The crypto sector is beginning to tackle risks tied to private keys, though progress is uneven, according to Pharos co-founder and CEO Wish Wu.
Large-scale hacks draining millions from crypto projects have become so frequent they’re almost routine. Yet the root cause is rarely a flaw in blockchain technology itself—more often, it’s compromised private keys.
Data from DeFiLlama shows the industry has lost $16.69 billion to hacks, DeFi exploits, and bridge attacks, with about 40% of that tied to stolen private keys rather than weaknesses in smart contracts or protocols.
Private keys function like passwords. Just as bank systems are rarely breached directly but user credentials often are, blockchain infrastructure has proven resilient, while keys continue to be exposed or mismanaged.
According to CertiK, smart contract exploits are declining, but operational security failures are rising as attackers increasingly target weaker entry points.
Crypto wallets rely on two keys: a public key for receiving funds and a private key that authorizes transactions. Unlike traditional finance, there’s no reset option—whoever controls the private key controls the assets.
Most private key breaches fall into two categories: brute-force attempts and unexplained leaks. Together, they account for a significant share of total losses, underscoring that vulnerabilities often lie outside blockchain code.
Cysic CEO Leo Fan said these incidents reflect poor key management rather than failures in cryptography, which remains fundamentally secure.
The risk increases once keys are used, stored, or shared. Because operational keys must remain active within systems, they are exposed to software dependencies, cloud environments, and human interaction—common points of failure.
Wu noted that early blockchain systems were built around a single-key model, where one key controls all assets. This contrasts with traditional finance, which relies on layered security, shared control, and multiple approval mechanisms.
He also pointed to the expanding attack surface, including cloud services, third-party tools, social media, and human operators.
A key example is the February 2025 Bybit hack, where attackers compromised a third-party software supply chain, injected malicious code, and tricked executives into signing transactions that resulted in a $1.5 billion Ethereum loss.
To reduce these risks, the industry is exploring solutions such as multi-party computation (MPC), account abstraction, passkey authentication, hardware wallets, and stronger operational practices. However, these are often implemented as optional features rather than built-in safeguards.
Fan said a major shift is underway toward eliminating single points of failure, with MPC and threshold signing distributing control so no single key can be compromised.
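The property Fan describes, that no single key holder can move funds on their own, is easiest to see with a toy threshold scheme. The block below is an added illustration, not code from Pharos, Cysic or any wallet product: it implements Shamir secret sharing over a small prime field (a stand-in for a real MPC/threshold-signature protocol, which would never reconstruct the key in one place) and shows that any two of three shares recover the secret while one share on its own is consistent with every possible secret.

```python
import secrets

# Small prime so the "one share tells you nothing" check can enumerate every secret.
# Real deployments use a large field; the arithmetic is identical.
DEMO_PRIME = 97


def _eval_poly(coeffs, x, prime):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod prime."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % prime
    return acc


def split_secret(secret, threshold, n, prime=DEMO_PRIME):
    """Split `secret` into n shares; any `threshold` of them reconstruct it."""
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x, prime)) for x in range(1, n + 1)]


def reconstruct(shares, prime=DEMO_PRIME):
    """Lagrange interpolation at x = 0 over a list of (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, prime - 2, prime)) % prime
    return total


def secrets_consistent_with_one_share(share, prime=DEMO_PRIME):
    """For a 2-of-n split, list every secret that a single share could belong to.

    A lone share fixes one point on a line; for every candidate secret there is a
    slope through (0, secret) and that point, so an attacker with one share learns nothing.
    """
    x1, y1 = share
    x1_inv = pow(x1, prime - 2, prime)
    consistent = []
    for s in range(prime):
        slope = (y1 - s) * x1_inv % prime
        if (s + slope * x1) % prime == y1:
            consistent.append(s)
    return consistent
```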
Account abstraction adds further protections, including spending limits and recovery mechanisms, reducing the risk of total loss even if one signer is breached.
Wu emphasized that security must be treated as an ongoing process, embedded across development and operations. He added that human factors—awareness, training, and security culture—remain one of the most critical and vulnerable layers.