After one of the most brutal months on record, the crypto security picture improves dramatically in May 2026.
Total losses from hacks and exploits fall to somewhere between $68 million and $81.7 million depending on the measuring firm, either way, a decline of roughly 87 to 90 percent compared to the approximately $647 to $650 million stolen in April. The numbers offer genuine relief. But buried inside them is a pattern that refuses to go away: cross-chain bridges are still getting hit harder than anything else, and the list of protocols losing tens of millions to exploits is long enough to keep the industry honest about how much work remains.
#PeckShieldAlert In May 2026, the crypto space saw 40 major hacks totaling $81.7M – an 87.4% MoM decrease from April ($647M).
Cross-chain protocols remained a primary target – with 8 significant #bridge & #crosschain exploits accounting for $33.28M (41%) of the month's total… pic.twitter.com/Q1vrqXZJt8
— PeckShieldAlert (@PeckShieldAlert) June 1, 2026
PeckShield counts 40 major hacks in May 2026 with total losses reaching $81.7 million, representing an 87.4% month-over-month decrease from April’s $647 million.
CertiK’s parallel accounting lands at $68.3 million, arriving at a similar conclusion through a slightly different methodology, either way, the directional story is the same. May is significantly safer than April was.
Combining all the incidents in May we’ve confirmed ~$68.3M lost to exploits with
~$2.6M of the total attributed to phishing.After a particularly bad April, May is now the third month of 2026 to record losses under 100M$.
More details below
pic.twitter.com/GSWTLKXWDH
— CertiK Alert (@CertiKAlert) May 31, 2026
That improvement is worth acknowledging. April 2026 was by several measures the worst month for crypto security in recent memory, with near-daily exploits and losses accumulating at a pace that shocked even veteran observers of the space. Coming off that baseline, an 87 to 90 percent decline is not a rounding error, it is a material shift, and CertiK reads it as a signal of improved security practices beginning to take hold across the industry.
The honest caveat is that one relatively quiet month does not constitute a trend. May’s figure still represents $68 to $81 million in stolen funds across 40 incidents. Framed against the horror of April, that looks like progress. Framed against any reasonable standard of what a maturing financial infrastructure should tolerate, it is still a significant number.
Eight significant bridge and cross-chain exploits account for $33.28 million of May’s total losses, 41 percent of the month’s damage concentrated in a single category of infrastructure. That figure lands not as a surprise but as a confirmation of a pattern the industry has been watching build for years. Bridges are the most reliably exploited structures in crypto, and May does nothing to disturb that reputation.
#PeckShieldAlert In May 2026, the crypto space saw 40 major hacks totaling $81.7M – an 87.4% MoM decrease from April ($647M).
Cross-chain protocols remained a primary target – with 8 significant #bridge & #crosschain exploits accounting for $33.28M (41%) of the month's total… pic.twitter.com/Q1vrqXZJt8
— PeckShieldAlert (@PeckShieldAlert) June 1, 2026
The structural reasons for this concentration of risk are well understood at this point. Cross-chain bridges hold large pools of collateral in custody on one chain while minting mirror assets on another. They advertise their addresses publicly, they process high-value transfers continuously, and their security model almost always depends on some combination of smart contract logic, validator sets, and cryptographic key management, any one of which, if compromised, can drain the entire pool. May’s bridge exploits run the gamut of these failure modes, from key compromises to validator coordination failures to contract vulnerabilities.
The full breakdown of May’s ten largest hacks] reveals both the scale and the diversity of the attacks. SUPERFORTUNE888 leads the list with $15.18 million in losses, taking the month’s largest single exploit. The Verus-Ethereum Bridge follows at $11.58 million, a notable entry on the list because those funds are subsequently refunded, making it one of the rare cases where an exploit results in recovery rather than permanent loss.
THORChain absorbs $10 million, continuing a difficult year for a protocol that has faced repeated security challenges. DxSale loses $7.3 million, while Trusted Volumes suffers $5.9 million in losses. Gravity Bridge, which draws significant community attention after investigators flag the mechanics of its key compromise, is drained for $5.4 million, with a substantial portion of those funds remaining in the attacker’s wallet at the time of reporting.
SquidRouter Module loses $3 million, StablR Euro suffers $2.8 million, TAC’s cross-chain layer on the TON side loses another $2.8 million, and RetoSwap rounds out the top ten at $2.7 million. Taken together, these ten incidents account for the overwhelming majority of May’s total losses and span multiple chains, bridge architectures, and exploit vectors.
The persistence of bridge exploits at the top of every monthly security report is not a coincidence, and it is not bad luck. It is a structural consequence of how cross-chain infrastructure is currently built and operated. Bridges concentrate value in identifiable locations, they depend on key management practices that vary enormously in quality across projects, and they often operate with validator sets small enough that compromising a small number of signers translates directly into full control over the custody pool.
The Gravity Bridge and Verus-Ethereum Bridge incidents in May both reflect versions of this problem. When three out of four guardian keys are compromised on a Wormhole fork, the quorum math delivers full bridge authority to the attacker instantly. When validator coordination fails during a key rotation, the window of vulnerability opens faster than any monitoring system can close it. These are not exotic attack scenarios requiring sophisticated zero-day exploits, they are known failure modes being exploited repeatedly because the underlying architectural decisions that create them have not been sufficiently addressed across the industry.
The 87 percent drop from April to May invites a question worth sitting with: is this genuine improvement, or is it regression to the mean after an unusually catastrophic month? The honest answer is probably some of both. April’s losses were inflated by several very large individual exploits, KelpDAO’s $300 million loss and Drift’s $200 million loss contributed an enormous share of that month’s total, and months with losses at that scale are statistical outliers even in crypto’s difficult security environment.
At the same time, CertiK’s assessment that the decline reflects improved security measures is not without basis. The industry has been investing more heavily in formal verification, third-party auditing, bug bounty programs, and real-time on-chain monitoring than at any previous point in its history. Those investments do not produce overnight results, but they accumulate over time, and the May figures may be beginning to reflect some of that accumulated effort.
Forty exploits in a single month, even a relatively good month, is a number that demands continued attention. The improvement from April is real and meaningful, but the structural vulnerabilities that made April possible have not been eliminated. Bridge architecture remains dangerously concentrated. Guardian sets remain undersized on many cross-chain protocols. Key management practices remain inconsistent across the industry. And the financial incentive to attack these structures, which scales directly with the value they hold, is not diminishing.
The $33.28 million lost to bridge and cross-chain exploits in May represents 41 percent of the month’s total damage from a category of infrastructure that the industry already knows is its weakest point. That knowledge has not yet translated into the architectural changes required to make bridges meaningfully harder to attack. Until it does, the monthly security reports will keep telling the same story, with the numbers moving up and down around an average that remains far too high for an industry that wants to be taken seriously as financial infrastructure.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!
