Crypto Hack Losses Drop 90% to $68.3M in May, CertiK Says
A steep monthly decline offers protocols a brief reprieve — but AI-powered social engineering and cross-chain flaws keep the threat level elevated.
Crypto exploit losses fell sharply in May, sliding to roughly $68.3 million from nearly $650 million in April, according to fresh figures from blockchain security firm CertiK. The drop — close to 90% month over month — marks May as the third month in 2026 to close below the $100 million threshold.
A sharp reversal from April's record
The pullback follows a historically destructive April, when two North Korea-linked breaches — the Kelp DAO and Drift Protocol exploits — drove monthly losses to the highest level in years. By comparison, May delivered a calmer ledger: CertiK noted that phishing accounted for about $2.6 million of the month's total, while roughly $9.4 million was recovered or returned to affected treasuries.
"Lower losses do not necessarily mean lower risk" — researchers caution that attackers are still probing protocols with new techniques.
#CertiKStatsAlert 🚨 Combining all the incidents in May we've confirmed ~$68.3M lost to exploits, with ~$2.6M of the total attributed to phishing. After a particularly bad April, May is now the third month of 2026 to record losses under $100M.
— CertiK Alert (@CertiKAlert) June 1, 2026
Where the money went
Even in a quieter month, the loss profile underscored familiar weak points. Code vulnerabilities did most of the damage, while cross-chain bridges — long a favorite target — again absorbed a heavy share. Wallet and private-key compromises rounded out the picture, a reminder that both software bugs and user-side security failures remain primary entry points.
- Code vulnerabilities~$45.0M
- Cross-chain bridge exploits~$28.6M
- Wallet & private-key compromise~$13.7M
- Phishing~$2.6M
AI-powered attacks add to the concern
Beyond direct protocol exploits, CertiK flagged a sharpening edge to social engineering. A researcher tied a recent macOS malware campaign — dubbed "Mach-O Man" — to North Korea's Lazarus Group, with crypto and fintech professionals as the intended targets, often lured through fake "urgent" meeting invites.
The firm's investigators have repeatedly warned that AI is reshaping the threat landscape: automated tooling helps attackers discover and weaponize vulnerabilities faster, while AI-assisted phishing and deepfakes make lures harder to spot. The same tools, however, also strengthen the defensive side — accelerating monitoring, transaction analysis, and audit work.
Lower losses, not lower risk
May's numbers are a welcome breather after a brutal spring, and the rebound in recovered funds is encouraging. But the underlying message from security teams is consistent: the reduction came largely from fewer headline-grade exploits, not from fewer attempts. The practical guidance hasn't changed — verify every URL and smart contract before interacting, and keep idle assets in cold storage where private keys are never exposed.