stored, or shared, the potential for loss or theft escalates.
Fan explained, "The challenge lies in that an operational key must be active to be useful, residing within a live service surrounded by secret stores, dependencies, and human factors, which are often the points of breach."
In essence, a private key used for signing transactions is stored on a server alongside cloud credentials, software dependencies, and the personnel managing these elements. This complex environment is where vulnerabilities frequently arise.
Wu, co-founder and CEO of Pharos, attributes this issue to the initial design of blockchain systems.
"Most blockchain infrastructures were initially created for a single-user, single-key approach, where one private key controls all assets. If that key is lost or stolen, all assets are instantly at risk. This runs counter to the security principles established in traditional finance, which emphasize multiple approvals, separation of duties, and several layers of defense," Wu explained.
In some respects, the very system designed to innovate global finance possesses weaker security than a standard email account.
Wu also noted that the avenues for potential attacks have expanded significantly. "Cloud systems, third-party tools, social media accounts, and the personnel operating them can all serve as entry points for attackers."
Both Wu and Fan pointed to the Bybit hack of February 2025 as a case illustrating the increasing complexity of attack surfaces. Hackers exploited vulnerabilities in the software supply chain of a third-party developer tool, allowing them to insert malicious code into the wallet's web interface and deceive executives into inadvertently authorizing the transfer of $1.5 billion in Ethereum.
Proposed Solutions
The industry is progressing towards addressing the vulnerabilities associated with private keys, but this progress is not uniform, as noted by Wu.
"There are advancements in various areas: MPC [multi-party computation] wallets, account abstraction with social recovery, passkey-based logins, hardware wallet enforcement, and robust key management SOPs," he stated. "The challenge is that these are frequently added as optional features rather than being integrated from the onset at the protocol level. Most chains still view security as an add-on rather than a foundational design element."
This aligns with Fan's perspective on the necessary fix: eliminating reliance on a single key altogether.
Multi-party computation (MPC) and threshold signing divide the signing process, ensuring that the complete key is never stored in one location at any time, leaving no single target for attackers.
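As an added illustration (not code from the article or from any of the firms quoted), the Python below splits a key into shares so that a threshold of holders can recover it while any single share is useless on its own. It assumes Shamir secret sharing over the Curve25519 field prime, and it reassembles the key only to make the point visible, which a real MPC or threshold-signing deployment would never do.

```python
import secrets
from itertools import combinations

# Field prime: 2^255 - 19 (the Curve25519 field prime), used here only as a
# convenient key-sized prime. Illustrative sharing only: real MPC/threshold
# schemes sign with the shares and never reassemble the key the way
# reconstruct() does.
P = 2**255 - 19


def split_key(secret: int, threshold: int, holders: int) -> list[tuple[int, int]]:
    """Shamir sharing: the secret is the constant term of a random polynomial of
    degree threshold-1; each holder receives one point on that polynomial."""
    assert 1 < threshold <= holders and 0 <= secret < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, holders + 1)]


def reconstruct(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo(threshold: int = 2, holders: int = 3) -> dict[str, bool]:
    """Split a fresh random key and compare what a quorum and a lone holder recover."""
    key = secrets.randbelow(P)
    shares = split_key(key, threshold, holders)
    quorum_recovers = all(reconstruct(list(s)) == key
                          for s in combinations(shares, threshold))
    # A lone compromised holder interpolates only their own point, not the key.
    single_share_recovers = any(reconstruct([s]) == key for s in shares)
    return {"quorum_recovers": quorum_recovers,
            "single_share_recovers": single_share_recovers}
```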
Account abstraction allows users to treat smart contracts as their accounts and implement their own rules, incorporating features like spending limits, approved address lists, and backup guardians within the wallet, so even if a signer is compromised, they cannot deplete the account independently.
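As an added example (not the article's code, nor any real wallet's contract), the Python below simulates the rules that paragraph lists, a daily spending limit, an allowlist of destinations and a guardian quorum, and replays what a stolen operational key can and cannot do under them. Names and amounts are constructed, and the on-chain enforcement is modeled as plain policy checks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    to: str
    amount: int                                   # smallest token units
    signer: str                                   # operational key that signed
    guardian_approvals: frozenset = frozenset()   # guardians that co-signed

@dataclass
class AccountPolicy:
    signers: frozenset     # keys allowed to initiate transfers
    guardians: frozenset   # backup guardians who can approve exceptions
    allowlist: frozenset   # destinations needing no extra approval
    daily_limit: int       # spend per day allowed on the signer's own authority
    guardian_quorum: int   # guardians needed to override a rule
    spent_today: int = 0

    def check(self, tx: Transfer) -> tuple[bool, str]:
        if tx.signer not in self.signers or tx.amount <= 0:
            return False, "unknown signer or invalid amount"
        # Separation of duties: the initiating signer never counts as a guardian.
        approvals = (tx.guardian_approvals & self.guardians) - {tx.signer}
        override = len(approvals) >= self.guardian_quorum
        if tx.to not in self.allowlist and not override:
            return False, "destination not allowlisted; guardian quorum not met"
        if self.spent_today + tx.amount > self.daily_limit and not override:
            return False, "daily limit exceeded; guardian quorum not met"
        return True, "approved"

    def execute(self, tx: Transfer) -> tuple[bool, str]:
        ok, reason = self.check(tx)
        if ok:
            self.spent_today += tx.amount
        return ok, reason

def compromised_signer_scenario() -> list[tuple[bool, str]]:
    # Constructed sample names and amounts; replays what a stolen "ops-key" can do.
    policy = AccountPolicy(signers=frozenset({"ops-key"}),
                           guardians=frozenset({"guardian-a", "guardian-b", "guardian-c"}),
                           allowlist=frozenset({"treasury"}),
                           daily_limit=1_000, guardian_quorum=2)
    return [
        policy.execute(Transfer("unknown-addr", 5_000, "ops-key")),   # drain attempt: blocked
        policy.execute(Transfer("treasury", 900, "ops-key")),         # routine, allowlisted: allowed
        policy.execute(Transfer("treasury", 200, "ops-key")),         # exceeds daily limit: blocked
        policy.execute(Transfer("new-vendor", 5_000, "ops-key",       # two guardians co-sign: allowed
                                frozenset({"guardian-a", "guardian-b"}))),
    ]
```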
"The path forward requires the industry to adopt a continuous, daily approach to security, rather than treating it as a one-time audit," Wu emphasized.
"This involves embedding security throughout the entire lifecycle—development, deployment, and operations. It necessitates recognizing that the human element, including security culture, awareness, and training, often represents the first and most vulnerable line of defense," Wu added.
