May's total crypto exploit and scam losses hit roughly $68.3 million across 60 confirmed incidents, with only about $9.38 million recovered. That's a steep drop from April, when two mega-heists alone clocked around $600 million. But don't mistake the monthly decline for a win — investigators say some of the biggest spring thefts were aided by AI-driven reconnaissance and social engineering, and the recovery rate remains abysmal.
What happened in April and May
April's losses were dominated by two massive attacks, and investigators noted unusually rapid target discovery, a pattern that now looks like a clue. In May, the total fell to $68.3 million, but it was spread across 60 incidents: smaller hits, still frequent. About $9.38 million was returned, roughly 14%.
That's low. Recovery rates have been low for a while. The question is whether the drop in monthly volume reflects actual security improvements or just a pause in the attacker cycle.
AI is changing the game
A June threat intelligence report from CertiK Skynet tallied over $328 million in bridge-related incidents so far in 2026 — with a single wallet compromise at Kelp DAO responsible for about $291.3 million. That's a huge chunk. The report also highlights how attackers now pair public on-chain data, Git repos, and social graphs with AI to compress weeks of manual reconnaissance into hours.
AI enables automated exploit rehearsal, deepfake pretext generation, and rapid execution — including polished impersonation and automated split routes to dodge tracking. In short, the tools are getting cheaper and faster.
Why May's lower losses aren't a relief
Lower monthly losses don't necessarily mean lower systemic risk. The pattern could reflect attacker pause cycles, improved triage by teams, or a shift toward more targeted data-driven intrusions that fly under the radar. Contributing factors to the monthly decline include patch cycles after April, some correction from alert fatigue, and attackers recalculating their ROI to avoid heat.
The real story is the low recovery rate: only $9.38 million back from $68.3 million in May. That's not a fluke — it's a trend. And with AI compressing reconnaissance from weeks into hours, the window for getting funds back is shrinking.
What comes next
No one is calling this a turning point. The Kelp DAO incident alone shows that a single compromise can dwarf an entire month's losses. Expect more details from CertiK's mid-year update, and watch for whether June's numbers tick back up as attackers finish retooling their AI pipelines. The fundamental problem — slow recovery, fast attack — isn't going anywhere.



