Skip to content

Key & Signer Compromise

Key and signer compromise is one of the highest-impact attacks Common Defense defends against: an attacker seizes a wallet, HSM, or code-signing identity to move funds, ship malicious releases, or authorize actions in your name. We help you prevent it, detect it in progress, and respond when an attacker breaks through.

The largest signer and key compromises

Bybit$1.5B
malicious signing · Feb 2025
Ronin$625M
key theft · Mar 2022
WazirX$230M
key theft · Jul 2024
Radiant$50M
malicious signing · Oct 2024

The record for the largest crypto theft keeps falling to the same move: reach whoever can sign. Ronin started with a fake job offer to one engineer. Bybit’s signers approved a transaction they read as routine.

Stealing the key is optional

Many of these drains never required a stolen key. Attackers got a real signer to approve a malicious transaction through a spoofed interface or a blind-signing prompt. Defending funds means defending the signing decision itself, the moment a person taps approve.

It starts on the communication layer

Nearly every one of these began weeks before the drain, with a message from someone who wasn’t real. We close that path and harden the signers behind it, so one approval can’t end your protocol.

Hardening the way you sign

Most treasury drains come down to how funds move, so that is where the work starts. We review your signer set, quorum policy, and signing hygiene, along with the custody and movement controls that sit between an attacker and the funds. We tighten multisig thresholds, key rotation, and the approval discipline that keeps one bad tap from draining you. We cover the whole signing set too: cosigners, validators, ops staff, and contractors all hold risk, not just the core team. No single person, device, or approval should be able to move the treasury on its own.

How we help

Harden treasury operations

We tighten how your treasury moves funds, from multisig thresholds and key rotation to the approval discipline that stops one bad tap from draining you.

Protect the signers

The people who can move funds are the target. We put the Communication Firewall around your signers across email, Telegram, Slack, and calls, catching the fake recruiter or spoofed teammate weeks before they get an approval.

Respond and trace

Once attackers reach a signer, you have minutes. We contain the exposure, trace the funds on-chain, and push exchanges and partners to freeze what's still reachable.

Certify your signing posture

We score how your treasury signs against a fixed bar, so partners and investors get a clear answer on the controls behind your funds.

Close every gap before it becomes an incident.

Get Protected