Finst

Private Keys Drive 40% of Crypto Hack Losses

New industry data from CertiK points to key management as the biggest risk, with MPC wallets and social recovery emerging as answers to private key theft.

Key Takeaways

  • About 40% of the $16.69 billion in crypto losses comes from leaked or stolen private keys.
  • CertiK sees operational incidents rising, while smart contract exploits are declining.
  • The industry is leaning more on MPC wallets, account abstraction, hardware wallets, and tighter key management.

Crypto projects are still getting hit by hacks and exploits, but new industry data suggests the biggest vulnerability is not the blockchain itself. Out of the $16.69 billion (€14.6 billion) lost to hacks, DeFi exploits, and bridge attacks, roughly 40% is tied to private keys that were leaked or stolen. That puts key management at the center of the industry’s security problem, while smart contracts are less often the direct source of losses.

Private Keys Are Still the Weak Spot

A private key functions much like the password to a crypto wallet. Once someone has it, they can take control of the funds, and there is no bank-style recovery process or fraud desk that can simply undo the transfer. CertiK says the risk profile is also changing, with operational incidents on the rise even as smart contract exploits become less common.

That lines up with how many of these attacks play out. In some cases, attackers use brute force. In others, it is never fully clear how the key was exposed in the first place. Either way, the outcome is the same: the attacker gains access to the wallet and can move the assets.

Crypto has already seen plenty of major thefts, from the early Mt. Gox hack to the LuBian mining pool hack in 2020, both of which show how much damage can follow when access keys or internal controls fail. Physical attacks on crypto holders also jumped sharply in 2025, underscoring that security risks are not limited to the digital side. That fits with broader warnings that crypto security takes more than just audits, since human mistakes and operational gaps often matter more than code bugs.

Security Is Shifting Toward Key Management

Wish Wu, co-founder and CEO of Pharos, says the industry is trying to close the private key gap, but the response is still uneven. He points to MPC wallets, account abstraction with social recovery, passkey logins, hardware wallets, and tighter key management practices as tools that are gaining traction. Even so, he notes that many of these protections are still being bolted on as optional features instead of being designed into the protocol from day one.

Cysic founder Le Fan is even more direct. In his view, the issue is not cryptography itself, but key management. The math behind the curve is not the problem; the real weakness is how keys are stored, used, and protected.

What This Means for European Readers

For European crypto investors, the takeaway is that security is becoming more about operational discipline than about code audits alone. That applies to exchanges, custody providers, and users who hold their own crypto. Multi-signature wallets and other shared-approval setups could become especially important for larger balances, where relying on a single key creates too much risk.

