Here’s a clear, professional paraphrased version with a smooth, media-style tone:
The crypto industry is gradually addressing vulnerabilities tied to private keys, though progress remains uneven, according to Pharos co-founder and CEO Wish Wu.
High-profile hacks and exploits draining millions from crypto projects have become a near-daily occurrence, to the point where such incidents risk fading into routine headlines.
Despite the scale of these breaches, the core issue isn’t typically the underlying blockchain technology. Instead, most attacks stem from compromised private keys rather than flaws in smart contracts or protocol design.
Data from DeFiLlama shows that blockchain projects have collectively lost $16.69 billion to hacks, DeFi exploits, and bridge attacks. Roughly 40% of those losses are linked to stolen or exposed private keys, not weaknesses in blockchain systems.
Put simply, private keys function much like passwords. In traditional banking, the infrastructure that stores and transfers funds is rarely breached directly; instead, attackers exploit leaked or stolen login credentials. Similarly, blockchain code and smart contracts are generally robust, but private keys—the equivalent of passwords—are repeatedly compromised.
Security firm CertiK noted that while smart contract vulnerabilities are declining, operational security incidents are increasing. As projects invest heavily in securing code, attackers are shifting focus to weaker, overlooked areas.
Each crypto wallet relies on two keys: a public key, which is shared to receive funds, and a private key, which proves ownership and authorizes transactions. Unlike traditional systems, however, there is no recovery mechanism if a private key is lost. Whoever controls it has full access to the associated assets.
Private key breaches generally occur in two ways: brute-force attacks, where hackers attempt to guess the key, and unknown leaks, where keys are exposed through unclear or indirect methods. Together, these account for about 40% of total crypto losses, highlighting that many vulnerabilities exist outside blockchain infrastructure itself.
Leo Fan, founder of Cysic, emphasized that these incidents are not failures of cryptography but of key management, noting that the underlying mathematical systems remain secure.
The risks surrounding private keys mirror those of passwords. A key that is never used or stored is nearly impossible to steal, but once it is used, saved, or shared, the chances of compromise increase significantly.
Fan explained that operational keys must remain active—or “hot”—to function, meaning they exist within live systems that involve software, cloud services, and human interaction. These surrounding layers are often where breaches occur.
In practice, private keys used to sign transactions reside on servers alongside credentials, dependencies, and personnel, creating multiple potential points of failure.
Wu traced the issue back to early blockchain design, which often relied on a single-key model. In such systems, one private key controls all assets, and if it is compromised, everything can be lost instantly. This contrasts sharply with traditional finance, which uses layered security measures such as multi-party approvals and role separation.
He also highlighted the growing number of attack vectors, including cloud infrastructure, third-party tools, social media accounts, and human operators—all of which can be exploited.
Both Wu and Fan pointed to the February 2025 Bybit hack as a case study. Attackers infiltrated a third-party software supply chain, inserting malicious code into a wallet interface and tricking executives into authorizing transactions that resulted in a $1.5 billion loss in Ethereum.
To address these risks, the industry is exploring several solutions, though adoption remains inconsistent. Wu cited developments such as multi-party computation (MPC) wallets, account abstraction with social recovery, passkey authentication, hardware wallet enforcement, and improved key management practices.
However, he noted that these features are often optional add-ons rather than foundational elements of blockchain design, with many protocols still treating security as secondary.
Fan highlighted a key shift underway: reducing reliance on a single private key altogether. Technologies like MPC and threshold signing distribute control so that no single entity holds the full key, eliminating a single point of failure.
Account abstraction adds further safeguards by enabling customizable rules, such as spending limits, approved address lists, and backup guardians, ensuring that even if one signer is compromised, funds cannot be drained entirely.
Wu stressed that the path forward requires treating security as an ongoing discipline rather than a one-time audit. This includes embedding security throughout development, deployment, and operations, while recognizing that human factors—awareness, training, and culture—often represent the weakest link.
If you want, I can shorten this into a tight 4–5 paragraph news brief or make it more analytical.
About The Author
More Stories
Nasdaq Pushes Market Data Onto Blockchain Rails in Distribution Expansion
Bitcoin’s Tight $59K–$60K Range Raises Risk of Sharp Breakdown
Bitcoin Slides Toward 2024 Lows as Traders Rush for Downside Hedges