Why Hackers Stopped Looking for Bugs and Started Looking for Keys
By Sue Pontius, Chief Executive Officer, Lokblok · Published 19 May 2026
The Shift No One Saw Coming
For years, the narrative was simple: fix the code, patch the contract, audit everything twice. Security teams poured resources into smart contract reviews, formal verification, and bug bounties. The assumption was that if your code was clean, your assets were safe.
Then 2025 happened.
Infrastructure Is the New Attack Surface
According to TRM Labs' 2026 Crypto Crime Report, infrastructure attacks—targeting private keys, wallet infrastructure, and privileged access—drove $2.2 billion in losses across 45 incidents. That's 76% of total crypto theft for the year. The average breach? $48.5 million.
These weren't amateur operations. North Korean actors alone extracted $1.92 billion by systematically compromising key storage and operational foundations. Not smart contracts. Not protocol vulnerabilities. Keys.
The $1.46 billion Bybit breach validated what top-tier adversaries already knew: why hunt for code bugs when you can go straight to the signing infrastructure?
The Pattern Every CISO Needs to Understand
When most people think about private keys, they think about storing them somewhere—either in whole or in part. The entire security industry is built on that assumption. HSMs harden the storage. MPC distributes it across multiple parties. Vaults encrypt it. Each approach competes on how well it protects the secret.
But here's what 2025 proved: at signing time, something has to reconstruct. Whether it's a key materializing inside an HSM, MPC shares combining to perform the operation, or a vault decrypting stored material—there's a moment when the secret exists in a form that can be extracted.
That's the moment everything is lost.
The drifter attack drove this home. Organizations following industry best practices—good operational security, vetted infrastructure, compliant processes—still had keys extracted and funds stolen. They did everything right on paper. It didn't matter.
What Attackers Actually Target
The shift is structural. Adversaries aren't scanning GitHub for vulnerable contracts anymore. They're:
- Compromising wallet orchestration layers
- Extracting keys from signing infrastructure during operational use
- Targeting the exact moment secrets reconstruct for transaction signing
- Exploiting the fact that if a key has to exist somewhere to be used, it can be stolen
This isn't about better firewalls or stricter access controls. Those matter, but they're defending the wrong perimeter. As long as the signing process requires a standing secret—even for microseconds—the attack surface remains.
The Assumption That Broke
The fundamental assumption in every major breach is the same: to use a cryptographic secret, you have to keep it. Store it securely, distribute it carefully, encrypt it properly—but it has to exist over time.
What if it didn't?
When a secret is calculated at the point of use under strict policy conditions—identity verified, quorum satisfied, device attested—and then immediately destroyed, you can't steal what isn't there. No standing keys. No reconstruction moment. No window for extraction.
What This Means for 2026
Insurers are already moving. Premiums are rising, and underwriters are differentiating pricing based on hot wallet exposure and key architecture. Post-Bybit, every CISO in crypto and finance is being asked the same question: if attackers compromise your signing infrastructure during an operation, what gets taken?
The organizations that answer "nothing, because the key doesn't exist before or after the signature" are the ones that will remain operational when the next $1.4 billion headline drops.
The code might be perfect. But if the key exists, the key can be stolen. 2025 made that brutally clear.
Source: https://www.trmlabs.com/reports-and-whitepapers/2026-crypto-crime-report
About the author
Sue Pontius
Chief Executive Officer, Lokblok
Sue Pontius is CEO of Lokblok, where she leads the company's work on zero-persistence cryptography for digital assets, identity, and high-assurance custody.