Halborn, Crypto Audits, and Why Code Still Gets Hacked
Halborn built a business auditing and dissecting crypto hacks, from a landmark 280-chain disclosure to a $90 million raise. So why did 2025 still set a record for stolen funds?
Every major crypto exploit produces two documents: the on-chain transaction that drains the money, and the post-mortem that explains how it happened. For a growing share of those post-mortems, the byline belongs to a security firm rather than the protocol that lost the funds. Halborn, a Miami-based blockchain security company, has spent the better part of a decade turning that second document into a business. Its story is a useful lens on a harder question: if auditing crypto code is now a well-funded industry, why does the money keep leaking out?
Who Halborn Is, and What It Actually Does
Halborn was founded in 2019 by Steven Walbroehl and Rob Behnke, who bootstrapped the firm for years before taking any outside capital. The pitch was straightforward: apply the discipline of traditional offensive security, the red-team penetration testing that banks and defense contractors pay for, to smart contracts and the infrastructure around them.
The work now spans four broad lanes: manual smart contract audits, advanced penetration testing of decentralized apps and wallets, infrastructure and DevOps security reviews, and a “CISO-as-a-service” offering for teams too small to hire a full-time security chief. According to the firm’s own public audit archive, its engineers cover EVM chains such as Ethereum, Polygon and Avalanche, plus Solana, Cosmos, the Move-based networks Sui and Aptos, and Algorand. A single engagement can mean line-by-line code review, a simulated real-world attack, and a check of the backend servers that a contract quietly depends on.
The $90 Million Bet on Blockchain Security
For its first three years, Halborn ran on revenue alone. That changed in July 2022, when the firm closed a $90 million Series A led by the growth investor Summit Partners, with Castle Island, Digital Currency Group, Brevan Howard and Third Prime among the backers. It was, as Summit Partners noted at the time, the first external funding in the company’s history.
The round landed in the depths of a bear market, months after the Terra collapse and just before FTX imploded, which made a nine-figure check for a security shop notable on its own. Halborn did not disclose a valuation. Coverage from The Block framed the raise around a plan to expand the offensive-security team and build out Halborn Labs, an internal division meant to ship software products rather than bill hours. The underlying bet was that security spending is one of the few crypto line items that grows when prices fall, because that is exactly when exploits spike.
Rab13s: The Bug Hunt That Put Halborn on the Map
Halborn’s most cited piece of research began as a routine job. In March 2022 the firm was contracted to review the Dogecoin codebase. Its researchers, led by senior offensive security engineer Hossam Mohamed, found several critical bugs, then realized the same flaws lived in the shared lineage of hundreds of other chains. Halborn grouped them under the name “Rab13s” and, in a public disclosure in March 2023, warned that more than 280 networks were affected, with over $25 billion in assets theoretically at risk.
The most serious flaw let an attacker send crafted consensus messages that would crash a node; do that to enough nodes and a chain becomes vulnerable to a 51% attack. As Cointelegraph reported, a second class of bug could crash nodes through remote procedure call (RPC) requests, and a third opened a path to remote code execution, though both needed valid credentials and were rated lower risk. Dogecoin, Litecoin and Zcash shipped patches before disclosure; many smaller forks did not.
| Vulnerability class | Effect | Precondition | Severity |
|---|---|---|---|
| Crafted consensus message | Node crash, path to a 51% attack | Network access | Critical |
| Malicious RPC request | Node crash, denial of service | Valid RPC credentials | High |
| RPC code path abuse | Potential remote code execution | Valid RPC credentials | High |
From One-Off Audits to Full Incident Response
An audit is a snapshot. The more durable relationship, and often the more lucrative one, is what happens after a protocol ships. Halborn has leaned hard into incident response and forensic analysis, the work of tracing how an attacker got in once the money is already gone. Its engineers publish monthly summaries of DeFi exploits and detailed breakdowns of individual hacks, a genre that doubles as marketing and as a public record.
When the Sui-based exchange Cetus lost roughly $223 million in May 2025, Halborn published an explainer tracing the root cause to a botched overflow check in the protocol’s fixed-point math, a single missing guard that let an attacker mint enormous liquidity credit for a tiny deposit. This is the reputational core of the modern security firm: the post-mortem is where a company shows it understands the failure better than the team that suffered it.
A Record Year for Theft, and What It Cost
Demand for firms like Halborn is a direct function of how much gets stolen, and 2025 set records. Chainalysis counted more than $3.4 billion in crypto stolen through early December, edging past 2024. A single event, the February 2025 breach of the exchange Bybit, accounted for roughly 44% of the annual total on its own; Bloomberg reported the $1.5 billion loss, attributed to North Korea’s Lazarus Group, as the largest crypto heist on record.
State-backed theft defined the year. Chainalysis tied at least $2.02 billion, roughly 59% of the total, to operators linked to North Korea, and TRM Labs reached a similar conclusion in its own tally. Cetus, for its part, later relaunched after Sui validators froze roughly $162 million before it could be bridged off the chain, The Block reported. The table below lists several of the largest 2025 incidents and how each one happened.
| Target | Date | Loss (USD) | Attack vector |
|---|---|---|---|
| Bybit | Feb 2025 | $1.5B | Compromised Safe wallet interface, injected JavaScript |
| Cetus Protocol | May 2025 | $223M | Integer overflow in liquidity math |
| Balancer V2 | Nov 2025 | $121M | Rounding and precision exploit |
| GMX V1 | Jul 2025 | $40M | Reentrancy |
Why Audited Code Still Gets Drained
Here is the uncomfortable part for the entire audit industry, Halborn included: several of 2025’s biggest losses hit code that had been reviewed, sometimes more than once. An audit certifies that a specific version of a contract, examined for a fixed number of weeks, did not contain the bugs the reviewers were looking for. It does not certify that the code is safe forever.
- Audits are a snapshot. Protocols change constantly through governance votes, parameter tweaks and new integrations, so the reviewed version is often not the deployed one for long.
- Economic and design flaws slip through. Reviewers have gotten good at catching reentrancy and overflow bugs, and are still weaker at catching flawed incentive math and oracle assumptions.
- Time is short. Teams routinely hand auditors tens of thousands of lines to cover in two to four weeks against a hard launch date.
- Novel vectors are invisible. Auditors check for known attack classes; a genuine zero-day, by definition, is not on the list.
The Cetus overflow is a textbook case. A single missing bounds check in a math library, the kind of one-line defect that is easy to overlook and catastrophic to ship, cost more than $200 million in under 15 minutes. No auditor catches every such line, every time, which is why serious teams treat a clean report as a floor rather than a finish line.
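To make the failure mode concrete, here is an illustrative fixed-point pricing helper in Rust, added for this piece and not Cetus's or Halborn's code, showing an unguarded computation beside its guarded form; the Q64.64 layout, the function names and the sample inputs are constructed assumptions, not details from the Cetus incident.

```rust
// Illustrative example (constructed, not Cetus's or Halborn's code).
// Prices are Q64.64 fixed point: the low 64 bits hold the fraction.
const FRAC_BITS: u32 = 64;

/// Tokens a depositor must pay for `liquidity` units across a price range
/// of width `delta_sqrt_price` (Q64.64), rounded up as a pool should.
/// UNGUARDED: the 128-bit product silently wraps for large inputs, so an
/// absurd `liquidity` can end up costing a single token.
pub fn required_deposit_unchecked(liquidity: u128, delta_sqrt_price: u128) -> u128 {
    let product = liquidity.wrapping_mul(delta_sqrt_price); // wraps mod 2^128
    let frac_mask = (1u128 << FRAC_BITS) - 1;
    let round_up = (product & frac_mask != 0) as u128;
    (product >> FRAC_BITS) + round_up
}

/// GUARDED: identical arithmetic, but any overflow is a hard failure the
/// caller must abort on, rather than a wrapped value that looks valid.
pub fn required_deposit_checked(liquidity: u128, delta_sqrt_price: u128) -> Option<u128> {
    let product = liquidity.checked_mul(delta_sqrt_price)?;
    let ceil = product.checked_add((1u128 << FRAC_BITS) - 1)?;
    Some(ceil >> FRAC_BITS)
}

fn main() {
    // Constructed range width: 0.25 in Q64.64.
    let quarter = 1u128 << 62;
    // Honest position: both versions agree on the price (250 tokens).
    println!(
        "1000 liquidity -> unchecked {} / checked {:?}",
        required_deposit_unchecked(1_000, quarter),
        required_deposit_checked(1_000, quarter)
    );
    // Constructed oversized request: the product is 2^128 + 2^64, which wraps
    // to 2^64, so the unchecked path charges 1 token for ~7.4e19 liquidity.
    let absurd = (1u128 << 66) + 4;
    println!(
        "{} liquidity -> unchecked {} / checked {:?}",
        absurd,
        required_deposit_unchecked(absurd, quarter),
        required_deposit_checked(absurd, quarter)
    );
}
```

The guarded version is the one-line discipline the paragraph above describes: every multiply or shift that can exceed the word size must either be checked or be proven impossible to overflow by a bound on its inputs.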
A Pivot Toward Banks and Tokenized Assets
In September 2024, Halborn named Jacques Boschung as chief executive, with co-founder Rob Behnke moving to executive chairman and president. Boschung arrived from Kudelski Security and Dell, a resume aimed squarely at enterprise and banking clients rather than DeFi startups.
The signal is clear enough. As traditional banks and asset managers move toward tokenized funds and on-chain settlement, the buyers of blockchain security are shifting from anonymous protocol teams to regulated institutions with compliance departments and board-level risk committees. Boschung has publicly flagged the longer-term threat that quantum computing poses to today’s cryptography, and Halborn has pushed a “secure by design” message aimed at institutions that cannot survive a public exploit. Whether a firm built on offensive DeFi research can also sell to banks is the open question behind the leadership change.
Where US Regulators Fit, and Where They Don’t
Here is a fact that surprises people new to crypto: no US regulator requires a smart contract audit, and none accredits the firms that perform them. In traditional finance, public-company auditors answer to the Public Company Accounting Oversight Board and operate under standards enforced by the Securities and Exchange Commission. There is no equivalent for Solidity. A Halborn report carries weight because the market trusts Halborn, not because any agency stands behind it.
That gap persists even as the SEC’s posture toward crypto has softened under chair Paul Atkins, whose Project Crypto initiative and dedicated task force replaced the enforcement-first stance of the prior administration. Rulemaking so far has centered on how tokens are classified and traded, not on mandating a security-review standard for the code that custodies billions. For now, audit quality is policed by reputation and by the brutal feedback loop of public failure. A firm that signs off on a contract later drained pays in credibility, which is precisely why the post-mortem matters as much as the original audit.
The Takeaway: Necessary, Not Sufficient
Halborn’s arc, from two founders in 2019 to a $90 million raise, a landmark cross-chain disclosure, and a push into institutional finance, tracks the maturation of crypto security as a whole. The industry has genuinely improved: DeFi losses stayed suppressed in 2025 even as total value locked recovered, a sign that faster response and hardened code are working. Yet the aggregate stolen figure still climbed, driven by exchange-level breaches and state-backed crews who target the humans and the interfaces, not just the contracts.
The lesson embedded in Halborn’s own case studies is that an audit is necessary and nowhere near sufficient. Monitoring, incident response, key management and the unglamorous discipline of not shipping unreviewed code all matter as much as the report with a security firm’s logo on the cover. The money keeps leaking out not because auditing failed, but because a single review was never going to be enough on its own.
By Marcus Feld, HOGE Wire senior editor covering blockchain security and on-chain exploits.