CertiK reports operational security incidents are rising as attackers target key management. MPC wallets and account abstraction aim to reduce single-key risk, but adoption remains uneven.
Private-key compromises, not smart-contract exploits, account for roughly 40% of the $16.69 billion lost to crypto hacks since tracking began, according to data from DeFiLlama and security firms.
Blockchain projects lost that total to hacks, DeFi exploits, and bridge attacks. About $6.7 billion of it stems from someone obtaining a private key rather than from a flaw in blockchain code.
CertiK, a leading blockchain security firm, told CoinDesk it is observing operational security incidents rising while smart contract exploits decline. "As projects have focused their security investments on smart contracts, other critical areas have been left exposed," the firm said.
Every crypto wallet uses two keys: a public key for receiving funds and a private key for spending them. Lose the private key, and there is no bank to call. Whoever holds the key controls the funds.
The problem, Fan said, is that an operational key has to be hot to be useful: it lives inside a running service surrounded by secret stores, dependencies, and humans. That surrounding mess is what gets breached.
Wish Wu, co-founder and CEO of Pharos, traces the same issue back to design.
The February 2025 Bybit hack crystallized the expanding attack surface. Attackers compromised the software supply chain of a third-party developer tool, injected malicious code into the wallet's web interface, and tricked executives into signing away $1.5 billion in Ethereum.
Private key hacks fall into two categories: brute-force attacks and unknown methods where the key is leaked without explanation. These two buckets account for roughly 40% of all crypto hack losses to date, CertiK said. The majority of exploits are not due to blockchain infrastructure but to vulnerabilities outside it.
Both Wu and Fan pointed to the rising number of entry routes. "Cloud systems, third-party tools, social media accounts, and the people operating them – all of these can become a way in," Wu said.
The industry is moving to address the vulnerability, though not evenly, according to Wu. Multi-party computation (MPC) and threshold signing split the signing process so the full key never exists in a single place at any given time. Account abstraction adds spending limits, approved address lists, and backup guardians built into the wallet itself. Passkey-based login and hardware wallet enforcement are also gaining ground.
"There's progress on many fronts," Wu said. "The problem is that these are often added as optional extras, instead of being built in from the start at the protocol level. Most chains still treat security as a feature to bolt on, not as a core design principle."
Wu said the way forward is for the industry to treat security as a continuous discipline, not a one-time audit. "That means building security into the whole lifecycle – development, deployment, and operations. It means accepting that the human layer, security culture, awareness, and training, is often the first and weakest line of defense."
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.