For a long time, getting DeFi contracts to perform audits pre-launch was the biggest challenge in the DeFi security space. Often, projects were launched with a “test in prod’ mentality, taking advantage of the fact that one massive hack after enough has done little to dissuade users.

Over time, the mentality has shifted, and many DeFi projects boast audits from reputable firms. In fact, some projects deliberately perform audits with several different providers, hoping that several pairs of eyes looking over their code will maximize the likelihood that vulnerabilities will be found and fixed before they can be exploited in a multi-million dollar hack.

These audits are a critical part of a DeFi security strategy since they help to identify and address the vulnerabilities exploited in on-chain attacks. However, as DeFi hacks increasingly move off-chain, they’re not enough on their own.

In her blockchain security predictions for 2025, Mar Aguilar, Halborn’s Lead Security Architect, stated that most DeFi hacks that occur this year would involve private key security, not the exploitation of smart contract vulnerabilities. While we’re only a couple of months into the year, this forecast has already been proven to be right on target.

Private keys are the root of trust for blockchain accounts. Every transaction is digitally signed using one or more private keys before it is submitted to the blockchain and accepted by other blockchain nodes. As long as the digital signature algorithms used by blockchain remain secure, the only way to generate a valid digital signature is by using the correct private key.

With smart contracts closing the major security gaps that attackers can exploit on-chain, DeFi hackers have been turning their focus to off-chain techniques targeting these private keys. This is especially true of the Lazarus Group, which specializes in social engineering attacks designed to steal private keys or trick their targets into signing a malicious transaction.

This new focus on targeting private keys in off-chain attacks means that smart contract audits are not enough to ensure the security of DeFi projects. If an attacker can generate a valid transaction that transfers ownership of a smart contract to them or upgrades it to a malicious version, then the fact that the original contract was audited and free of exploitable vulnerabilities does little to protect it.

For examples of how DeFi hacks are changing, look no further than the recent hacks of Bybit, which lost approximately $1.4 billion in February 2025, and WazirX, which was hacked for about $235 million in July 2025. These two centralized exchanges (CEXs) were the victims of startlingly similar and sophisticated attacks.

Both of these incidents looked little like the typical CEX hack. The organizations had multi-sig wallets in place to protect critical accounts, and private keys were protected by cold storage. These multi-sig wallets were implemented by a trusted provider.

In both incidents, the signers approved a malicious transaction that permitted the hackers to carry out their attack. In the case of Bybit, this transferred ownership of a multi-sig wallet to the attacker. The WazirX hacker performed a smart contract upgrade to a malicious contract.

These attacks were made possible by an off-chain attack targeting the interface used to sign multi-sig transactions. The attackers modified the interface — likely by installing malware on the signers’ systems — to conceal the malicious content with the transactions. Once the signers approved and digitally signed the transactions, the damage was done.

Most major DeFi projects now perform smart contract audits, which is why DeFi hackers have switched their focus to off-chain attacks. If attackers steal private keys or trick signers into approving malicious transactions, then even the best on-chain defenses may not be enough to protect customer assets.

Bybit and WazirX are notable for the fact that they were hacked despite implementing many security best practices, including:

• Multi-Sig Wallets: Using multiple private keys requires an attacker to steal several keys or trick multiple parties into signing a malicious transaction.

• Cold Storage: Storing private keys for major accounts in a hardware wallet protects them against theft by malware and similar means.

• Transaction Review and Approval: Transaction signers verified the transaction destination and data in a reputable user interface before authorizing it.

However, the recent hacks of these CEXs demonstrate that this is not enough. Threat actors like the Lazarus Group have performed highly targeted attacks using malware to compromise the signing interfaces used to validate and approve transactions. As a result, threat actors can trick employees into signing malicious transactions that masquerade as legitimate ones.

These types of threats won’t be caught by a smart contract audit because they use off-chain attack vectors rather than exploiting smart contract vulnerabilities. To combat this type of risk, Halborn offers advisory services to projects at every stage of the development process from initial planning through long-term maintenance. With support from Halborn advisors, teams can ensure that every part of their environment is implementing security best practices, such as key rotation, anti-malware, transaction validation, and more.

Hacks like those targeting Bybit and WazirX demonstrate that DeFi hackers will go the extra mile to compromise high-value targets. Stay tuned for another blog on how Halborn's Seraph tool offers protection against these types of threats. For help in protecting your project against these advanced threats, reach out to Halborn.