Roughly $16.69 billion in crypto losses trace back to hacks, and 40% of that—about $6.7 billion—comes from stolen private keys, not broken smart contracts or blockchain bugs.
That figure comes from DeFiLlama data, corroborated by CertiK and two security firms I trust: Pharos and Cysic. The narrative that crypto hacks are mostly code exploits is a convenient lie the industry tells itself. The real vulnerability is operational: people, servers, and third-party tools that handle private keys when they actually get used.
Key management is the real attack surface, not the cryptography
Le Fan, CEO of ZK Proof Layer Cysic, put it bluntly: “Private key hacks aren’t a cryptography failure — they’re a key-management failure the industry keeps mislabeling. The curve math is unbreakable.”
Think about it: a private key that never touches a device or a server is statistically safe. But the moment you use it to sign a transaction, it lives inside a running service surrounded by cloud credentials, software dependencies, and humans. CertiK told CoinDesk that “operational security incidents are rising while smart contract exploits are declining, reflecting that attackers typically target the weakest points.”
Wish Wu, co-founder of Pharos, traces the design flaw back to blockchain architecture: “Most blockchain infrastructure was originally built for a single-user, single-key model — one private key controls everything, and if that key is lost or stolen, all the assets are gone instantly.” That’s weaker security than a traditional bank account that requires multi-signature approval and separation of duties.
The Bybit hack as a case study in supply-chain failure
February 2025’s Bybit hack is the poster child. Attackers compromised the software supply chain of a third-party developer tool, injected malicious code into the wallet’s web interface, and tricked executives into signing away $1.5 billion in Ethereum. No smart contract was exploited. A single operational pathway—a compromised dependency—was enough.
Private key hacks fall into two categories: brute-force attacks and unknown-method leaks, where nobody knows how the key got out. Together they account for that 40% figure. The remaining 60%? Smart contract bugs, oracle manipulation, and reentrancy attacks. But the trend is clear: attackers follow the path of least resistance, and that path now runs through key-management systems.
The industry is waking up. Multi-party computation, account abstraction, and hardware-based key custody are getting serious investment. But as Wu noted, “the number of routes through which an attack can be launched has increased significantly — cloud systems, third-party tools, social media accounts, and the people operating them.”
Until every project treats private keys like an industrial control system rather than a password, the $16.69 billion figure will keep climbing.
Source: Private keys, not smart contracts, caused 40% of crypto's $16 billion hack losses. Here's what's being done.
Domain: coindesk.com