In my opinion, both custodial and non-custodial accounts lose about 5% each year due to criminal attacks or mishandling. The problem is always people messing it up, but the reasoning and the mechanisms are different.
With custodial accounts, everyone is completely relying on the banks, which are just a group of people. The advantage of central banking is that if something happens, they can usually just take your money back for you. Identity theft, fraud, and different kinds of hacking are common, so you just hope that the bank is competent enough to ward off threats and not lose all the money like Sam Bankman-Fried at FTX.
At least with crypto hardware wallets, if you do it correctly, it is mathematically certain that the account security is unhackable. There’s still a variety of things you can do to compromise the wallet or recovery phrase, just like being your own personal bank, but at least you are not entirely dependent on a group of bankers. The infrastructure to be your own bank is an incredibly powerful technology. The common issue I see preventing people from using hardware wallets is that it’s just annoying to have another device, which is why I assume Bo Shen and most people don’t use one.
Bo Shen, an exec from early crypto investment firm Fenbushi (founded in Shanghai, but he says he lives in Atlanta), was hacked for $42M from a Binance-owned software wallet called TrustWallet. Cybersecurity firm SlowMist says the hacker obtained Shen’s recovery phrase, so the hacker must have stolen it off his device, maybe directly from the software wallet. This is only possible if the data is stored locally on an internet-connected device. The advantage of a hardware wallet, like Ledger Nano X, is that this information is kept off of your internet-connected phone or computer so it cannot be accessed online.
Shen was holding $38M of the total in USDC, which is a centralized stablecoin asset. Those stablecoins (USDT Tether or USDC) are just US dollars on the blockchain that banks can destroy or print at any moment. Bo Shen probably had some confidence that USDC’s supporting corporation Circle (Series D investment by Fenbushi) would be able to help him if they were stolen, but the hacker immediately sold everything for decentralized assets, namely DAI. This hack was 2 weeks ago and Shen just posted publicly yesterday, Nov. 22, so it’s likely he didn’t notice for a while. This is apparently the second time Bo Shen has been hacked from a crypto wallet. The first time, Shen was a victim of a social engineering attack on his email and phone, very comparable to the recent hack. He lost at least $300k in Augur and Ethereum on that first hack.
Obviously the moral of this story is to use hardware wallets, but the efficacy of custodial accounts and non-custodial wallets is still up for debate. To hedge these systemic risks, you should probably use both.
Bo Shen’s empty wallet
Hacker’s account associated with the hack/phishing
Hacker’s trading account
Hacker’s vault account with $38M DAI