Crypto exploit losses plunge 90% in May to $68M as bridges and keys stay key risks

Crypto exploit losses in May fell about 90% month over month to $68.3M, down from roughly $650M in April, per CertiK. May marked the third time in 2026 that total crypto exploit losses stayed under $100M. Phishing remained a material issue: about $2.6M of stolen funds were linked to phishing, while roughly $9.4M was recovered or returned. Excluding the outlier Bybit hack in Feb 2025 ($1.5B), April was still the worst month since Mar 2022, including a $291M Kelp DAO exploit. CertiK highlighted the biggest May incidents by size: a May 18 Verus Protocol cross-chain bridge exploit stole $11.5M, and THORChain followed with about $10.1M stolen in a mid-May attack. By loss driver, code vulnerabilities caused about $45M (~66%) of crypto exploit losses, while wallet/private-key compromises totaled $13.7M. Cross-chain bridges were the main target type, taking $28.6M (~42%) of losses. CertiK also logged 29 incidents in May, with seven involving compromised private keys. The two latest were Alephium Bridge and Gravity Bridge, exploited due to private key compromise for $815K and $5.4M respectively. For traders, the headline drop improves risk sentiment, but crypto exploit losses are still concentrated in cross-chain infrastructure and key management—areas that can quickly reprice risk premia and short-term volatility.