
Beyond Private Keys: Top Threats to DeFi Account Security

Category: Blockchain Security


POSTED BY: Rob Behnke

02.16.2026

Private key security is foundational to blockchain account security. All transactions recorded on-chain are digitally signed, and validating this signature is a key element of the approval process. Since the algorithms are public, anyone with access to an account’s private key can generate valid signatures, making these keys a prime target for attackers.

However, it’s not always necessary for an attacker to gain direct access to the series of bits or hex characters that make up a private key. DeFi hackers can gain an equivalent level of control in a variety of different ways, and blockchain users and projects need solutions in place to address all of these threats.

Key Account Takeover (ATO) Attack Paths

Cybercriminals can perform account takeover (ATO) attacks in a variety of different ways in the Web3 space. Understanding top security risks and best practices for preventing them is essential to protecting against this security threat.

Compromised Private Keys

While compromised private keys aren’t the only way for an attacker to take over an on-chain account, they’re a common target. If keys are improperly stored and secured, an attacker who obtains them can take full control over the associated accounts.

Managing these threats requires implementing account security best practices, such as the use of cold storage and multi-signature wallets. Cold storage moves keys off-device, reducing the risk that they’ll be accessed by an attacker or malware on an infected system, and multi-sig wallets require attackers to gain control over multiple private keys, decreasing their likelihood of success.

Exposed Mnemonic and Seed Phrases

In addition to private keys themselves, cybercriminals may also target information that is equivalent to a private key. Mnemonic phrases are simply English-language encodings of the same key material as a private key, and seed phrases are used to generate private keys within a hardware wallet.

If these phrases are leaked, it’s just as bad as if the private key itself is exposed. For instance, one of the biggest social engineering attacks to date in the DeFi space involved an IT help desk scam targeting the seed phrase for a Trezor hardware wallet. By tricking the target into providing this phrase, the attacker stole an estimated $282 million from their on-chain accounts.

To protect against these types of attacks, it’s important to secure these pieces of information in the same way as the actual private key. Encrypted storage in password managers or secure hardware helps to protect these keys against potential compromise.

Leaked Custodial Passwords

The ability to “be your own bank” is one of the core benefits of blockchain technology, removing reliance on third parties to manage and secure your money. However, many blockchain users don’t self-custody, instead choosing to have their private keys managed by a custody provider. This helps to lower the bar to entry into the Web3 space, since users don’t need to know how to properly secure their own keys and interact directly with the blockchain.

However, this approach also introduces security risks, trading the responsibility of securing private keys for that of properly protecting passwords. An attacker with access to a user’s custodial account has the same level of control as one with their private key. Additionally, reliance on a third party opens the door to phishing attacks, where the attacker masquerades as the trusted custodian. In 2025, Coinbase was the target of an extortion attack after insiders sold sensitive customer information to cybercriminals, data that could be used to develop targeted social engineering campaigns.

Using a third-party custodian transforms Web3 account security into Web2 account security — protecting passwords and MFA factors from potential attackers. Using a strong, unique password — ideally generated by and stored in a password manager — and a strong form of MFA protects against password-guessing attacks. Additionally, all communications allegedly coming from the custodian should be handled carefully, especially if they request sensitive information.

Social Engineering of Approvers

Cybercriminals don’t always look for and exploit software vulnerabilities; often they target the people behind the software instead. DeFi hackers operate the same way, with social engineering attacks being the root cause of some of the biggest DeFi hacks to date.

In these attacks, DeFi hackers try to trick transaction approvers into digitally signing malicious transactions. If successful, they don’t need access to the account’s private key since all they really need is a valid signature on their attack transaction.

Alternatively, social engineering could be used as a method of gaining access to improperly protected private keys. One example of this is the January 2026 hack of Step Finance, which involved attackers gaining access to executives’ devices via social engineering, allowing them to access signing keys.

Before signing any blockchain transaction, it’s vital to review the contents and functionality of the transaction to ensure that it does what it’s intended to do and nothing else. Additionally, tools like Halborn’s Seraph — which simulates transactions and alerts about risky actions — can help to protect against these types of malicious transactions.

Supply Chain Exploits

Blockchain projects and users rely on complex infrastructure stacks. Beyond the blockchain software itself — and the networks that support it — users might have custody providers, frontend systems, Web2 backends, and other software as part of their infrastructure and workflows.

These additional components can introduce additional risk if targeted by an attacker. For example, the Bybit hack, the most expensive DeFi hack in history, involved a supply chain attack designed to trick the project’s multi-sig approvers into digitally signing a malicious transaction. The attackers did so by compromising the frontend signing system so that the malicious transaction looked benign to the people approving it.

Supply chain attacks can be insidious and difficult to protect against since compromised code can hide the signs of an attack. Halborn’s Seraph helps to protect against this by providing a sandboxed environment for transaction simulation and validation before signing.
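The pre-signing review recommended in the previous section and the frontend compromise described here come down to the same control: never trust the summary a user interface renders, decode the raw transaction independently and compare the two. The following JavaScript is an added example, not code from the original post and not Halborn’s Seraph. It decodes ERC-20 `transfer` and `approve` calldata using the standard 4-byte function selectors, compares the decoded call with what a (possibly spoofed) frontend displayed, and refuses to sign on any mismatch, on an unrecognised selector, or on an unlimited approval. The addresses, amounts, `tx` and `uiSummary` shapes are constructed for the demonstration.

```javascript
// Added example (not from the original post): decode the calldata of a pending
// transaction ourselves and compare it with what the frontend claims, so a
// compromised or spoofed UI cannot hide what the signature would authorise.

// Standard ERC-20 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Decode ABI-encoded calldata for the selectors above. Each argument occupies a
// 32-byte (64 hex character) word; addresses are right-aligned with zero padding.
function decodeCalldata(calldataHex) {
  const hex = calldataHex.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || hex.length % 2 !== 0) throw new Error("malformed calldata");
  const selector = hex.slice(0, 8);
  const entry = SELECTORS[selector];
  if (!entry) return { name: "unknown", selector, args: [] };
  const body = hex.slice(8);
  if (body.length !== entry.params.length * 64) throw new Error("unexpected argument length");
  const args = entry.params.map((type, i) => {
    const word = body.slice(i * 64, (i + 1) * 64);
    if (type === "address") {
      if (!/^0{24}/.test(word)) throw new Error("non-zero padding in address word");
      return "0x" + word.slice(24);
    }
    return BigInt("0x" + word);
  });
  return { name: entry.name, selector, args };
}

// Compare the decoded calldata with the summary the frontend displayed.
// uiSummary = { action: "transfer" | "approve", recipient: "0x...", amount: "123" } (constructed shape).
function checkBeforeSigning(tx, uiSummary) {
  const decoded = decodeCalldata(tx.data);
  const findings = [];
  if (decoded.name === "unknown") {
    findings.push(`unrecognised selector 0x${decoded.selector}: do not sign what you cannot decode`);
    return { decoded, findings, safeToSign: false };
  }
  const [to, amount] = decoded.args;
  if (decoded.name !== uiSummary.action) {
    findings.push(`frontend shows "${uiSummary.action}" but calldata calls ${decoded.name}`);
  }
  if (to !== uiSummary.recipient.toLowerCase()) {
    findings.push(`frontend recipient ${uiSummary.recipient} differs from calldata recipient ${to}`);
  }
  if (amount !== BigInt(uiSummary.amount)) {
    findings.push(`frontend amount ${uiSummary.amount} differs from calldata amount ${amount}`);
  }
  if (decoded.name === "approve" && amount === MAX_UINT256) {
    findings.push("unlimited approval: the spender could move the entire token balance");
  }
  return { decoded, findings, safeToSign: findings.length === 0 };
}

// Helper to build ABI-encoded calldata for the constructed samples below.
function encodeCall(selector, address, amount) {
  return "0x" + selector + address.slice(2).toLowerCase().padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// Constructed sample data (placeholder addresses, not real accounts).
const ALICE = "0x" + "a1".repeat(20);
const SPENDER = "0x" + "b2".repeat(20);

// Honest frontend: what it shows matches the calldata.
const SAMPLE_BENIGN = {
  tx: { data: encodeCall("a9059cbb", ALICE, 100n) },
  ui: { action: "transfer", recipient: ALICE, amount: "100" },
};

// Spoofed frontend: shows a small transfer, but the calldata is an unlimited approve to another party.
const SAMPLE_SPOOFED = {
  tx: { data: encodeCall("095ea7b3", SPENDER, MAX_UINT256) },
  ui: { action: "transfer", recipient: ALICE, amount: "100" },
};

for (const [label, sample] of Object.entries({ benign: SAMPLE_BENIGN, spoofed: SAMPLE_SPOOFED })) {
  const result = checkBeforeSigning(sample.tx, sample.ui);
  console.log(label, result.safeToSign ? "safe to sign" : "DO NOT SIGN", result.findings);
}
```

The design point is that `checkBeforeSigning` takes its ground truth from `tx.data`, the bytes the signature will actually cover, and treats the frontend’s summary as a claim to be checked rather than a source of truth. Running such a check on a separate, independently administered device (or a hardware wallet that shows decoded calldata on its own screen) is what makes it hold up when the signing frontend itself has been compromised; the same approach extends to multisig wrapper calls by decoding the inner call the wrapper would execute.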

Enhancing Account Security with Halborn

Securing private keys is an important part of Web3 account security, but stolen keys aren’t the only way attackers can achieve their goals. DeFi hackers may target equivalent secrets (like custody passwords), use social engineering tactics, or compromise the infrastructure that users and projects rely upon.

In addition to following foundational account security best practices, DeFi projects also need security strategies and programs designed to manage the risk of sophisticated DeFi hackers. For help with designing security controls that protect your project, get in touch.

