1 hour ago
1123
The crypto industry lost approximately $68.3 million to exploits and scams across 60 confirmed incidents in May 2026, according to the latest monthly report from blockchain security firm CertiK.
The figure brings the month in as the third in 2026 where monthly losses were under $100 million. Phishing alone accounts for around $2.6 million of the total. Funds returned across the same period reached $9.38 million, partially offsetting the gross loss figure.
The May numbers come in well below the heavy April losses.
Crypto sector records 60 incidents across May
The CertiK report counted 60 separate incidents through the month, the highest monthly count of 2026 so far. The figure runs above the 50 incidents seen in February, the 55 logged in March, and the 58 recorded in April. The January count had been 48 incidents.
Combining all the incidents in May weβve confirmed ~$68.3M lost to exploits with
~$2.6M of the total attributed to phishing.
After a particularly bad April, May is now the third month of 2026 to record losses under 100M$.
More details below pic.twitter.com/GSWTLKXWDH
β CertiK Alert (@CertiKAlert) May 31, 2026
Total May losses came in at the $68.3 million figure, lower than Aprilβs $547.3 million and below the $97 million logged in January. February and March had also recorded losses under $100 million and March posted the lowest dollar figure of the year so far at $38 million.
Phishing losses moderated through the month at $2.6 million, the second-lowest figure of 2026 to date. January had posted $331.3 million in phishing losses, with February at $86.1 million and March at $21.6 million. The April phishing figure had fallen to $7.5 million before the May reading.
Verus and Thorchain lead the monthly loss list
The Verus attack was rated first in terms of monthly losses at $11.52 million, while the Thorchain attack was second at $10.12 million, and both attacks comprised almost one-third of the monthly total.
Third, fourth, and fifth spots in the list of greatest loss incidents went to TrustedVolumes at $6.58 million, Victim 0x2cFED at $5.94 million, and Gravity Bridge at $5.40 million. All five biggest incidents in the period under analysis brought total losses amounting to $39.55 million, almost half of the total loss figure.
A number of less significant incidents made up the rest of the top ten by losses. Stablr incurred monthly losses at $3.50 million, while New Market Trading suffered losses totaling $3.10 million. TAC, Ossie, and Haveno/RetoSwap all had losses at $2.80 million and $2.70 million.
Code vulnerabilities drive crypto losses by category
By category, code vulnerabilities accounted for $45.13 million of the monthly losses, equal to around 66 percent of the total. Wallet compromises followed at $13.77 million, with validator compromises at $5.40 million and phishing at $2.66 million. Backend incidents posted the smallest category figure at $0.82 million in losses.
The category breakdown points to smart contract code as the main attack surface during the month. The dominance of code vulnerabilities runs against the pattern seen in some earlier months of 2026. Januaryβs hardware wallet hack of $282 million had been a wallet compromise, while Aprilβs Drift Protocol breach of $285 million had run on social engineering against admin keys.
By incident type, bridge exploits drew the largest dollar figure at $28.62 million. DeFi protocol incidents came in second at $23.92 million, with meme token incidents at $1.34 million and exchange-related losses at $1.09 million. Unverified contract incidents added $0.74 million to the monthly total.
Funds returned total $9.38 million against gross losses
The May report also tracked recoveries across the month. Funds returned came to $9.38 million against the $68.3 million in gross losses, equal to around a 13.7 percent recovery rate. This is in line with a trend emerging across 2026 where certain compromised projects have succeeded in recovering some amounts of funds that were stolen.
From the KelpDAO bridge hack in April, where Arbitrum froze about $75 million out of the $292 million stolen, along with law enforcement efforts, to Operation Atlantic that disrupted the flow of about $45 million from cryptocurrency scams.
As per the May report, the total losses incurred during 2026 up to the end of May amount to almost $1.3 billion, with April having accounted for nearly half of that loss amount itself.
If you're reading this, youβre already ahead. Stay there with our newsletter.
English (US)