Biphoo News

collapse
Home / Daily News Analysis / Private keys, not smart contracts, caused 40% of crypto's $16 billion hack losses. Here's whats being done.

Private keys, not smart contracts, caused 40% of crypto's $16 billion hack losses. Here's whats being done.

Jul 02, 2026  Twila Rosenbaum  25 views
Private keys, not smart contracts, caused 40% of crypto's $16 billion hack losses. Here's whats being done.

The cryptocurrency industry has long grappled with the perception that its decentralized architecture is a security liability. Yet the data tells a more nuanced story: the vast majority of losses do not stem from broken cryptography or smart contract bugs, but from a far more mundane vulnerability—the theft of private keys. According to recent industry analyses, roughly $16.69 billion has been lost to crypto-related hacks, with approximately 40% directly attributable to compromised private keys. This statistic challenges the common narrative that blockchain technology itself is the weakest link and instead points the finger at human and operational factors.

Private keys are the digital credentials that grant ownership and control over crypto assets. They function much like a password, but with a critical distinction: there is no recovery mechanism if a key is lost or stolen. Unlike traditional finance, where a bank can reverse fraud or freeze an account, blockchain transactions are immutable and irreversible once confirmed. This makes private key security paramount. Yet despite the existence of robust cryptographic algorithms, the practical management of keys remains fraught with risk. Wallets, exchanges, custodial services, and individual users all store private keys in various forms—on hardware devices, in software applications, or even on paper—and each storage method introduces its own vulnerabilities.

The scale of the problem

The $16.69 billion figure represents cumulative losses from hacks, exploits, and thefts across the crypto ecosystem. While smart contract vulnerabilities have accounted for a significant share, the data from multiple security firms and blockchain analytics providers indicates that private key theft is the single largest category. Notable incidents include the 2022 Ronin bridge hack, where attackers stole over $600 million by compromising the private keys of validators, and the 2023 Multichain exploit that saw nearly $130 million drained after a key management failure. Even high-profile exchange hacks, such as the 2014 Mt. Gox collapse and the 2023 Poloniex attack, ultimately traced back to compromised or poorly secured keys.

Security experts like Wish Wu, co-founder and CEO of Pharos, emphasize that the problem is not technological but operational. 'The industry is moving toward fixing the private key vulnerability issue, just not evenly,' Wu said in a recent interview. He noted that while some organizations have implemented sophisticated key management solutions, many others still rely on outdated practices such as storing private keys in plain text files, using weak passwords to protect encrypted wallets, or failing to rotate keys regularly. Supply chain attacks, where third-party tools are infected with malware, also contribute to key leakage.

Root causes: human error and systemic flaws

At the core of private key vulnerabilities lies a combination of human error, inadequate training, and fragmented security standards. Many users misunderstand the concept of self-custody and mistakenly believe that storing keys on a device or in a cloud service is sufficient. In enterprise settings, the challenge escalates: employees with access to private keys may be targeted by phishing attacks, social engineering, or insider threats. The lack of robust access controls, such as multi-signature or multi-party computation (MPC), further exacerbates the risk.

Another root cause is the immaturity of key management infrastructure in the crypto space. Unlike traditional finance, which has decades of experience developing secure key storage standards like Hardware Security Modules (HSMs) and role-based access, the crypto industry is still evolving. Many projects prioritize speed and convenience over security, leading to shortcuts like embedding private keys in code or using single points of failure. The infamous 2023 LastPass breach, for instance, resulted in the loss of millions of dollars from crypto wallets whose seed phrases were stored in the compromised password manager.

Industry responses: multi-party computation and account abstraction

In response to these persistent vulnerabilities, the crypto industry is increasingly turning to advanced cryptographic techniques that reduce the reliance on a single private key. Multi-party computation (MPC) is one of the most promising solutions. MPC allows a group of parties to collectively compute a function without revealing their individual private inputs. Applied to key management, MPC enables a single private key to be split into multiple shards distributed among different devices or parties. Transactions can only be signed if a threshold number of shards are combined, making it exponentially harder for an attacker to compromise the entire key. Companies like Fireblocks, ZenGo, and Qredo have commercialized MPC-based wallets for institutional and retail use.

Account abstraction is another emerging paradigm, particularly on Ethereum and other smart contract platforms. With account abstraction, the user's account is represented by a smart contract that can enforce arbitrary authorization logic. This means private keys can be replaced with more flexible security models, such as social recovery (where trusted friends can help regain access), time-locks, or integration with hardware security keys. Protocols like ERC-4337 have made account abstraction a reality on Ethereum, and major wallets like Argent and Safe have adopted it. However, adoption remains uneven. While MPC and account abstraction offer significant improvements, they also introduce new complexity. MPC requires careful coordination between shard holders, and account abstraction demands more gas and user education.

Beyond these technical solutions, the industry is also focusing on operational improvements. Regular security audits, penetration testing, and employee training are becoming standard for reputable projects. Some jurisdictions are moving to impose regulatory requirements for private key management, especially for custodial exchanges and custodians. For example, the European Union's MiCA regulation includes provisions for safeguarding customer assets, which indirectly pressures firms to adopt secure key storage practices. Meanwhile, the crypto community is developing best practices guides and standards organizations, such as the CryptoCurrency Security Standard (CCSS) and the Blockchain Security Standards Council.

Challenges and uneven adoption

Despite these advancements, the problem persists because adoption is uneven. Small and medium-sized projects, as well as individual users, often lack the resources or expertise to implement state-of-the-art solutions. Hardware wallets, while effective, require users to manage seed phrases correctly, and many still fall victim to phishing scams. Corporate treasuries that hold large amounts of crypto sometimes delegate key management to third-party custodians, but recent incidents like the BitGo and Gemini Earn failures illustrate that custodians themselves can be compromised.

Another challenge is the tension between security and usability. Stronger key management often introduces friction—multi-sig transactions take longer, MPC requires multiple approvals, and account abstraction can be confusing for non-technical users. This friction can lead to user resistance, especially in fast-moving markets where speed is crucial. Some projects have attempted to balance ease of use with security by offering tiered security options, but this creates complexity for both developers and end users.

Wish Wu of Pharos emphasized that the industry must move collectively. 'No single solution will eliminate private key theft entirely, but by combining MPC, account abstraction, and better operational discipline, we can raise the bar significantly,' he said. He also noted that the incentive structure in crypto often favors speed and marketing over security, especially during bull markets when users are eager to move funds quickly. However, as institutional adoption grows and regulators scrutinize the space more closely, the pressure to improve key management practices will likely intensify.

Large-scale hacks continue to occur, demonstrating that vulnerabilities remain. In the first half of 2026 alone, several notable incidents have been attributed to private key theft, including a $170 million exploit at a major lending protocol and a $45 million drain from a decentralized exchange's treasury wallet. These events serve as stark reminders that no amount of smart contract auditing can compensate for weak key management. The industry is slowly learning that security must be built from the ground up, starting with how keys are generated, stored, and used.

The path forward is clear but demanding. As blockchain technology matures, the tools for secure key management are becoming more accessible. However, the human element remains the greatest variable. Education, standardization, and a cultural shift toward prioritizing security over convenience will be essential to reducing the $16 billion and counting in losses. The crypto industry is at a crossroads: it can either continue to repeat the same mistakes or embrace the lessons of past hacks to build a more resilient foundation.


Source: Coindesk News


Share:

Your experience on this site will be improved by allowing cookies Cookie Policy