Interview | Crypto recovery is a myth, prevention is key: Circuit

Victims of crypto hacks often find themselves victimized again by unscrupulous recovery firms, says Harry Donnelly, CEO of Circuit.

Summary
  • Most crypto recovery efforts after a hack are futile, says Circuit CEO
  • 95% of recovery firms could be predatory and offer no support
  • Prevention is key, as $3B was already lost to hacks this year

Crypto adoption is rising, and more people are entering the market. However, despite years of innovation, crypto is still failing some of its most vulnerable users. In a recent incident, a U.S. retiree lost $3 million in XRP after unknowingly compromising their cold wallet.

The incident shows that security is still the top issue in crypto. For this reason, crypto.news spoke to Harry Donnelly, CEO of the crypto security firm Circuit. He explained why the ecosystem lost over $3 billion to hacks this year alone, and why recovery is usually very difficult.

Crypto.news: We’ve seen a recent security incident where a wallet holder lost their life savings in a hack. What does this tell us about crypto asset security?

Harry Donnelly: This is the XRP wallet incident: an alleged U.S. retiree lost about $3 million in XRP, their retirement savings. ZachXBT posted about it on Twitter. The victim said they tried to file a police report but couldn’t reach law enforcement. The funds were then laundered across roughly 120 transactions.

We don’t have full confirmation of the exact vector because the victim isn’t crypto-savvy; without access to their laptop to trace the steps, it’s hard to be certain. But cases like this often involve malware that scans a device for seed phrases and other secrets.

In this case, the person thought they had a cold wallet — purchased from Ellipal — but they imported the seed phrase onto their laptop. That defeats cold storage: once the seed phrase exists on an internet-connected machine, the hardware wallet’s protection is effectively gone.

CN: ZachXBT said many recovery firms are questionable. What is your view?

HD: Totally fair. When people are desperate, bad actors will prey on them. The worst actors often SEO-optimize their pages so they appear first when someone frantically searches “recover stolen crypto.”

Legitimate recovery is hard. Crypto is a bearer asset: possession of the key equals ownership. You can’t call a bank and reverse an on-chain transfer. Legit recovery firms are typically legal shops that work with law enforcement, use blockchain forensics tools like Chainalysis or TRM Labs, track the funds, and try to get exchanges to freeze accounts with legal notices.

But that only works if funds hit a KYC exchange willing and able to cooperate and if the jurisdiction is cooperative. Attackers often route funds to non-cooperative exchanges or mixing services; last year, under 5% of assets were recovered with those methods.

Predatory firms will charge something like $10,00 large fees for basic scans and produce a report that gives victims false information. For example, they tell them to email Tornado Cash, which is useless.

CN: So it seems like recovery is a long shot. What’s the alternative?

HD: Because recovery probabilities are low, prevention is critical. Circuit focuses on preventing loss rather than relying on post-hack recovery. Once funds leave a wallet, chances of recovery are slim; stopping theft before it happens has a much higher success probability.

There are two loss modes: (1) you lose access to your private key (funds are inaccessible) or (2) someone else obtains your private key (funds are stolen). Circuit addresses both by protecting the assets directly rather than solely protecting the key.

We build what we call automatic asset extraction. Instead of only safeguarding a private key, we pre-create signed transactions that move funds to a predefined backup wallet. Those transactions are created ahead of time, encrypted, and stored — never broadcast unless the legitimate user triggers them.

CN: So, who controls that big red button?

HD: The user controls it. They go into our web app, verify their identity using 2FA, and press the button. That decrypts and broadcasts the transaction, and the funds move to the backup wallet.

We store the pre-signed transaction, encrypted, but the user is the only one who can decrypt and trigger it. They define the destination address in advance, and we cannot change that address. Once it’s signed, it’s locked. Our system simply holds it securely and allows the user to trigger it when needed.

CN: Who uses this service at the moment?

HD: Right now, it’s all institutions and enterprises. We don’t serve retail users yet. Our partners are exchanges, asset managers, OTC desks. These are people managing large sums and client assets. For them, downtime or loss of access can be catastrophic.

One example is Shift Markets. We’re deploying our technology across 150 exchanges that they work with. These exchanges can’t afford to lose access to funds, even for a few hours.

For institutions, it’s not just about preventing theft. Sometimes someone misplaces a signing device, or a service like Fireblocks goes down. That can halt all operations — no deposits, no withdrawals.

With Circuit, they can recover within minutes instead of being down for days. And for them, that can mean saving their reputation — and millions in customer retention.

CN: And how do users choose their backup wallets? Should it be another hardware wallet, an exchange account, or a custodian?

HD: Great question. We recommend that the backup wallet be just as secure as the primary. So that means using different wallet providers, storing keys in different locations, and making sure the infrastructure isn’t co-located. You don’t want both sets of keys in the same vault or server.

Also, we enforce quorum approvals — 4-eyes or 6-eyes policies — to avoid any single point of failure. Most large institutions already operate this way. Some use different MPC or multisig setups for primary and backup wallets. Others use different secure facilities or even different jurisdictions. The idea is: if disaster hits one system, the other is unaffected.

We also work with major insurance companies, and they recognize this as a risk reducer. A lot of crypto insurance claims are for lost access or stolen funds. By adding Circuit’s technology, firms become a lower risk. So insurance providers offer discounts to clients who use us. That makes insurance more accessible and, in turn, brings more institutional capital into crypto.

CN: Have you actually had any cases where someone had to use the red button?

HD: Yes, we’ve used the red button, both in real cases and in controlled tests. We’ve even intentionally given access to attackers in white-hat or simulation environments to try and steal the funds. Every time, it’s held up. Our engineering team has worked hard to make sure we’ve covered edge cases and real-world threats.

