Private keys are a $239m security risk, CertiK report says

It’s official: poor private key management is an expensive security risk for crypto investors.

In the first quarter, about $503 million was lost in onchain security breaches, a report from blockchain auditor CertiK said.

Of that figure, almost half — $239 million — was lost in private key compromises, though these kinds of breaches made up just 12% of all security incidents, said the report, published on Wednesday.

The most high-profile of these attacks in the first quarter was sustained by Ripple co-founder and executive chair Chris Larsen in late January.

The breach was first noticed by onchain sleuth ZachXBT, who posted details of an exploit where the culprit drained around 212 million XRP tokens worth about $112.5 million.

Larsen confirmed the attack, but not the amount, saying on X that his personal wallets had been affected by “unauthorised access.”

“We were quickly able to catch the problem and notify exchanges to freeze the affected addresses. Law enforcement is already involved,” he wrote.

Larsen stressed that these were his assets and not those of Ripple.

However, the breach has led to increased calls within the XRP community for more transparency and security, “especially regarding the distinction between personal and organisational assets,” the CertiK report said.

The report also detailed how on March 16, multiple wallets owned by Milady Maker founder Charlotte Fang were compromised to the tune of about $3 million.

A post-mortem found that multi-signature keys were insecurely stored in one Bitwarden account “without adequate backups or safeguards like timelocks on the treasury,” the report said.

“This setup facilitated the theft, highlighting severe lapses in security and risk management.”

More from the CertiK report:

• Private key compromises surged by a whopping 1,171% from the first quarter of 2023, when private key compromises amounted to about $19 million.
• The first three months of 2024 saw 26, while the same period last year saw 11.
• Crypto gaming platform PlayDapp and exchange FixedFloat experienced private key breaches in February that led to losses of approximately $32 million and $26 million, respectively.

Reach out to the author at joanna@dlnews.com.