May brought a sharp reprieve for the crypto security landscape. Total exploit losses clocked in at roughly $68 million — a dramatic drop from April's $650 million, which was the worst month since March 2022 (excluding the $1.5 billion Bybit hack in February 2025). Code vulnerabilities drove about 66% of the damage, and cross-chain bridges once again proved the weakest link.
Bridges take the biggest hit
Bridge exploits alone accounted for 42% of May's losses, or $28.6 million. The single largest incident hit Verus Protocol's cross-chain bridge on May 18, draining $11.5 million. THORChain lost $10 million in a mid-May attack that forced a temporary halt to trading. Toward month's end, Gravity Bridge and Alephium Bridge were both struck on May 30, losing $5.4 million and $815,000 respectively.
Wallet compromises and a rare recovery
Wallet and private key compromises stole $13.7 million across 7 of nearly 30 incidents. Phishing attacks, often a major vector, produced only $2.6 million in losses — a sign that user awareness may be improving, or that attackers are shifting tactics. On the bright side, victims recovered or got back about $9.4 million during May.
AI-powered threats emerge
Bad actors aren't just after user funds. They're now using AI to develop malware aimed at crypto and AI developers, attacking code repositories and tricking AI coding assistants into embedding vulnerabilities. The shift suggests the next wave of attacks may target the supply chain itself, not just end users.
A familiar pattern holds
May was the third month in 2026 with total losses under $100 million — an encouraging sign after April's spike. But the underlying weak spots haven't changed. Bridges and code vulnerabilities remain the two most exploited areas in crypto, and the industry has yet to lock them down for good. The question going forward is whether AI-powered attacks will widen the attack surface before the industry catches up.
