The widespread adoption of cryptocurrency continues to be plagued by security threats, with a staggering $1.7 billion worth of crypto assets lost to theft of private keys in 2024, according to a new report by cybersecurity firm Hacken.
In the 2024 Web3 Security Report, Hacken identifies the theft of private crypto keys as the most “significant” risk facing crypto investors. Strikingly, the report highlights that smart contract exploits are far less frequent than the theft of private crypto keys.
“Access control exploits – closely linked to private key compromises – accounted for nearly 75% of total crypto hack losses in 2024, rising from 50% in 2023. This equates to nearly $1.7 billion lost across Web3, representing a sharp increase from less than $1 billion the previous year,” the report states. By contrast, smart contract vulnerability exploits contributed to just 14% of total losses in 2024, highlighting the dominance of unauthorized access and private key theft as a security threat.
Private keys, which are unique strings of letters, words, and numbers generated by crypto wallets, serve a dual purpose: they authorize transactions and prove ownership. They are also paramount in encrypting data and assets to safeguard them from theft.
Hacken’s report goes on to outline four primary reasons behind the theft of private keys: insecure management platforms, social engineering campaigns, insecure data backups, and vulnerabilities within the single-signature schemes of crypto wallets.
The largest exploit of 2024, according to Hacken, was the attack on WazirX, a centralized Indian crypto exchange. Despite employing a robust multi-party security system, the exchange suffered a breach in which funds were moved out of its wallets without authorization, resulting in the theft of over $230 million worth of digital assets.
“WazirX utilized a Gnosis Safe multisig wallet requiring 4 out of 6 signatures for transactions. Five of the keys were managed by WazirX, while the sixth was held by Liminal, a digital asset custody provider. The attacker managed to manipulate the system, obtaining signatures from three WazirX signers and one from Liminal, allowing them to upgrade the wallet to a malicious contract and siphon off the funds,” the report said.
As the world continues to grapple with the shift towards digital currencies, the report by Hacken serves as a stark reminder of the industry’s security challenges. Measures to enhance the secure management of private keys, and the need for greater vigilance to prevent unauthorized access, are evidently paramount in securing the future of cryptocurrency.