TL;DR:
Cross-chain bridges are accumulating record losses so far in 2026, with eight major incidents recorded in May alone. Peckshield, the blockchain security and data analytics firm, published a report that raises the total stolen to $328.6 million across cross-chain protocols. The figures cement 2026 as the most critical period in history for decentralized finance.
Cross-chain bridges operate by locking tokens on one blockchain and minting equivalent assets on another. That architecture concentrates liquidity at single points of failure, where compromising the bridge’s verification mechanism is enough to access the funds. The structural dimension of the problem became undeniable in April, when 30 separate incidents were recorded, at a pace of nearly one attack per day.
Two of the largest attacks occurred in rapid succession. On April 18, the rsETH route of KelpDAO on Layerzero V2 was exploited, resulting in the loss of approximately $300 million. The attacker extracted 116,500 rsETH from the Ethereum OFT adapter without burning the tokens on the source chain. A review by Chainalysis determined that Layerzero had a 1-1 RPC quorum configured by default, which allowed a single compromised node to authorize fraudulent cross-chain messages. KelpDAO subsequently migrated to Chainlink‘s Cross-Chain Token standard and publicly held Layerzero responsible for the infrastructure failure.
#PeckShieldAlert As of mid-May 2026, the crypto space has witnessed 8 major #bridge-related exploits, with hackers exfiltrating a cumulative $328.6M from cross-chain protocols.
The table below outlines the details of these incidents: pic.twitter.com/0xTNxIHi4b— PeckShieldAlert (@PeckShieldAlert) May 18, 2026
Days later, Drift Protocol suffered an exploit in its infrastructure on Solana, losing approximately $200 million in the process. An analyst at CertiK noted that these incidents indicate a strategic shift in cybercrime. According to Peckshield, attackers are becoming increasingly sophisticated in identifying and exploiting weaknesses in verification mechanisms.
Smaller-scale incidents also made their mark. In February, the IoTeX bridge lost approximately $2 million through a private key exploit. In May, TAC Protocol lost $2.8 million in what was later classified as a white hat incident, after the attacker claimed a 10% bounty. Transit Finance lost another $1.88 million on May 13. The most recent episode involved the Verus-Ethereum bridge, where losses were approximately $11.5 million and the attacker’s wallet was traced to Tornado Cash.
Peckshield’s data already showed accumulated losses of $112.5 million in the first two months of 2026, before April catapulted the total above $750 million. With May’s incidents adding to the tally, 2026 is on track to eclipse all historical records for losses in the DeFi market.
