40% of $16 Billion in Crypto Hacks Linked to Private Key Vulnerabilities, Not Smart Contracts: Here’s the Industry’s Response

Private keys, rather than smart contracts, are responsible for 40% of the $16 billion lost to crypto hacks. The industry is actively working to address the vulnerabilities associated with private keys, although progress is uneven, according to Wish Wu, co-founder and CEO of Pharos. Approximately $16.69 billion has been lost to crypto hacks, with 40% attributed to stolen private keys instead of flaws in blockchain technology or smart contracts. Security experts highlight that most losses arise from failures in key management, operational processes, and reliance on third-party tools, rather than issues with cryptography itself. To mitigate the risks associated with single private keys and make attacks more difficult, the industry is exploring solutions such as multi-party computation, account abstraction, and enhanced security practices.

Daily headlines of crypto projects losing millions due to hacks have become almost commonplace, with many dismissing such news as background noise. While hacks pose significant risks in the tech landscape, the underlying problem leading to these exploits is not the technology itself but rather the compromised private key.

According to data from DeFiLlama, blockchain projects have suffered a total of $16.69 billion in losses due to hacks, DeFi exploits, and bridge attacks, with around 40% of that amount linked to the acquisition of private keys rather than vulnerabilities in blockchain technology or smart contracts.

Essentially, private keys function like passwords. In traditional banking, the core infrastructure and systems that manage users’ funds rarely experience direct breaches; instead, it’s the passwords that are often leaked or hacked, allowing malicious actors to access vast sums of money online. This scenario mirrors that of blockchain and smart contract code, which has generally proven robust. The repeated compromise lies with the private key, akin to a password.

CertiK, a prominent blockchain and Web3 security firm, remarked to Decryptnews that operational security incidents are increasing while smart contract exploits are decreasing, indicating that attackers tend to target the most vulnerable areas. As projects have concentrated their security investments on smart contracts, other essential aspects have remained vulnerable.

How the hacks unfold

Every crypto wallet contains two key identifiers. One is public, similar to a bank account number, which users share to receive funds. The other is private, a series of characters akin to a bank password, which verifies ownership of the funds in their wallet and enables spending.

However, complications arise when a user loses their private key, as there is no bank-like option for resetting it, no personal banker to assist in accessing funds, and no fraud department to report the loss. The individual who possesses that key controls the funds, irrespective of the technology or code underpinning that protocol.

Private key hacks fall into two main categories: brute-force attacks, where attackers guess or forcibly derive a user’s private key, and unknown methods, where the private key is leaked, but the exact mechanism remains unclear. These two methods account for approximately 40% of all crypto hack losses to date, emphasizing that the majority of these exploits stem from vulnerabilities external to the blockchain infrastructure.

Le Fan, founder and CEO of ZK Proof Layer Cysic, bluntly stated, «Private key hacks aren’t a cryptography failure — they’re a key-management failure that the industry continues to mislabel. The underlying mathematics is unbreakable.»

Another challenge with private keys resembles the issues faced with passwords. If a password is created but never utilized or recorded, the likelihood of a hacker stealing it is nearly non-existent. However, once it is used to log into devices or documented, the risk of those passwords being leaked or stolen rises significantly.

The same principle applies to private keys. The moment they are utilized, stored, or shared, the risk of loss or theft escalates. «The challenge lies in that an operational key must be active to be useful, so it exists within a running service surrounded by secret stores, dependencies, and humans, and that is what gets compromised,» Fan explained.

In essence, a private key that is actively used to sign blockchain transactions resides on a server, encircled by cloud credentials, software dependencies, and the personnel managing it all. This surrounding complexity is where many issues arise.

Wish Wu, co-founder and CEO of Pharos, traces the root of the problem back to the initial design of blockchain systems. «Most blockchain infrastructure was initially designed for a single-user, single-key model, where one private key controls everything, and if that key is lost or stolen, all assets are instantly gone. This contradicts fundamental security principles that traditional finance has relied on for decades: multiple approvers, separation of duties, and several layers of defense,» Wu told Decryptnews.

In a sense, the system intended to revolutionize global finance possesses weaker security than a typical email account. Wu noted that the number of potential attack vectors has significantly increased. «Cloud systems, third-party tools, social media accounts, and the individuals managing them can all serve as entry points for attacks.»

Both Wu and Fan highlighted the Bybit hack from February 2025 as an example of an expanding attack surface. Attackers compromised the software supply chain of a third-party developer tool, enabling them to inject malicious code into the wallet’s web interface and deceive executives into unknowingly authorizing the transfer of $1.5 billion in Ethereum.

The industry is currently taking steps to address the vulnerability of private keys, albeit with uneven progress, according to Wu. «There are advancements in various areas: MPC [multi-party computation] wallets, account abstraction with social recovery, passkey-based logins, hardware wallet enforcement, and effective key management standard operating procedures,» he stated. «The issue is that these measures are often implemented as optional additions rather than being integrated from the outset at the protocol level. Most chains still regard security as a feature to be tacked on, rather than a core design principle.»

This aligns with Cysic’s Fan’s description of the solution gaining momentum: eliminating reliance on a single key altogether. Multi-party computation (MPC) and threshold signing divide the signing process so that the complete key never exists in a single location at any time, leaving nothing for an attacker to seize in a single breach.

Account abstraction, a technology enabling users to utilize smart contracts as their accounts while establishing their own rules, adds another layer: spending limits, approved address lists, and backup guardians embedded within the wallet itself, ensuring that even a compromised signer cannot deplete the account independently.

«The path forward requires the industry to view security as a continuous, everyday practice, not a one-time audit,» Wu emphasized. «This means incorporating security into the entire lifecycle: development, deployment, and operations. It also necessitates recognizing that the human aspect, including security culture, awareness, and training, is often the first and most vulnerable line of defense,» Wu added.
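To make concrete what "the complete key never exists in a single location" means for threshold signing, the following is an added example written for this page; it is not code from the article, from Pharos, or from Cysic. It implements a minimal n-of-n Schnorr signing group over secp256k1 (the curve used by Bitcoin and Ethereum) in pure Python: each signer holds only an additive share x_i of the signing key, the joint public key is Y = (x_1 + x_2 + x_3) * G, and the coordinator only ever sees public commitments and partial signatures, never a share. The affine curve arithmetic, the single-round nonce commitment, and the sample message are assumptions made for readability; production protocols such as MuSig2 or FROST add nonce-commitment rounds, distributed key generation, and constant-time arithmetic.

```python
"""Illustrative n-of-n threshold Schnorr signing over secp256k1.

Added example, not the article's code. Three signers each hold an additive
share of a key that is never assembled anywhere; their partial signatures
combine into one ordinary Schnorr signature for the joint public key.
Simplifications: affine Python arithmetic, one-round nonce commitments.
"""
import hashlib
import secrets

# secp256k1 domain parameters.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0, "generator is not on the curve"


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def aggregate_points(points):
    acc = None
    for pt in points:
        acc = ec_add(acc, pt)
    return acc


class Signer:
    """One party in the signing group; it only ever holds its own share."""

    def __init__(self):
        self.x = secrets.randbelow(N - 1) + 1  # additive key share x_i
        self._k = None                          # per-signature nonce share

    def pub_share(self):
        return ec_mul(self.x, G)

    def commit(self):
        # Fresh nonce for every signature; reuse would leak the share.
        self._k = secrets.randbelow(N - 1) + 1
        return ec_mul(self._k, G)

    def partial_sign(self, c):
        s_i = (self._k + c * self.x) % N
        self._k = None
        return s_i


def challenge(R, Y, msg):
    """Fiat-Shamir challenge c = H(R || Y || m) reduced modulo the group order."""
    data = b"".join(v.to_bytes(32, "big") for v in (*R, *Y)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def threshold_sign(signers, Y, msg):
    """Coordinator role: sees commitments and partials, never a key share."""
    R = aggregate_points([s.commit() for s in signers])
    c = challenge(R, Y, msg)
    s = sum(sg.partial_sign(c) for sg in signers) % N
    return R, s


def verify(Y, msg, sig):
    """Standard Schnorr check: s*G == R + c*Y."""
    R, s = sig
    c = challenge(R, Y, msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(c, Y))


if __name__ == "__main__":
    group = [Signer() for _ in range(3)]
    Y = aggregate_points([s.pub_share() for s in group])
    msg = b"constructed sample: transfer request #1"  # constructed input
    print("full group:", verify(Y, msg, threshold_sign(group, Y, msg)))
    print("two signers only:", verify(Y, msg, threshold_sign(group[:2], Y, msg)))
```

The verifier sees an ordinary Schnorr signature and cannot tell that several parties produced it. Stealing one signer's share, or even two of the three, yields partial signatures that fail verification, which is the property the article describes: a breach of one server or one person no longer hands over the whole key.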

Crypto hacks: Total hacked by technique. (DeFiLlama)