Sharp decline from April’s $650 million marks third straight month under $100 million
Cryptocurrency exploit losses fell to $68 million in May 2026, down sharply from $650 million in April, according to data released by blockchain security firm CertiK on May 31. Code vulnerabilities accounted for $45 million, or 66% of total losses, while cross-chain bridge exploits contributed $28.6 million, or 42% of the monthly total.
The May decline marks the third consecutive month in 2026 in which losses stayed below $100 million. April had been the worst month since March 2022, excluding the $1.5 billion Bybit hack in February 2025. That month included the $291 million Kelp DAO exploit.
Cross-chain bridges emerged as the most exploited category by both incident count and dollar value. Verus Protocol’s cross-chain bridge was hit on May 18, losing $11.5 million. On May 30, two additional bridge protocols suffered exploits: Alephium Bridge lost $815,000, while Gravity Bridge lost $5.4 million.
THORChain incurred $10 million in losses from an attack in mid-May. Across all of May, DeFiLlama counted 30 separate incidents. Wallet and private key compromises ranked second in dollar damage at $13.7 million, with seven incidents involving compromised private keys. Phishing attacks were comparatively minor, responsible for just $2.6 million in losses.
Security researchers identified AI-assisted malware as an emerging threat in May. These attacks targeted code repositories and attempted to trick AI-powered coding assistants, marking a shift in attack methodology against crypto and AI developers. CertiK did not detail the success rate or specific protocols targeted by these AI-assisted campaigns.
Recovery efforts during May returned or recovered $9.4 million in stolen or compromised funds. The sharp month-over-month decline in losses reflects either improved protocol defenses, fewer high-value exploits, or both. CertiK did not explain the specific drivers of May’s lower loss total.
Bridge Risk Persists Despite Awareness
Cross-chain bridges have remained a focal point for attackers throughout 2026. The three May bridge exploits demonstrate that despite heightened industry awareness of bridge vulnerabilities, protocols continue to experience significant losses. The concentration of bridge exploits in a single day, May 30, suggests either coordinated reconnaissance or parallel discovery of similar attack vectors.
Code vulnerabilities, which drove two-thirds of May losses, remain the primary attack surface. The 66% share underscores the ongoing challenge of secure smart contract development and auditing. May’s data reinforces that even as the crypto industry matures, implementation flaws continue to exceed operational security failures like compromised keys or social engineering.
