The decentralized finance landscape experienced a sharp reduction in exploit-related losses throughout May, offering a brief operational reprieve after a historically destructive April. According to new data from blockchain security firm CertiK, crypto exploit losses fell sharply in May, dropping to $68.3 million from nearly $650 million in April. This contraction marks May as the third month in 2026 to register below the $100 million loss threshold.
In a post on X, CertiK said phishing attacks accounted for about $2.6 million of May’s losses, while roughly $9.4 million was recovered or returned to affected treasuries. The company noted that May became the third month in 2026 to record less than $100 million in crypto-related exploit losses. Even so, security researchers warn that lower losses do not necessarily indicate lower risk, as attackers continue targeting platforms through new techniques and vulnerabilities.
Bridge attacks lead monthly losses
While overall cryptocurrency losses from hacks and exploits declined in May, cybercriminals continued to target some of the industry’s most critical infrastructure. Cross-chain bridges and decentralized finance (DeFi) platforms remained particularly vulnerable, with several major attacks underscoring persistent security risks.
The biggest breach of the month struck Verus Protocol on May 18, when attackers exploited its cross-chain bridge and made off with about $11.5 million. Separately, THORChain suffered a hack that resulted in losses of roughly $10.1 million.
Cross-chain bridges accounted for about $28.6 million in total losses, or nearly 42% of all losses in May. Decentralized finance platforms also saw continued pressure as attackers searched for large payouts across active trading systems.
Code vulnerabilities drove most of the damage. Hackers exploited software flaws to steal around $45 million, which made up almost two-thirds of total losses. Wallet and private key compromises added another $13.7 million, showing that both technical bugs and user security failures remain key entry points for attackers.
Lazarus expands its malware playbook
Researchers also flagged new security threats beyond direct protocol exploits. A CertiK researcher linked a recent malware campaign to North Korea’s Lazarus Group. The operation, called “Mach-O Man,” targets macOS users working in crypto and financial services.
Security reports say attackers pose as contacts on Telegram and send fake meeting invitations. Victims then open links to fake video conferencing pages and follow instructions that run malicious commands on their devices. The process gives attackers access to compromised systems and sensitive data.
AI raises new security concerns
Security experts say artificial intelligence is making crypto attacks faster and harder to stop. Hackers have stolen about $16.56 billion across the crypto sector so far, according to DeFiLlama. Decentralized finance accounts for $7.78 billion of those losses, while bridge exploits make up another $3.24 billion.

OpenZeppelin founder Manuel Aráoz said AI has shifted the balance between attackers and defenders. He wrote, “Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric: defenders need to fix every bug while attackers need just one exploit to steal funds.”
Researchers say this imbalance could keep security risks high for crypto platforms, even as defenses improve.
