The attackers do not have the secret key. There is a bug in the plugin which attackers use to access your login page. This issue has been discussed several times; hopefully it will be fixed in the next release of this plugin.
There are some useful threads you may need to follow:
http://wordpress.org/support/topic/how-to-ban-admin-logins
http://wordpress.org/support/topic/after-enabling-hide-backend-still-i-am-getting-bad-login-attempt-how