
Here’s a sharper, more compact rewrite with a crisp, professional tone:
The crypto industry is gradually confronting risks tied to private keys, though adoption of solutions remains uneven, according to Pharos co-founder and CEO Wish Wu.
While multimillion-dollar hacks have become a regular feature in crypto headlines, the root cause is rarely a failure of blockchain technology. Instead, compromised private keys are behind a large share of these breaches.
Figures from DeFiLlama show the sector has lost $16.69 billion to hacks, DeFi exploits, and bridge attacks, with about 40% linked to stolen or exposed private keys rather than flaws in smart contracts.
Private keys function much like passwords. Blockchain systems themselves have held up well, but attackers continue to exploit weak key management practices to gain access to funds.
According to CertiK, smart contract vulnerabilities are declining, while operational security incidents are increasing as attackers shift toward easier entry points.
Crypto wallets rely on a public key for receiving funds and a private key to authorize transactions. Unlike traditional finance, there is no recovery option—whoever controls the private key controls the assets.
Most private key breaches occur either through brute-force attempts or unexplained leaks, together accounting for a substantial portion of total losses.
Cysic CEO Leo Fan said these incidents are not failures of cryptography but of key management, as the underlying math remains secure.
Risk rises once keys are used or stored. Because they must remain active to sign transactions, they are exposed within live systems involving cloud services, software dependencies, and human operators—common points of compromise.
Wu noted that early blockchain systems were built around a single-key model, where one compromised key can lead to total loss. This contrasts with traditional finance, which relies on layered controls and multiple approvals.
He also highlighted the expanding attack surface, including cloud infrastructure, third-party tools, social media, and human error.
The February 2025 Bybit hack underscored these risks. Attackers breached a third-party software supply chain, injected malicious code, and tricked executives into approving transactions that resulted in a $1.5 billion Ethereum loss.
To address the issue, the industry is exploring solutions such as multi-party computation (MPC), account abstraction, passkey authentication, hardware wallets, and stronger operational practices. However, these measures are often implemented as add-ons rather than built into protocols.
Fan pointed to a growing shift toward eliminating single points of failure through distributed key control, such as MPC and threshold signing.
Account abstraction adds further protections, including spending limits and recovery options, reducing the risk of total loss even if one signer is compromised.
Wu emphasized that security must be treated as an ongoing discipline across development and operations, noting that human factors—awareness, training, and culture—remain one of the weakest links.
If you want, I can tighten this further into a brief or make it more opinionated/analytical.






