Self-Custody: The Double-Edged Sword of Crypto Innovation

Self-custody—the ability to personally control cryptocurrency without relying on governments or banks—stands as one of blockchain’s most transformative innovations. Yet it is also the leading cause of thefts plaguing the industry, with compromised private keys accounting for $8.5 billion in stolen onchain assets. This staggering figure represents nearly half of all hacks over the past decade, according to DefiLlama data.

The $8.5 Billion Problem: Why Self-Custody Fails

The sheer scale of losses raises critical questions about the viability of self-custody—and the $2.7 trillion industry built around it. While self-custody offers unparalleled control, its security vulnerabilities have become a glaring weak point.

David Schwed, Chief Operating Officer at SVRN and a cybersecurity expert who led digital asset development for BNY Mellon, told DL News that the issue stems from industry-wide neglect of security best practices.

“Projects operate on shoestring budgets, are incentivized to build quickly, and resist what they view as excessive security measures,” Schwed explained. “To make self-custody safe, projects must hire seasoned chief information security officers and empower them to assemble expert teams to implement robust security systems.”

Recent Hacks Expose Critical Weaknesses

The crypto industry has faced a crisis of confidence following two high-profile hacks in recent weeks. North Korean hackers stole a combined $579 million from decentralized finance (DeFi) projects Drift and Kelp DAO, triggering widespread skepticism about DeFi’s trade-offs.

Unlike previous attacks that exploited code vulnerabilities, these hacks targeted weak points in project security and third-party infrastructure:

  • Drift: Hackers infiltrated the project’s internal systems by tricking contributors into downloading malware after a months-long social engineering campaign.
  • Kelp DAO: Attackers compromised infrastructure providers in LayerZero’s decentralized verifier network, which Kelp DAO relied on to authorize fund releases.

Why Security Takes a Backseat in Crypto Development

Several factors contribute to the industry’s security shortcomings, according to Schwed:

  • Investor Pressure: Early-stage crypto projects face intense pressure to rapidly develop and launch products to gain market traction. Speed often trumps security in competitive environments.
  • First-Mover Advantage: Projects that reach the market quickly, such as Aave (founded as ETHLend in 2017) and Uniswap (launched in 2018), often dominate their sectors, reinforcing the rush to launch.
  • Cost Constraints: Hiring a competent security team—including a chief information security officer and 3-5 experts—can strain even well-funded projects’ budgets.
  • Startup Culture: Many crypto startups prioritize agility over security, viewing stringent controls as obstacles to innovation.

“A strong chief information security officer will implement controls that developers may perceive as roadblocks,” Schwed noted. “Balancing security with usability remains a persistent challenge.”

Can Self-Custody Be Made Safe?

Schwed emphasizes that self-custody, despite its risks, can be secured with the right approach. Projects must:

  • Invest in experienced security leadership and teams.
  • Adopt rigorous security frameworks and audits.
  • Prioritize security over speed in development cycles.
  • Educate users on best practices for private key management.

The path forward requires a cultural shift—one where security is not an afterthought but a foundational pillar of crypto innovation.

Source: DL News