Here’s a more concise, polished rewrite with a strong newsroom flow:
The crypto industry is starting to address vulnerabilities tied to private keys, though progress remains uneven, according to Pharos co-founder and CEO Wish Wu.
Major hacks draining millions from crypto platforms have become increasingly common, but the underlying issue is rarely the blockchain itself. Instead, most breaches stem from compromised private keys.
Data from DeFiLlama shows total losses from hacks, DeFi exploits, and bridge attacks have reached $16.69 billion, with roughly 40% linked to private key exposure rather than smart contract flaws.
Private keys act like passwords. While blockchain infrastructure has proven largely secure, attackers often gain access by exploiting leaked or mishandled credentials.
CertiK reports that as smart contract vulnerabilities decline, operational security failures are rising, with hackers targeting weaker, off-chain entry points.
Crypto wallets rely on a public key to receive funds and a private key to authorize transactions. Unlike traditional systems, there is no recovery mechanism—control of the key means control of the assets.
Most private key breaches occur through brute-force attempts or unclear leakages, together accounting for a significant share of total losses.
Cysic CEO Leo Fan said these incidents highlight failures in key management, not cryptography, which remains robust.
The risk increases once keys are actively used, stored, or shared. Because they must remain “hot” to function, they exist within live systems exposed to software, cloud infrastructure, and human interaction—common points of compromise.
Wu noted that early blockchain designs relied on single-key control, where one compromised key can result in total loss. This stands in contrast to traditional finance, which uses layered approvals and separation of duties.
He also pointed to a growing attack surface, including cloud platforms, third-party tools, social media, and human operators.
The February 2025 Bybit hack illustrates the risk: attackers infiltrated a third-party software supply chain, inserted malicious code, and tricked executives into approving transactions that led to a $1.5 billion Ethereum loss.
To address these challenges, the industry is adopting solutions such as multi-party computation (MPC), account abstraction, passkeys, hardware wallets, and improved operational standards. However, these measures are often optional rather than embedded at the protocol level.
Fan said the shift toward distributed key control—through MPC and threshold signing—aims to remove single points of failure.
Account abstraction adds further safeguards like spending limits and recovery mechanisms, preventing a single compromised signer from draining funds.
Wu emphasized that security must be treated as a continuous process across development and operations, noting that human factors—training, awareness, and culture—remain one of the weakest links.
Let me know if you want an ultra-short version or a more analytical rewrite.
