The crypto industry experienced a loss of approximately $68.3 million to exploits and scams in May 2026. According to the latest monthly report released by blockchain security firm CertiK, the exploits spanned across 60 confirmed incidents this past month.
The figure brings the month in as the third in 2026, where monthly losses were under $100 million. Phishing alone accounts for around $2.6 million of the total. Funds returned across the same period reached $9.38 million, partially offsetting the gross loss figure. The May numbers come in well below the numbers recorded in April. The CertiK report counted 60 separate incidents through the month, the highest monthly count of 2026 so far.
CertiK releases detailed report on crypto scams in May
According to the CertiK report, the figure runs above the 50 incidents seen in February, the 55 logged in March, and the 58 recorded in April. The January count had been 48 incidents. Total May losses came in at the $68.3 million figure, lower than April’s $547.3 million and below the $97 million logged in January. February and March had also recorded losses under $100 million, and March posted the lowest dollar figure of the year so far at $38 million.
Phishing losses moderated through the month at $2.6 million, the second-lowest figure of 2026 to date. January had posted $331.3 million in phishing losses, with February at $86.1 million and March at $21.6 million. The April phishing figure had fallen to $7.5 million before the May reading. The Verus attack was rated first in terms of monthly losses at $11.52 million, while the Thorchain attack was second at $10.12 million, and both attacks comprised almost one-third of the monthly total.
Third, fourth, and fifth spots in the list of greatest loss incidents went to TrustedVolumes at $6.58 million, Victim 0x2cFED at $5.94 million, and Gravity Bridge at $5.40 million. All five biggest incidents in the period under analysis brought total losses amounting to $39.55 million, almost half of the total loss figure. Several less significant incidents made up the rest of the top ten by losses
Stablr incurred monthly losses of $3.50 million, while New Market Trading suffered losses totaling $3.10 million. TAC, Ossie, and Haveno/RetoSwap all had losses of $2.80 million and $2.70 million. In terms of category, code vulnerabilities accounted for $45.13 million of the monthly losses, equal to around 66 percent of the total. Wallet compromises followed at $13.77 million, with validator compromises at $5.40 million and phishing at $2.66 million. Backend incidents posted the smallest category figure at $0.82 million in losses.
The May report also tracked recoveries across the month. Funds returned came to $9.38 million against the $68.3 million in gross losses, equal to around a 13.7 percent recovery rate. This is in line with a trend emerging across 2026 where certain compromised projects have succeeded in recovering some amounts of funds that were stolen. From the KelpDAO bridge hack in April, where Arbitrum froze about $75 million out of the $292 million stolen, along with law enforcement efforts, to Operation Atlantic that disrupted the flow of about $45 million from cryptocurrency scams.
