$16B in Crypto Hacks: Industry Shifts Focus to Private Key Protection
The crypto industry is beginning to address vulnerabilities tied to private keys, though progress is uneven, according to Pharos co-founder and CEO Wish Wu.
Despite frequent multimillion-dollar hacks, the issue is rarely the blockchain itself. Instead, compromised private keys account for a significant share of breaches.
Data from DeFiLlama shows the sector has lost $16.69 billion to hacks, DeFi exploits, and bridge attacks, with roughly 40% linked to private key exposure rather than smart contract flaws.
Private keys operate like passwords. While blockchain infrastructure has largely proven resilient, attackers continue to exploit weak key management to access funds.
According to CertiK, smart contract exploits are declining, but operational security incidents are rising as attackers shift to easier targets.
Crypto wallets use a public key to receive funds and a private key to authorize transactions. Unlike traditional systems, there is no recovery option—control of the key means full control of the assets.
Most private key breaches stem from brute-force attempts or unexplained leaks, together making up a substantial portion of total losses.
Cysic CEO Leo Fan said these incidents reflect failures in key management rather than cryptography, which remains fundamentally secure.
The risk increases once keys are actively used or stored. Because they must remain “hot” to function, they exist within live systems exposed to cloud infrastructure, software dependencies, and human interaction—common points of failure.
Wu noted that early blockchain systems relied on a single-key model, where one compromised key can result in total loss. This contrasts with traditional finance, which uses layered approvals and shared control.
He also pointed to a growing attack surface, including cloud systems, third-party tools, social media, and human operators.
The February 2025 Bybit hack highlighted these risks. Attackers compromised a third-party software supply chain, injected malicious code, and tricked executives into approving transactions that led to a $1.5 billion Ethereum loss.
To mitigate these risks, the industry is adopting solutions such as multi-party computation (MPC), account abstraction, passkeys, hardware wallets, and improved operational practices. However, these safeguards are often added as optional features rather than built into protocols.
Fan pointed to a shift toward distributed key control, with MPC and threshold signing reducing reliance on a single key.
Account abstraction adds further protections, including spending limits and recovery mechanisms, helping prevent total loss even if one signer is compromised.
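Added illustration, not code from the article or from either company quoted: a Shamir-style t-of-n split of a secp256k1-sized private key, showing the property threshold schemes rely on, namely that enough shares recover the key while a single compromised share is consistent with every possible key. Production MPC and threshold signing go further and sign without ever reconstructing the key; the recovery step below exists only to show where the threshold boundary lies. Assumed value: the field prime N is the secp256k1 group order, so any valid secp256k1 private key is a field element.

```python
import secrets

# Assumption: field prime N is the secp256k1 group order, so every valid
# secp256k1 private key (1 <= k < N) is a field element of GF(N).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x over GF(N), Horner form."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc


def split_key(key, threshold, n_shares):
    """Shamir t-of-n split: the key is the constant term of a random polynomial
    of degree t-1 and share i is the point (i, f(i)); any t points fix f(0)."""
    if not (1 <= threshold <= n_shares) or not (0 < key < N):
        raise ValueError("bad parameters")
    coeffs = [key] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_key(shares):
    """Lagrange interpolation at x=0 over GF(N). Correct only with >= t shares."""
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def slope_explaining(share, candidate_key):
    """For a 2-of-n split, return the slope a1 that makes `share` consistent with
    `candidate_key`. Every candidate is equally plausible, so one stolen share
    carries no information about the real key (unlike a single-key wallet)."""
    x, y = share
    return (y - candidate_key) * pow(x, -1, N) % N


if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1
    shares = split_key(key, threshold=2, n_shares=3)
    assert recover_key(shares[1:]) == key  # any 2 of 3 shares suffice
    other = secrets.randbelow(N - 1) + 1   # an arbitrary wrong guess
    a1 = slope_explaining(shares[0], other)
    assert _poly_eval([other, a1], shares[0][0]) == shares[0][1]
```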
Wu emphasized that security must be treated as an ongoing process across development and operations, noting that human factors—awareness, training, and culture—remain one of the weakest links.