The crypto industry is hemorrhaging funds at an unprecedented rate, with over $2.47 billion stolen in the first half of 2025 alone, a massive 65% increase from the previous year.
Behind these alarming statistics lies an even more troubling reality: once crypto assets are stolen, they’re almost never recovered.
The Bybit hack perfectly illustrates this claim, the most significant single incident to date, resulting in over $1.4B in losses, with more than 87% of the funds now permanently inaccessible.
Traditional recovery methods have proven woefully inadequate in the face of blockchain’s unique challenges.
Recent data from Chainalysis reveals that in H1 2025, just 4.2% of stolen crypto assets were recovered after loss.
When hackers can drain protocols in seconds and assets vanish across multiple blockchains within minutes, the conventional approach of “negotiate after the fact” becomes not just ineffective, but almost absurd.
The Speed Problem That’s Breaking Crypto Security
The mathematics of modern crypto exploits are brutal. Private key compromises, which accounted for 43.8% of all stolen crypto in 2024, can drain entire treasuries in a single transaction.
Notably, the $1.4 billion Bybit hack shows how attackers can move from initial breach to complete asset extraction faster than any human response team can coordinate a defense.
This speed asymmetry has created what security experts call the “intervention window problem.”
While traditional financial systems have built-in delays and reversal mechanisms that provide time for human intervention, cryptocurrency’s design philosophy of fast, final settlement works against recovery efforts.
North Korean hackers, who stole $1.34 billion in 2024 alone, have mastered this timing advantage, typically laundering funds through complex cross-chain routes within minutes of initial theft.
Circuit, a pioneering automated recovery platform, believes the solution isn’t faster humans but rather eliminating humans from the recovery equation entirely.
The company has developed technology that pre-programs recovery actions before any attack occurs, compressing intervention timelines from days to seconds through what they call “pre-signed fallback transactions.“
We spoke with Harry Donnelly, founder and CEO of Circuit, about how automated recovery systems could fundamentally change crypto security, why post-incident negotiations are becoming obsolete, and what happens when recovery becomes faster than the attacks themselves.
From Reactive Investigation to Pre-Programmed Response
Cryptonews: The CrediX case shows that even “successful” negotiations result in lost value and shaken trust. How does your automated recovery technology change the entire timeline of a potential exploit?
Harry Donnelly: “In crypto, stolen assets typically vanish within minutes, making post-incident negotiations almost futile. In H1 2025, just 4.2% of stolen assets were recovered after loss. Circuit changes this timeline by embedding automatically executable recovery into a platform’s infrastructure.
Before any breach, the user creates pre-signed fallback transactions with precise recovery instructions. If a verified threat is detected, this pre-authorized transaction is broadcast instantly, while the attacker is still in motion, moving funds to a secure, user-controlled vault.
This shift from reactive investigation to pre-programmed response compresses the intervention window from days or weeks to seconds, fundamentally changing the possibility of recovery during exploits.”
Traditional incident response teams measure their effectiveness in hours. How quickly can we detect, analyze, and coordinate a response? In crypto, that timeline is catastrophically slow.
By the time a human security team realizes an exploit is underway, processes the threat, and decides on action, attackers have typically completed multiple blockchain transactions and begun laundering funds across different networks.
Pre-signed transactions eliminate this bottleneck by encoding recovery logic into the system before any threat materializes, creating what amounts to “reflexive” security responses that operate at blockchain speed rather than human speed.
CN: You mention that once a company has started negotiating with a hacker, prevention has already failed. Can you walk me through how Circuit’s system would have handled the CrediX situation differently from the moment of initial attack?
Donnelly: “In the CrediX case, the delay between detection and action left the attacker in control. Circuit eliminates that gap. With Circuit, if the same threat indicators appeared, say a compromised key or abnormal contract activity, triggers would have executed the pre-signed recovery transaction automatically.
Funds would have been isolated in a secure recovery vault before any negotiation was even needed, denying the attacker leverage and preserving both capital and trust.”
As seen across multiple high-stakes incidents, the psychological dynamics of crypto negotiations heavily favor attackers because they hold all the cards.
Once funds are in attacker-controlled wallets, protocols must choose between potentially losing everything or paying substantial “bug bounties” that often reach millions.
These negotiations can drag on for days or weeks, during which time user confidence erodes and market value plummets, regardless of the eventual outcome.
