Crypto hacks plunged 90% to $68.3 million in May, but the threat is far from over

The blockchain industry is experiencing a collective sense of relief. After a bruising April that saw over $650 million systematically stolen from Web3 protocols, anchored by a staggering $291 million exploit of Kelp DAO, the latest figures offer a deceptive sense of relief. Data released by blockchain security firm CertiK confirms that losses from crypto exploits plummeted by nearly 90% in May, settling at a modest $68.3 million.

For a market weary of relentless security vulnerabilities, May marks the third month of 2026 to successfully keep aggregate losses under the psychological $100 million threshold. On paper, it looks like a resounding victory for the defensive line. On-chain reality, however, suggests we are merely witnessing a tactical intermission before a possible next wave of sophisticated offensives.

The sharp drop in crypto exploits in May has naturally led some commentators to declare that protocol security is finally maturing. There is little or no evidence to support this: roughly $9.4 million of the month’s stolen assets were successfully recovered or returned through white-hat negotiations and swift multi-signature asset freezing. Phishing attacks, historically a massive drain, were also kept at a relatively quiet $2.6 million.

Yet, a careful look at the data reveals that the structural vulnerabilities plaguing decentralised finance (DeFi) remain entirely unresolved. Hackers did not suddenly hit a brick wall; they simply targeted different layers of the ecosystem. Cross-chain bridges, the perennially fragile corridors of the crypto ecosystem, were once again the primary target, accounting for $28.6 million, or 42% of the month’s total losses.

The single largest hack involved an $11.5 million exploit of the Verus Protocol cross-chain bridge on May 18, closely followed by a mid-month breach of THORChain that drained $10.1 million. According to CertiK, code vulnerabilities remained the most devastating vector, responsible for roughly 66% ($45 million) of all losses. Meanwhile, data from DeFiLlama tracked 29 distinct security incidents throughout the month, seven of which were tied directly to compromised private keys and wallet leaks, including late-month strikes on the Gravity Bridge ($5.4 million) and the Alephium Bridge ($815,000).

If protocols were genuinely hardening, we would see a collapse or a drastic reduction in these specific attack vectors. Instead, we are seeing the same architectural flaws executed on a slightly smaller scale.

May’s crypto hacks plunged: A tactical intermission for retooling

History shows that Web3 threat actors rarely retire; they retool. The dramatic dip in May payload deliveries aligns perfectly with the operational cycles of elite cybercriminal syndicates, such as North Korea’s state-sponsored Lazarus Group. These entities do not operate randomly; they carry out highly coordinated, seasonal campaigns.

The drop to $68.3 million points toward a deliberate period of reconnaissance and engineering. Security analysts have noted an alarming rise in malicious software developed with generative artificial intelligence assistance, specifically targeting crypto and AI developers. Throughout May, threat actors aggressively compromised code repositories and manipulated AI coding assistants to plant deep-seated backdoors in upcoming protocols. These are long-tail operations. Rather than burning a newly discovered zero-day exploit on a depleted liquidity pool, advanced persistent threat groups are quietly mapping out the topologies of newly launched DeFi primitives.

There is also a macroeconomic liquidity factor at play. Following the massive capital drain in April, many yield farmers and institutional liquidity providers temporarily pulled back their assets to assess risk. For a hacker, attacking a dehydrated protocol is a waste of operational capital. By holding back their heavy artillery, exploiters allow total value locked (TVL) figures to naturally replenish during the early summer months, effectively fattening the target before flipping the switch.

Overall, the current lull should be treated as an urgent window of opportunity rather than a milestone of success. Total operational resilience requires continuous, dynamic auditing and an industry-wide pivot away from highly centralised multi-signature dependencies. 

The dramatic de-escalation of May is not a permanent peace treaty; it is the quiet before the inevitable summer storm. Protocols and exchanges that misinterpret this temporary pause as genuine safety will almost certainly make headlines when the next offensive begins.