Crypto projects continue to face frequent exploits and security breaches, but new industry analysis indicates that the largest source of losses is no longer blockchain technology itself. Instead, compromised private keys have become one of the leading causes of stolen digital assets.

According to data from DeFiLlama, blockchain projects have collectively lost approximately $16.66 billion through hacks, decentralized finance (DeFi) exploits, and bridge attacks. Around 40% of those losses resulted from attackers obtaining private keys rather than exploiting vulnerabilities in blockchain protocols or smart contracts.
Crypto projects lost more than $84 million to hacks in May 2026, driven by bridge exploits, smart contract vulnerabilities, and operational security failures. The latest incidents highlight persistent risks as attackers continue targeting blockchain infrastructure and digital asset platforms.
Crypto projects lost over $450 million to phishing, exploits, and infrastructure attacks in Q1 2026, highlighting persistent security risks despite stronger smart contract protections.
The findings come as the crypto industry experiences another active period of cyberattacks. Security monitoring data also shows that Q2 2026 recorded 85 separate hacks, making it the most active quarter by the number of incidents, even though total financial losses remained below previous record highs.
The report underscores a broader shift in attack patterns. While smart contract security has improved through audits and formal verification, attackers have increasingly focused on operational security weaknesses, including credential theft, cloud infrastructure, third-party software, and human error.
Experts Say Operational Security Has Become the Primary Attack Surface
A private key functions as the cryptographic credential that authorizes blockchain transactions. Unlike passwords for traditional online banking services, private keys cannot be reset if lost or stolen. Whoever controls the private key effectively controls the associated digital assets.
Security researchers classify private key compromises into two primary categories: brute-force attacks that attempt to discover keys through computation, and incidents where keys are leaked through unknown or indirect methods such as compromised infrastructure or operational failures.
Leo Fan, founder and CEO of Cysic, said the industry’s challenge lies in protecting key management rather than improving cryptography.
“Private key hacks aren’t a cryptography failure – they’re a key-management failure the industry keeps mislabeling. The curve math is unbreakable.”
Fan explained that private keys become vulnerable once they are actively used within online services, where they interact with cloud infrastructure, software dependencies, credential storage systems, and personnel responsible for maintaining operations.
Wish Wu, co-founder and CEO of Pharos, similarly noted that blockchain ecosystems now face a significantly broader attack surface than in previous years. Cloud platforms, third-party development tools, social media accounts, and operational personnel have all become potential entry points for attackers.
Both executives cited the February 2025 Bybit hack as an example of this evolving threat landscape. In that incident, attackers reportedly compromised a third-party software supply chain, inserted malicious code into the wallet interface, and ultimately deceived executives into approving unauthorized Ethereum transactions worth approximately $1.5 billion.
Industry Moves Toward Stronger Wallet Security
Security specialists say the industry is adopting technologies such as Multi-Party Computation (MPC) wallets, account abstraction, passkey-based authentication, hardware wallet enforcement, and stronger key management to reduce reliance on a single private key.
MPC distributes transaction authorization across multiple participants, while account abstraction adds security features such as spending limits, approved address lists, and recovery options.
More than 100.8 million smart contracts have been analyzed, with approximately 4.24 million flagged as scam contracts, including 3.41 million identified during the past 30 days, highlighting the growing scale of blockchain security threats.