
Crypto hack losses fell 90% to $68.3M in May, CertiK reports. Code flaws drove 66% of losses. Cross-chain bridges lost $28.6M. AI-assisted malware is rising.
Alpha Score of 42 reflects weak overall profile with moderate momentum, weak value, weak quality. Based on 3 of 4 signals – score is capped at 90 until remaining data ingests.
Crypto losses from hacks and exploits fell to $68.3 million in May, nearly 90% lower than the roughly $650 million stolen in April, according to blockchain security firm CertiK.
May became the third month of 2026 to record less than $100 million in crypto-related losses after attackers stole through exploits, scams, and security breaches. The figure follows a difficult April, when losses surged to around $650 million. CertiK noted that, excluding the $1.5 billion Bybit hack in February 2025, April recorded the highest monthly losses since March 2022. A $291 million exploit targeting Kelp DAO accounted for the largest incident that month.
While losses declined sharply in May, several major attacks still affected the sector.
An exploit targeting Verus Protocol's cross-chain bridge on May 18 resulted in $11.5 million in losses, making it the largest incident of the month. An attack on THORChain followed with roughly $10.1 million stolen from the protocol.
A breakdown of the data shows that code vulnerabilities remained the most expensive attack vector. CertiK reported that flaws in protocol code accounted for approximately $45 million in losses, representing about 66% of the month's total. Wallet and private key compromises ranked second, with attackers stealing $13.7 million through those incidents.
Cross-chain infrastructure continued to attract significant attention from attackers. According to CertiK, cross-chain bridge exploits caused $28.6 million in losses during May, or roughly 42% of the monthly total, placing them ahead of decentralized finance protocols among the most targeted sectors.
Data from DeFiLlama recorded 29 security incidents during the month, including seven cases involving compromised private keys.
Among the most recent attacks were exploits affecting Alephium Bridge and Gravity Bridge on May 30. Data shows that the incidents led to losses of approximately $815,000 and $5.4 million, respectively, after attackers gained access to private keys.
Private key compromises accounted for $13.7 million in May losses, making them the second-largest attack vector. The Alephium and Gravity Bridge incidents underscore that even as total losses decline, single points of failure in key management remain a structural vulnerability.
Even as total losses declined, security researchers continue to warn about changes in attacker tactics. In April, CertiK senior blockchain investigator Natalie Newson warned that threat actors were increasingly combining social engineering, phishing campaigns, supply-chain compromises, and cross-chain vulnerabilities to execute large-scale attacks. Newson also warned that artificial intelligence tools were making cybercrime operations more sophisticated and easier to scale.
CertiK's latest findings suggest that trend is continuing. The company reported that AI-assisted malware activity increased in May, with attackers targeting both crypto developers and AI developers by compromising code repositories and manipulating AI coding assistants.
Newson previously said that tools capable of creating realistic deepfakes, autonomous attack agents, and software that can identify vulnerabilities and generate exploit code are becoming more accessible.
According to CertiK, such capabilities are adding new risks at a time when attackers are already exploiting weaknesses in cross-chain systems and private key management.
Practical rule: A single month of declining losses does not signal a structural improvement in security. The April spike to $650 million shows that attacker capacity remains high. A repeat of a $100 million+ month in June would confirm that May was an outlier, not a trend. Conversely, a second consecutive month below $100 million would strengthen the case that improved security practices or reduced attack surfaces are having an effect.
Risk to watch: Cross-chain bridges remain the most targeted sector. Another exploit above $20 million on a bridge protocol would reset the narrative, regardless of the monthly aggregate.
In the meantime, CertiK has advised users to remain cautious of phishing attempts, verify the authenticity of websites and smart contracts, and consider using cold wallets to reduce exposure of private keys during everyday operations.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.