- Roughly $16.69 billion has been lost to crypto hacks, with about 40% tied to stolen private keys rather than flaws in blockchains or smart contracts.
- Security experts say most losses stem from key-management and operational failures in systems, people and third-party tools, not from broken cryptography.
- The industry is turning to multi-party computation, account abstraction and stronger, built-in security practices to reduce reliance on single private keys and make attacks harder to execute.
Crypto projects losing millions due to exploits and hacks are becoming almost daily headlines. So much so that some of this news has almost become background noise.
While hacks are a big deal in the tech industry, the problem leading to these exploits in crypto isn't the technology itself; rather, it's the compromised "private key."
Blockchain projects have lost a total of $16.69 billion to hacks, DeFi exploits, and bridge attacks, according to data source DeFiLlama. About 40% of that amount is tied to someone obtaining a private key, rather than to a flaw in blockchain technology or a smart contract vulnerability.
In simple terms, private keys are like passwords. Think of online banking. The core infrastructure and systems that actually move and store users' money in traditional banks rarely get breached directly. But passwords get leaked or hacked, and malicious actors can gain access to millions of dollars online. In crypto, the blockchain and smart contract code are the equivalent of that core infrastructure, and they have generally been solid. What's been compromised, again and again, is the private key, the equivalent of a password.
"We are observing that operational security incidents are rising while smart contract exploits are declining, reflecting that attackers typically target the weakest points. As projects have focused their security investments on smart contracts, other critical areas have been left exposed," CertiK, one of the leading blockchain and Web3 security firms, told CoinDesk.
Crypto hacks: Total hacked by technique. (DeFiLlama)
How the hacks happen
Every crypto wallet has two key numbers. One is public, like a bank account number, which users share to receive money. The other is private, a string of characters like a user's bank password, that proves ownership of the funds in their wallet and lets them spend those funds.
But here is where it gets more complicated. If a user loses this private key, there is no bank-like option to reset it, no private banker to help access funds, and no fraud department to file a claim. Whoever holds that key holds the funds, regardless of the tech or code behind that protocol.
Private key hacks fall into two categories. The first is brute-force attacks, where attackers guess or brute-force their way to a user's private key. The second is the unknown method, in which the private key is leaked, but nobody is entirely sure how it happened.
These two methods account for roughly 40% of all crypto hack losses to date, underscoring that the majority of these exploits are not due to blockchain infrastructure but to vulnerabilities outside it.
Le Fan, founder and CEO of ZK Proof Layer Cysic, put it bluntly: "Private key hacks aren't a cryptography failure - they're a key-management failure the industry keeps mislabeling. The curve math is unbreakable."
Another problem with a private key is similar to the problem with a password. If a password is created and never used, and never written down anywhere, the chance of a hacker stealing it is virtually zero. But once used to log into devices or written down, the chances of those passwords being leaked or stolen increase.
The same logic applies to private keys. The moment they are used, stored, or shared, there is a risk they will be lost or stolen.
"The problem is an operational key has to be hot to be useful, so it lives inside a running service surrounded by secret stores, dependencies, and humans, and that's what gets breached," Fan said.
In other words, a private key that's actually used to sign blockchain transactions lives on a server, surrounded by cloud credentials, software dependencies, and the people who manage it all. This surrounding mess is where things often go wrong.
Wish Wu, co-founder and CEO of Pharos, traces the same problem back to how blockchain systems were designed in the first place.
"Most blockchain infrastructure was originally built for a single-user, single-key model, one private key controls everything, and if that key is lost or stolen, all the assets are gone instantly. This goes against the basic security principles that traditional finance has relied on for decades: more than one person approving, separation of duties, and several layers of defense," Wu told CoinDesk.
In a way, the system built to revolutionize global finance has weaker security than a typical email account.
Wu added that the number of routes through which an attack can be launched has increased significantly. "Cloud systems, third-party tools, social media accounts, and the people operating them, all of these can become a way in."
Both Wu and Fan pointed to the Bybit hack of February 2025 as an example of a widening attack surface. Attackers compromised the software supply chain of a third-party developer tool, allowing them to inject malicious code into the wallet's web interface and trick executives into unknowingly signing away $1.5 billion in Ethereum.
The fix
The industry is now moving to address the private key vulnerability issue, though not evenly, according to Wu.
"There's progress on many fronts: MPC [multi-party computation] wallets, account abstraction with social recovery, passkey-based login, hardware wallet enforcement, and proper key management SOPs," he said. "The problem is that these are often added as optional extras, instead of being built in from the start at the protocol level. Most chains still treat security as a feature to bolt on, not as a core design principle."
That matches what Cysic's Fan described in his response as the fix gaining traction: stop relying on a single key at all.
Multi-party computation (MPC) and threshold signing split the signing process so the full key never exists in a single place at any given time, and there's nothing for an attacker to steal in a single breach.
Account abstraction, a technology that allows users to utilize smart contracts as their accounts and set their own rules, adds another layer on top: spending limits, approved address lists, and backup guardians built into the wallet itself, so even a compromised signer can't empty the account on their own.
"The way forward is for the industry to treat security as a continuous, day-to-day discipline, not a one-time audit," Wu said.
"That means building security into the whole lifecycle, development, deployment, and operations. It means accepting that the human layer, security culture, awareness, and training, is often the first and weakest line of defense," Wu added.