CrediX DeFi protocol exploited for $4.5M as hacker gains admin rights to mint unbacked tokens amid July crypto losses hitting $142M across seventeen incidents.#CrediX #CryptoHackhttps://t.co/VsXYakQiPZ — Cryptonews.com (@cryptonews) August 4, 2025
Technical Architecture of Instant Recovery
CN: Your technology moves assets to safety without relying on private keys or human intervention. How does this work technically, and what are the fail-safes if the automated system itself is compromised?
Donnelly: “Circuit operates with user-generated, pre-signed recovery transactions. They remain inactive, but constantly monitor for specific, predefined threat conditions. Because the transactions are pre-authorized, Circuit never holds private keys or control of assets and because they are already cryptographically signed, they cannot be tampered with.
In the unlikely case that the automated process were to be compromised, the same pre-signed transactions can be initiated manually by the rightful owner, ensuring asset safety regardless of system status.”
CN: What does “the moment a threat is detected” actually mean in practice? How granular is your threat detection, and how do you avoid false positives that could freeze legitimate transactions?
Donnelly: “The system monitors various trigger points continuously, but stays inactive unless triggered by a future key loss or compromise. If that happens, Circuit can broadcast the pre-signed transaction instantly, without needing to reauthorize it.
The pre-approved response executes automatically to recover the assets without needing keys.
Our programmable, tailored approach minimizes false positives and ensures recovery actions are executed only under verifiable threat conditions, preserving legitimate transactions and avoiding unnecessary disruptions.”
The challenge of false positives is one of the most complex aspects of automated security systems.
In traditional cybersecurity, false positives might trigger unnecessary alerts or temporarily block access. In crypto, a false positive could mean automatically moving millions of dollars based on an incorrect threat assessment.
Industry Resistance and Cultural Barriers
CN: With crypto exploits already surpassing $2.5 billion this year, what’s the resistance you’re seeing from protocols to adopt automated recovery systems? Is it technical, cultural, or economic?
Donnelly: “Historically, recovery-first infrastructure was unavailable, making prevention measures the only option in the crypto industry. Now that a reliable recovery solution exists via Circuit, the main barrier is just integration, as the industry culture has long focused on traditional key-based security philosophies.
Nonetheless, the demand for recovery-first approaches, the highest standard of digital asset security, is becoming a clear priority across custody, lending, exchange, and stablecoin platforms.”
The cultural resistance runs deeper than mere technological conservatism. Crypto’s foundational ideology emphasizes immutability and irreversibility as features, not bugs.
Many purists argue that building recovery mechanisms into blockchain systems violates these principles and creates new attack vectors.
However, the staggering loss statistics suggest that ideological purity may be a luxury the industry can no longer afford.
Economic considerations also play a significant role. Implementing automated recovery systems requires upfront investment and ongoing maintenance, costs that many protocols prefer to avoid until after they’ve experienced a major exploit.
This reactive approach to security investment has proven costly. The average loss per incident jumped from $3.1 million in H1 2024 to $7.18 million in H1 2025, far exceeding the cost of implementing comprehensive recovery systems.
Inside Threats and Exit Scams
CN: The apparent disappearance of the CrediX team suggests that some ‘hacks’ might actually be exit scams. How does your technology differentiate between external attacks and insider threats?
Donnelly: “Circuit enforces recovery actions based on pre-defined threat conditions, not intent. Whether an exploit originates externally or internally, recovery triggers such as unauthorized withdrawals or abnormal contract calls will initiate the asset extraction process. This neutral, rules-based model ensures that funds are protected even if the threat comes from inside.”
The distinction between hacks and exit scams has become increasingly blurred in crypto, with some estimates suggesting that up to 30% of reported “exploits” may actually be insider jobs.
This creates a unique challenge for recovery systems, which must protect against threats regardless of their origin.
Traditional security models often include insider threat programs that rely on behavioral analysis and access controls, but crypto’s pseudonymous nature makes such approaches less effective.
CrediX Finance team vanishes after $4.5M hack as exit scam suspected following broken fund recovery promises and deleted social media accounts.#Hack #Crypto #Scamhttps://t.co/e3qJkq042Q — Cryptonews.com (@cryptonews) August 8, 2025
Reshaping the Security Paradigm
CN: You call negotiation-based recovery ‘an outdated safety net.’ What does the security stack look like when automated recovery becomes standard? How does it change the attacker’s calculus?
