Losses incurred from exploits on cryptocurrency platforms fell sharply to $68.3 million in May, marking an approximate 90% decline compared to the $650 million lost in April. According to data published by blockchain security firm CertiK, May represents the third month in 2026 where aggregate monthly security losses remained below the $100 million threshold.
Of the total capital lost during the month, phishing attacks accounted for roughly $2.6 million, while approximately $9.4 million of stolen digital assets were successfully recovered or returned. The sharp retreat follows an exceptionally severe April, which had recorded the highest monthly exploit losses since March 2022 (excluding the $1.5 billion Bybit hack in February 2025), driven largely by a $291 million exploit of Kelp DAO.
Code Vulnerabilities and Cross-Chain Bridges Remain Top Threats
Technical analysis of May’s security breaches indicates that code vulnerabilities were the most destructive attack vector, causing roughly $45 million in losses, or 66% of the monthly total. Compromised wallets or private keys represented the second most expensive category, accounting for $13.7 million in stolen funds.
In terms of infrastructure targets, cross-chain bridges bore the brunt of malicious activity, suffering $28.6 million in losses, representing 42% of the month’s total, followed closely by decentralized finance (DeFi) protocols.
Key Protocol Exploits and Private Key Compromises
The single largest security breach in May occurred on May 18, targeting Verus Protocol’s cross-chain bridge and resulting in a theft of $11.5 million. A mid-month exploit on THORChain ranked as the second largest incident, with $10.1 million drained from the protocol.
Data compiled by DeFiLlama identified a total of 29 security incidents across the industry during May, seven of which were attributed directly to compromised private keys. This vector was highlighted in two late-month incidents on May 30:
- Gravity Bridge exploited for $5.4 million due to a private key compromise.
- Alephium Bridge incurred an $815,000 loss stemming from the same attack vector.
Additionally, security researchers noted a growing operational threat from artificial intelligence-assisted malware. Throughout May, malicious actors increasingly targeted both Web3 and AI developers by compromising code repositories and tricking automated AI coding assistants to insert security gaps.
