Private keys, not smart contracts, caused 40% of crypto’s $16 billion hack losses. Here’s whats being done.

“Most blockchain infrastructure was originally built for a single-user, single-key model, one private key controls everything, and if that key is lost or stolen, all the assets are gone instantly. This goes against the basic security principles that traditional finance has relied on for decades: more than one person approving, separation of duties, and several layers of defense,” Wu told CoinDesk.

In a way, the system built to revolutionize global finance has weaker security than a typical email account.

Wu added that the number of routes through which an attack can be launched has increased significantly. “Cloud systems, third-party tools, social media accounts, and the people operating them, all of these can become a way in.”

Both Wu and Fan pointed to the Bybit hack of February 2025 as an example of a widening attack surface. Attackers compromised the software supply chain of a third-party developer tool, allowing them to inject malicious code into the wallet’s web interface and trick executives into unknowingly signing away $1.5 billion in Ethereum.

The fix

The industry is now moving to address the private key vulnerability issue, though not evenly, according to Wu.

“There’s progress on many fronts: MPC [multi-party computation] wallets, account abstraction with social recovery, passkey-based login, hardware wallet enforcement, and proper key management SOPs,” he said. “The problem is that these are often added as optional extras, instead of being built in from the start at the protocol level. Most chains still treat security as a feature to bolt on, not as a core design principle.”