We’re working with some of the biggest players in the space who’ve tested it independently. We’ll have a public announcement in the next month or two showcasing some of those validations.

CN: And for institutions, the typical failure scenario?

HD: It depends on their wallet setup. If they’re using non-custodial services like Fireblocks, the institution bears some responsibility — they must be able to access their wallets even if Fireblocks is down or unavailable.

If they’re using fully custodial solutions like Coinbase or Anchorage, those providers manage everything end-to-end. But with Fireblocks, you still need your own secure access to the key shards or signing devices.

So imagine an exchange relying on Fireblocks, and they lose a device — maybe someone’s phone or YubiKey. That can temporarily lock them out, halting withdrawals and deposits.

CN: You mentioned earlier that attackers are getting more sophisticated. What’s your perspective on how the crypto industry is adapting to that? What’s changing in security?

HD: It’s similar to Web2 cybersecurity; it’s a cat-and-mouse game. New attacks emerge, we build defenses, attackers evolve again, and so on. Early on, the big breakthrough was multisig, requiring multiple keys to approve transactions.

Then came MPC wallets (multi-party computation), which improve on multisig. In a multisig setup, compromising two out of three keys gives you partial info about the third. In MPC, that’s not the case as each shard gives you no info about the whole, making it more resilient.

Companies like Fireblocks have had a lot of success with MPC. Then on top of that came policy engines — rules that block transactions under certain conditions. For example: “block all transfers over $1 million,” or “don’t allow transfers to non-whitelisted addresses.”

Then came detection tools, which are services that monitor chain activity and flag suspicious behavior. But today, most of those still require a human to act on the alert. In some setups, you might need approvals from people in the U.S., Europe, and Asia, which could take hours. Meanwhile, attacks are happening in minutes or even seconds.

We saw this in the SwissBorg/Kiln hack: $41 million gone in three minutes. Humans simply don’t respond that fast.

CN: When centralized exchanges freeze stolen funds, people usually understand. But when DeFi protocols freeze wallets or pause smart contracts, there’s often criticism about centralization. What’s your view on that?

HD: Look, ultimately, I think if you can prevent tens or hundreds of millions of dollars being stolen, and what it takes is to shut down a smart contract for a few hours, then I think you should do that.

I know there are very big proponents of decentralization, but decentralization is not going to take hold if people don’t adopt it. And people are not going to adopt it if they’re going to lose all their funds. At the end of the day, I think it’s as simple as that.

If you truly believe in this and want it to be adopted by the mainstream — by actual enterprises, actual institutions — they’re going to have to have confidence in it. And for all the proponents who say “just let it be hacked,” or “code is law,” I think the issue is that it’s going to fundamentally stop the growth of the space as much as we’d like it to grow.

And I think there are two areas you’re going to see. You’ll have pools and protocols that are just going to keep doing things the way they are — just letting things run. And then you’re going to have more institutionally focused and enterprise-focused infrastructure, where they do have safeguards, where they do have failsafes, and where there is insurance built into the pools.

That’s already happening. And it’s in those pools that you’re going to see a lot more liquidity being deposited, because that’s where the real capital — the institutions — feel confident putting their funds. And when you think about what the biggest network effect in DeFi is, a lot of it comes down to liquidity.

So if you look at where a lot of liquidity is going to go, over time it should shift toward the places that have failsafes and checks in place — because it gives people more confidence.

CN: But someone might say, if a protocol has the ability to freeze wallets or pause smart contracts, don’t they also have the ability to drain the pool? What’s your take on that?

HD: Yeah, and I think that’s a fair point. If someone has the ability to pause it and put safeguards in place, does that also mean they can do anything they want with the funds?

I think the beauty of smart contracts — if you do them right — is that they’re immutable and transparent. You can define strict parameters ahead of time. You can hard-code the rules: when does this get paused, why does it get paused, and what happens to the funds after?

Do they get moved? If so, where? Can they only be moved to a specific location? After the pause, do they get returned? All of that can be encoded. It doesn’t have to be discretionary.

So yes, if you give people full control to do whatever they want, that’s not great. People won’t want to deposit funds into those protocols. But if there are tightly defined parameters over what’s possible — and part of that includes freezing or pausing in the case of an emergency — then that actually gives people more confidence.

Because even the biggest protocols — like Euler, which had a huge TVL — got hacked. And they’d gone through multiple audits, code reviews, the whole thing. But there was still a small vulnerability that someone was able to exploit.

We are getting better at detecting these things, but new issues will always pop up. And like you said, it’s a cat-and-mouse game. You build a defense, then someone finds a new attack. Then you build a new defense, and so on.

CN: Is there anything you’ve been thinking about lately that you think the industry is overlooking?

HD: One of the things we spend a lot of time on internally is trying to make crypto insurance actually accessible — because when you go back to what we’ve been talking about, right? There are always going to be new attacks, and then people will build new defenses. But something has to fill that gap in the meantime.

I think DeFi insurance — like what Nexus Mutual was trying to do — hasn’t really scaled the way people hoped. And a big part of that is because to offer meaningful insurance, you need enormous pools of capital behind it. That’s just how insurance works.

The traditional insurance world already has billions of dollars sitting in reserves. They know how to underwrite risk. If we can bring those players into the crypto space — and give them confidence in how risks are being mitigated — then we unlock something really big.

Because the truth is, if we want big banks or serious financial institutions to get involved in DeFi and on-chain finance, they’re going to need insurance. Full stop.

So if we can enable that — if we can give traditional insurers the tools and data they need to price risk and actually offer coverage — then suddenly, you’ve got a lot more capital that’s comfortable coming into the space.

And when that happens, everything grows. The protocols grow, the infrastructure matures, the users benefit. So yeah — I think unlocking real crypto insurance is one of the most important things we can do right now.
