Private keys, not smart contracts, caused 40% of crypto's $16 billion hack losses. Here's whats being done.

Crypto projects losing millions due to exploits and hacks are becoming almost daily headlines. So much so that some of this news had almost become background noise.

While hacks are a big deal in the tech industry, the problem leading to these exploits in crypto isn't the technology itself; rather, it's the compromised "private key."

Blockchain projects have lost a total of $16.69 billion to hacks, DeFi exploits, and bridge attacks, according to data source DeFiLlama. About 40% of that amount is tied to someone obtaining a private key, rather than to a flaw in blockchain technology or a smart contract vulnerability.

In simple terms, private keys are like passwords. Think of online banking. The core infrastructure and systems that actually move and store users' money in traditional banks rarely get breached directly. But passwords get leaked or hacked, and malicious actors can gain access to millions of dollars online. That's the equivalent of the blockchain and smart contract code, and it's generally been solid. What's been compromised, again and again, is the private key or the equivalent of a password.

"We are observing that operational security incidents are rising while smart contract exploits are declining, reflecting that attackers typically target the weakest points. As projects have focused their security investments on smart contracts, other critical areas have been left exposed," CertiK, one of the leading blockchain and Web3 security firms, told CoinDesk.

How the hacks happen

Every crypto wallet has two key numbers. One is public, like a bank account number, which users share to receive money. The other is private, a string of characters like a user's bank password, that proves ownership of funds in their wallet and lets them spend them.

But here is where it gets more complicated. If a user loses this private key, there is no bank-like option to reset it, no private banker to help access funds, and no fraud department to file a claim. Whoever holds that key holds the funds, regardless of the tech or code behind that protocol.

Private key hacks fall into two categories: brute-force attacks, where attackers guess or brute-force their way to a user's private key. The second is the unknown method, in which the private key is leaked, but nobody is entirely sure how it happened.

These two methods account for roughly 40% of all crypto hack losses to date, underscoring that the majority of these exploits are not due to blockchain infrastructure but to vulnerabilities outside it.