
May crypto security losses hit $68.3M, down 90% from April's $650M. Cross-chain bridges remain the top vulnerability. CertiK flags AI-enhanced malware trend.
Alpha Score of 42 reflects weak overall profile with moderate momentum, weak value, weak quality. Based on 3 of 4 signals – score is capped at 90 until remaining data ingests.
Blockchain security firm CertiK reported that cryptocurrency platform losses fell to $68.3 million in May, a 90% drop from April's $650 million figure. The month marked the third consecutive period in 2026 where total security-related losses stayed below $100 million.
April's tally was inflated by the Kelp DAO incident, which cost $291 million. Excluding the $1.5 billion Bybit breach from February 2025, April represented the highest monthly loss total since March 2022. May's decline is partly mean reversion after a single large event, the underlying attack vectors remain unchanged.
The simple read: losses collapsed. The better read: April was an outlier driven by one protocol exploit, and May's total is still above the $50 million monthly average seen in late 2025. Phishing accounted for only $2.6 million of May's total. Security teams recovered or had voluntarily returned about $9.4 million – a 13.8% recovery rate that is decent, far from industry standard.
April's $650 million figure would have been the highest monthly loss since March 2022 if not for the Bybit hack. The Kelp DAO incident alone represented 45% of that month's total. Without it, April's losses would have been roughly $359 million – still elevated, not record-breaking. May's drop to $68.3 million brings the industry back to the range seen in January and March 2026.
Cross-chain bridge platforms were the most frequently exploited infrastructure type in May, accumulating $28.6 million in losses – 42% of the monthly total. The month's largest single incident hit Verus Protocol's cross-chain bridge on May 18, costing $11.5 million. THORChain suffered the second-largest breach, with attackers extracting $10.1 million in mid-May.
Two more bridge incidents closed the month on May 30: Alephium Bridge lost $815,000 and Gravity Bridge lost $5.4 million. Both were attributed to compromised private keys.
Programming vulnerabilities were the predominant root cause by dollar value, responsible for about $45 million – roughly 66% of aggregate losses. Wallet breaches and private key compromises ranked second, accounting for $13.7 million. Bridges are complex software stacks that often rely on cross-chain messaging protocols with limited battle-testing. Attackers target the code, not the economics.
THORChain has been exploited multiple times since 2021. The May incident follows a pattern: attackers found a flaw in the swap logic that allowed them to drain liquidity pools. Verus Protocol's bridge was newer; the exploit used a reentrancy-like attack on the bridge's validation layer. Both incidents reinforce that bridge security remains the sector's weakest link.
CertiK recorded 29 distinct security incidents in May. Private key compromises were implicated in seven of those attacks. The breakdown by vector:
CertiK identified an emerging trend involving AI-enhanced malware deployed throughout May. Threat actors targeted cryptocurrency and artificial intelligence developers through compromised code repositories. The attackers manipulated AI-powered coding assistants to execute malicious operations, making the malware harder to detect during code review. This vector is still small in dollar terms, could grow if developers do not tighten supply-chain security.
The read-through is direct: DeFi protocols that operate cross-chain bridges face elevated operational risk. Investors evaluating THORChain, Verus Protocol, or any bridge-dependent project should scrutinize audit history and key management practices. The $9.4 million recovered or returned is a positive signal that some security teams can respond quickly, the recovery rate of 13.8% leaves 86% of stolen funds unrecovered.
Protocols using similar bridge architecture – including LayerZero, Wormhole, and Synapse – are not named in the source, share the same attack surface. Any project relying on cross-chain messaging or wrapped assets is exposed to the same code-risk profile. The Alephium and Gravity Bridge incidents confirm that even smaller bridges are targets.
$9.4 million recovered out of $68.3 million stolen is a 13.8% recovery rate. That is higher than the industry average of about 5-10% in 2025, still means most victims absorb the loss. Protocols that can demonstrate faster recovery or insurance coverage may gain a competitive advantage in attracting liquidity.
The thesis that cross-chain bridges remain the top vulnerability is confirmed if June sees another bridge exploit above $10 million. It weakens if attackers shift to a new vector – such as AI malware or DeFi lending protocol exploits – and bridge incidents decline. The AI-enhanced malware trend is worth watching: if it produces a large loss in June, the sector's risk map changes.
Next concrete marker: the first major incident of June. If it is a bridge hack, the pattern holds. If it is a private-key compromise at a centralized exchange or a new AI-driven attack, the narrative shifts. CertiK's monthly reports will provide the data. For now, the numbers say bridges are the problem, the problem is not going away.
For a broader view of how these security trends affect crypto market structure, see our crypto market analysis. For the specific risk profile of the largest assets, the Bitcoin (BTC) profile and Ethereum (ETH) profile offer context on how network security correlates with price action.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.