Crypto Exploit Losses Fall Sharply, but Attack Activity Stays High

Crypto exploit losses fell sharply in May, dropping to about $68.3 million from roughly $650 million in April, CertiK data show. The decline reduced headline risk across the sector, marking the third consecutive month in 2026 with losses below $100 million.

The improvement, however, does not mean the threat environment cooled. CertiK recorded about 60 confirmed incidents during the month, showing that attack frequency remained elevated even as the financial damage became less concentrated.

Code Bugs and Bridges Drove May’s Losses

The month’s losses were concentrated in a handful of familiar categories. Code vulnerabilities accounted for roughly $45 million, or about 66% of the total, making software flaws the largest source of damage in May.

Cross-chain infrastructure remained one of the most exposed parts of the market. Bridge-related exploits represented about $28.6 million in losses, equal to roughly 42% of the month’s total, reflecting the risks created by large liquidity pools and multi-component settlement systems.

Wallet and private-key compromises added about $13.7 million, while phishing and social-engineering attacks caused close to $2.6 million in losses. That mix shows why security cannot stop at smart-contract audits, since signing flows, custody practices and user-facing attack vectors remain material weaknesses.

Several notable incidents came from cross-chain vectors. Verus Protocol lost about $11.5 million and THORChain about $10.1 million, while smaller events included Alephium at roughly $0.8 million and Gravity Bridge at about $5.4 million.

Developer Workflows Become the Next Security Front

Beyond traditional contract bugs and key compromises, CertiK flagged a growing role for more sophisticated tooling, including AI-assisted malware aimed at code repositories and development pipelines. That trend shifts part of the defensive burden toward software supply-chain security.

Recovery efforts produced limited relief. Roughly $9.38 million was recovered in May, while teams including protocol guardians and custodians responded to active incidents. The numbers show better emergency coordination, but not enough recovery to offset most losses.

CertiK’s year-to-date tally approached $1.3 billion by the end of May, compared with more than $3.4 billion stolen in 2025. The lower monthly loss figure is encouraging, but the cumulative damage remains substantial.

The technical lesson is direct: reduce exploitable state, limit privileged access and shrink the blast radius in cross-chain designs. Bridges and high-value contracts need tighter key management, routine instrumented audits and stronger validation around oracle and signature flows.

Lower aggregate losses could eventually reduce risk premiums, but persistent incident counts and more advanced attack tooling mean exchanges, protocols and underwriters are likely to keep conservative monitoring and capital buffers in place.