Donnelly: “When automated recovery becomes standard, security shifts from reacting after a breach to acting the moment a threat appears. Assets are moved to safety within seconds, closing the window of time that the attackers typically rely on. Instead of operating with the confidence that they can drain and launder funds before anyone responds, they face a high-risk, low-reward gamble.
The certainty that once made exploits attractive is replaced by the likelihood of failure. Negotiation-based recovery becomes a rare last resort rather than an a frequent event as we see in today’s landscape.”
Notably, the psychological impact on attackers should not be underestimated. Much of crypto’s appeal to cybercriminals stems from the perceived irreversibility of successful attacks.
Philosophical and Regulatory Implications
CN: How does key-independent recovery impact the fundamental crypto principle of ‘not your keys, not your coins’? Are we trading decentralization for security?
Donnelly: “Key-independent recovery preserves decentralization because the recovery path is created and authorized by the user in advance, without handing keys to a third party.
Users maintain full ownership and control while gaining a failsafe against lost or compromised keys, strengthening, rather than weakening, the “not your keys, not your coins” principle.”
The original “not your keys, not your coins” maxim emerged when the primary threat was trusted third parties absconding with user funds.
Today’s threat is far more complex, with sophisticated state actors, supply chain attacks, and social engineering campaigns that can compromise even the most security-conscious users.
CN: You mentioned regulatory readiness. How do automated recovery systems align with or complicate existing financial regulations, especially around custody and control?
Donnelly: “Regulators want to see both user custody and effective safeguards. In particular, they are focused on removing operational risk associated with key loss or key compromise.
Circuit’s Automated recovery model meets that standard, as assets remain under user control, and recovery actions are transparent, pre-approved, and verifiable.”
Complementary Security Ecosystems
CN: How does Circuit’s approach complement or compete with bug bounty platforms like Immunefi? Are you solving different parts of the same problem?
Donnelly: “Bug bounty platforms like Immunefi focus on prevention, rewarding researchers who find and fix vulnerabilities before they’re exploited.
Circuit complements this with automated recovery that activates instantly during an attack, protecting assets in real time. Prevention reduces the risk of incidents; automated recovery limits the impact if they do occur, creating a layered, resilient defense.”
Early in crypto’s development, security efforts focused almost exclusively on prevention through better audits, more rigorous testing, and comprehensive bug bounty programs.
While these remain crucial, the persistent occurrence of successful exploits has shown that prevention alone is insufficient.
CN: Looking ahead, what attack vectors are you most concerned about that current security measures, including your own, might not adequately address?
Donnelly: “The threat landscape in crypto is always changing. Attackers keep coming up with new ways to exploit systems, often combining old methods in ways we haven’t seen before.
The real challenge isn’t dealing with yesterday’s attacks, it’s trying to prepare for tomorrow’s in advance. Our focus is on staying ahead, thinking about where the next vulnerabilities might be, and putting defenses in place before they’re needed.”
Conclusively, while automated recovery systems can protect against known attack patterns, the crypto space’s rapid innovation creates new attack surfaces faster than defensive measures can be developed and deployed.
The most concerning threats may be those that exploit interactions between different protocols, leverage novel blockchain features, or combine technical attacks with social engineering in new ways.
The key to long-term security may lie not in predicting specific future attacks, but in building systems robust enough to handle unknown threats.
About Donnelly
Harry Donnelly is the CEO and Co-Founder of Circuit, the company making digital assets recoverable. He is a recognized expert in institutional digital asset custody, security architecture, risk mitigation, and crypto insurance. Harry founded Circuit to address a foundational vulnerability in web3 systems: the fragility of private key-based recovery.
Under his leadership, Circuit introduced Automatic Asset Extraction, a transaction-layer recovery technology that ensures institutional access to digital assets is preserved, even in cases of cyberattack, custodian failure, or internal compromise.
The post “4.2% Recovery Rate Proves Negotiation Is Dead” — Circuit CEO on Instant Crypto Asset Recovery | Interview appeared first on Cryptonews.
https://cryptonews.com/exclusives/4-2-recovery-rate-proves-negotiation-is-dead-circuit-ceo-on-instant-crypto-asset-recovery-interview/
