Crypto Hack Losses Ease in May, but Private Key Failures Remain Weakest Link

2 June 2026 - 08:00 CEST

Crypto-related losses from hacks and exploits fell sharply in May after April's record wave of attacks. The underlying pattern of breaches points more to operational security failures than to broken code.

Data compiled by Sandmark shows roughly $81.3mn in losses across at least 39 publicly reported incidents during May, down significantly from more than $600mn drained in April. Blockchain security firm CertiK separately estimated around $68.3mn in confirmed losses, with roughly $2.6mn attributed to phishing attacks. This marks a notable improvement from May 2025, when CertiK reported over $300mn lost to scams, hacks and exploits.

OpSec failures drive losses

While smart contract exploits remain present, many of May's largest incidents involved compromised keys, multisig failures, authentication weaknesses or bridge infrastructure. Multisig refers to multi-signature wallets that require approvals from multiple parties before executing transactions, a common security measure in crypto projects.

Superfortune, a digital asset platform, suffered an estimated $15.2mn loss from alleged multisig address tampering. Verus-Ethereum Bridge, a cross-chain bridge connecting the Verus (VRSC) blockchain to Ethereum (ETH), lost $11.6mn through a bridge verification exploit. THORChain (RUNE), a decentralized liquidity protocol that enables cross-chain swaps without wrapped assets, suffered roughly $10.7mn in losses linked to a vault key compromise, according to public disclosures and security researchers. THORChain's native token RUNE dropped more than 10% on the day of the incident, as trading was temporarily halted.

Other major incidents included decentralized launchpad DxSale ($7.3mn), trading platform TrustedVolumes ($6.7mn) and Gravity Bridge ($5.4mn). Gravity Bridge is a Cosmos-based bridge for transferring assets between different blockchains.

The pattern reflects a broader shift already visible throughout 2026. Rather than discovering novel vulnerabilities in protocol code, attackers are increasingly targeting private keys, governance controls, operational infrastructure and cross-chain systems.

[Chart. Source: DeFi Llama]

The largest incidents in May concentrated on infrastructure, bridge and privileged-access failures rather than traditional smart contract bugs.

Institutional adoption meets security scrutiny

The attacks arrive during a period when crypto infrastructure is becoming increasingly intertwined with traditional finance, or TradFi.

Major banks, payment firms and asset managers are accelerating efforts around tokenized assets – digital representations of assets such as stocks or real estate recorded on blockchain – stablecoins and blockchain-based settlement systems. Firms including Mastercard, JPMorgan, BlackRock and a growing number of exchanges have expanded tokenization initiatives during the first half of 2026.

That institutional push has helped legitimize parts of the sector but has also raised expectations around security standards.

The contrast is notable. As crypto matures into a venue for tokenized securities and institutional capital flows, many of the industry's most damaging breaches continue to stem from basic operational failures such as compromised credentials and privileged-access weaknesses.

But the challenge is hardly unique to crypto. Financial fraud and cybercrime continue to rise across traditional finance and the broader digital economy. The Federal Bureau of Investigation (FBI) said in a report in April that US victims lost nearly $21bn to cyber-enabled crime in 2025, up 26% from the previous year. Investment scams, business email compromises and fraud-related schemes drove much of the increase.

Beyond smart contracts

The moderation in May losses suggests April's extraordinary wave of attacks may not represent a new baseline. CertiK noted that May became the third month of 2026 with losses below $100mn.

Still, the broader trend of risk migrating away from isolated coding bugs toward the wider operational stack surrounding digital assets remains clear. Bridges, signing infrastructure, governance systems and authentication layers now account for a growing share of losses as blockchain ecosystems – distributed ledger networks that power cryptocurrencies – become more interconnected.

[Chart. Source: DeFi Llama]

Mitchell Amador, CEO of onchain security platform Immunefi, said that despite high-profile incidents, many 2026 losses continue to stem from operational rather than pure code issues. For institutional participants entering crypto markets through tokenization, stablecoins and onchain settlement, the key question is increasingly whether the broader infrastructure supporting those contracts can withstand sophisticated operational attacks. Amador noted expectations of increased regulatory scrutiny on operational security practices in coming months.