TL;DR:
- Crypto exploit losses fell to $68.3 million in May, down nearly 90% from April’s $650 million spike, making it the third 2026 month below $100 million.
- Bridges remained the main target, with $28.6 million stolen, while code vulnerabilities caused about $45 million in monthly losses.
- Verus Protocol and THORChain led May’s incidents, as private key compromises and AI-assisted malware kept security concerns active across crypto infrastructure and developer workflows globally.
Crypto exploit losses cooled sharply in May, giving the market a rare security headline that looked better on the surface than the month before. Losses from crypto platform exploits fell to $68.3 million, down nearly 90% from April’s $650 million spike, according to CertiK figures. The relief is real, but oddly incomplete, because May still produced fresh bridge attacks, private key failures and code-level losses. CertiK said it was the third month of 2026 with losses below $100 million.
Combining all the incidents in May we’ve confirmed ~$68.3M lost to exploits with
~$2.6M of the total attributed to phishing.After a particularly bad April, May is now the third month of 2026 to record losses under 100M$.
More details below 👇 pic.twitter.com/GSWTLKXWDH
— CertiK Alert (@CertiKAlert) May 31, 2026
Bridges remain the weak point
The monthly breakdown shows why the lower total should not be mistaken for a clean security reset. About $2.6 million of May’s stolen crypto came from phishing attacks, while roughly $9.4 million was recovered or returned. April’s damage was extraordinary, with the largest loss coming from a $291 million Kelp DAO exploit, and, excluding the $1.5 billion Bybit hack in February 2025, April marked the highest monthly losses since March 2022. May looks calmer only because April was so severe, not because exploit pressure disappeared.
The largest May incident was the May 18 exploit of Verus Protocol’s cross-chain bridge, where $11.5 million was stolen. THORChain followed with $10.1 million taken in a mid-May exploit. Code vulnerabilities accounted for the biggest value of losses during the month, representing about 66% of the total, or around $45 million. Wallet and private key compromises ranked second, with $13.7 million stolen. The pattern keeps pointing back to infrastructure fragility, especially as cross-chain bridges were the most targeted category at $28.6 million, or 42% of total monthly losses.
Incident counts reinforce the uneasy picture. DeFiLlama data showed 29 incidents in May, seven involving compromised private keys. The final two reported cases, Alephium Bridge and Gravity Bridge on May 30, lost $815,000 and $5.4 million, respectively, because of private key compromises. The market got a quieter month, not a safer one, while AI-assisted malware was also rising as attackers targeted crypto and AI developers through compromised code repositories and manipulated coding assistants.
The uncomfortable takeaway is that fewer headline losses can still conceal broad operational weakness across bridges, wallets and developer tooling, leaving May’s apparent improvement dependent on context rather than confidence as new attack surfaces keep widening in practice.
