
Code vulnerabilities drove 66% of May's $68.3M crypto losses; phishing fell to $2.6M. Recovery rate held at 13.7% as year-to-date losses near $1.3B.
The crypto industry lost approximately $68.3 million to exploits and scams across 60 confirmed incidents in May 2026, according to the latest monthly report from blockchain security firm CertiK. The figure makes May the third month of the year to record losses under $100 million. The incident count is the highest monthly total of 2026 so far.
Funds returned across the same period reached $9.38 million, partially offsetting the gross loss figure and producing a recovery rate of about 13.7 percent.
Code vulnerabilities accounted for $45.13 million of the monthly losses, equal to around 66 percent of the total. Wallet compromises followed at $13.77 million, with validator compromises at $5.40 million and phishing at $2.66 million. Backend incidents posted the smallest category figure at $0.82 million in losses.
The category breakdown points to smart contract code as the main attack surface during the month. The dominance of code vulnerabilities runs against the pattern seen in some earlier months of 2026. January's hardware wallet hack of $282 million had been a wallet compromise. April's Drift Protocol breach of $285 million had run on social engineering against admin keys.
By incident type, bridge exploits drew the largest dollar figure at $28.62 million. DeFi protocol incidents came in second at $23.92 million, with meme token incidents at $1.34 million and exchange-related losses at $1.09 million. Unverified contract incidents added $0.74 million to the monthly total.
The Verus attack ranked first in monthly losses at $11.52 million. The Thorchain attack was second at $10.12 million. Together, the two attacks accounted for almost one-third of the monthly total.
Third, fourth, and fifth place among the largest incidents went to TrustedVolumes at $6.58 million, Victim 0x2cFED at $5.94 million, and Gravity Bridge at $5.40 million. The five biggest incidents together accounted for $39.55 million in losses, almost half of the total loss figure.
A number of smaller incidents made up the rest of the top ten by losses. Stablr incurred losses of $3.50 million. New Market Trading lost $3.10 million. TAC, Ossie, and Haveno/RetoSwap had losses of $2.80 million and $2.70 million.
Phishing losses moderated through the month at $2.6 million, the second-lowest figure of 2026 to date. January had posted $331.3 million in phishing losses. February was at $86.1 million and March at $21.6 million. The April phishing figure had fallen to $7.5 million before the May reading.
The moderation in phishing suggests attackers may be shifting tactics away from broad wallet-draining campaigns toward more targeted code exploits and bridge attacks. Those require deeper technical knowledge. They can yield larger single-incident payouts.
Funds returned came to $9.38 million against the $68.3 million in gross losses, a recovery rate of around 13.7 percent. This is in line with a trend emerging across 2026, in which certain compromised projects have succeeded in recovering part of the stolen funds.
Examples range from the KelpDAO bridge hack in April, where Arbitrum froze about $75 million of the $292 million stolen, alongside law enforcement efforts, to Operation Atlantic, which disrupted the flow of about $45 million from cryptocurrency scams.
According to the May report, total losses for 2026 through the end of May amount to almost $1.3 billion. April alone accounted for nearly half of that amount.
May's total of $68.3 million was lower than April's $547.3 million and below the $97 million logged in January. February and March had also recorded losses under $100 million. March posted the lowest dollar figure of the year so far at $38 million.
The 60 incidents in May represent the highest monthly count of 2026 so far. The figure runs above the 50 incidents seen in February, the 55 logged in March, and the 58 recorded in April. The January count had been 48 incidents.
Key insight: The rising incident count alongside falling total dollar losses suggests attackers are spreading smaller bets across more targets rather than concentrating on single large hacks. This makes portfolio-level risk harder to hedge with simple position sizing.
Bridge exploits at $28.62 million and DeFi protocol incidents at $23.92 million together account for 77 percent of May's total losses. Any portfolio with significant exposure to cross-chain bridges or lending protocols faces a higher probability of incident than one concentrated in blue-chip spot holdings on centralized exchanges.
The 13.7 percent recovery rate means that even when a project recovers funds, the investor or liquidity provider still absorbs the majority of the loss during the recovery window. The KelpDAO case showed that Arbitrum could freeze funds. That required active chain-level intervention and did not guarantee full restitution.
Practical rule: Treat any bridge or DeFi position as having a 13-14 percent expected recovery in the event of a code exploit. The remaining 86-87 percent is a permanent loss of capital.
For traders and allocators, the May data reinforces a watchlist rule: screen any DeFi or bridge position for its audit history, admin key structure, and past incident record before sizing. The 60-incident month shows that small exploits are becoming the new normal. The $68.3 million total is a manageable number only if your portfolio is not the one absorbing the hit.