Data from DeFiLlama reveals that blockchain projects have lost a cumulative $16.69 billion to DeFi exploits, bridge attacks, and hacks. Approximately 40% of this total is now attributed to compromised private keys rather than inherent flaws in blockchain technology or smart contract vulnerabilities. This shift indicates that while projects have focused security efforts on auditing code, the “human layer” and operational infrastructure remain exposed.
According to CertiK, a leading blockchain security firm, operational security incidents are rising even as smart contract exploits decline. Attackers are increasingly targeting the weakest points, such as software dependencies and cloud credentials. Reports from the trading firm GSR suggest that focus has shifted toward developer tooling and the human signers behind protocols, leading to a surge in off-chain vulnerabilities throughout 2024 and 2025.
Understanding the private key security gap
Every cryptocurrency wallet operates with a public key and a private key. The private key acts as a permanent password that proves ownership and allows the spending of funds. Unlike a traditional bank account, there is no option to reset a lost or stolen key. If an attacker obtains the key, they hold the funds, regardless of how robust the protocol’s underlying cryptography may be.
Le Fan, the founder and CEO of Cysic, notes that these incidents represent key-management failures rather than a breakdown of “curve math,” which remains unbreakable. A private key must be “hot” or active to sign transactions, meaning it often resides on servers surrounded by human operators and third-party tools.
This operational environment is where most breaches occur, as the 2025 Bybit heist demonstrated when attackers tricked executives into signing away $1.5 billion in Ethereum.
Recent data underscores the severity of this trend. Wallet compromises accounted for roughly 69% of the value lost in the first half of 2025, totaling about $1.71 billion. Even as the Ethereum recovery outlook remains a topic of technical debate, the security of the keys controlling these assets has become a more pressing concern than the code itself.
Key details
Several major protocols have suffered massive losses due to key compromises in recent months. On June 8–9, 2026, Humanity Protocol reported a private-key or admin-key breach that resulted in an estimated $32 million to $36 million being stolen. The impact was immediate, with the protocol’s token price collapsing by as much as 90%.
Shortly before this, on May 30, both the Alephium Bridge and Gravity Bridge were hit, losing $815,000 and $5.4 million respectively after attackers gained access to keys.
The largest single exploit of 2026 occurred on a Saturday when an attacker drained approximately 116,500 restaked ETH from the Kelp DAO rsETH bridge. The stolen assets were valued between $290 million and $293 million. These events reflect a broader pattern, one the THORChain exploit analysis showed in previous years, in which bridge infrastructure becomes a primary target for sophisticated actors.
Even social and prediction platforms are under fire. On June 25, 2026, Polymarket confirmed that a third-party vendor breach allowed attackers to inject a malicious script into its website. This phishing attempt drained $2.9 million from user wallets. Polymarket also disclosed a separate $700,000 exploit a month prior, which was tied to a six-year-old private key used for internal payment top-ups.
Industrial shifts toward advanced key management
Wish Wu, the co-founder and CEO of Pharos, argues that the industry must move away from the “single-user, single-key” model. Most blockchain systems were originally built with one key controlling everything, which Wu says goes against basic security principles used in finance for decades. He advocates building security into the protocol level rather than treating it as an optional feature.
Multi-party computation (MPC) is one solution gaining significant traction. MPC wallets split a private key into shards, ensuring a complete key never exists in any single place. This removes the single point of failure that hackers typically exploit.
Additionally, account abstraction allows for the use of smart contracts as accounts, enabling features like backup guardians and social recovery to protect funds even if one signer is compromised.
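As an added illustration of the sharding idea (not code from Cysic, Pharos or any wallet vendor), the Shamir-style split below assumes a 3-of-5 policy and a constructed demo secret: any three shards recover the key, while two shards yield a useless value. Production MPC wallets go further with threshold signatures, so the key is never reassembled even to sign.

```python
"""Shamir secret sharing over a prime field: a minimal picture of key sharding.
Added example; illustrative only, not a production MPC or wallet implementation."""
from __future__ import annotations
import secrets

# 2^127 - 1, a Mersenne prime; all arithmetic is done modulo this field size.
PRIME = (1 << 127) - 1
# Constructed demo secret standing in for a private key (not a real key).
SECRET = 0x0123456789ABCDEF0123456789ABCDEF


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Return `shares` points on a random degree-(threshold-1) polynomial whose
    constant term is `secret`. Any `threshold` points determine the polynomial."""
    if not 0 < threshold <= shares or not 0 <= secret < PRIME:
        raise ValueError("need 0 < threshold <= shares and 0 <= secret < PRIME")
    # Constant term is the secret; remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    # x = 0 would be the secret itself, so shard indices start at 1.
    return [(x, f(x)) for x in range(1, shares + 1)]


def interpolate(points: list[tuple[int, int]], x: int = 0) -> int:
    """Lagrange interpolation mod PRIME; evaluating at x = 0 gives the constant term.
    With fewer than `threshold` points this fits the wrong polynomial."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(secret: int = SECRET) -> dict[str, int]:
    """3-of-5 split: any 3 shards rebuild the secret; 2 shards rebuild garbage."""
    shares = split_secret(secret, threshold=3, shares=5)
    return {
        "from_first_three": interpolate(shares[:3]),
        "from_last_three": interpolate(shares[2:]),
        "from_two_only": interpolate(shares[:2]),
        "single_shard_value": shares[0][1],
    }
```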
Key details
For high-value assets, hardware wallets or “cold storage” remain the gold standard. Devices like those from OneKey keep keys physically isolated from the internet to prevent remote hacking. Security experts recommend purchasing these devices directly from official manufacturers. While altcoin market trends continue to evolve, the fundamental need for robust, offline key storage remains the most effective defense against the rising tide of operational exploits.
Operational security as a continuous discipline
Dyma Budorin, CEO of Hacken, has warned that AI-driven tools are making it easier for attackers to launch wallet-draining schemes at scale. This makes operational security a daily requirement rather than a one-time audit. Industry standards are beginning to prioritize threshold signing and multi-signature (multisig) wallets, which require more than one party to approve a transaction.
The cumulative $16.69 billion lost in the crypto space serves as a stark reminder of the costs of poor key management. As the industry matures, the focus is shifting from the strength of the code to the security of the humans and systems that operate it.
Building security into the entire development and deployment lifecycle is no longer a luxury but a necessity for survival in the current threat environment.
