On June 1, 2026, CertiK, a third-party organization focused on crypto security, released its monthly security report for May 2026. According to its statistics, the total loss from various attacks and vulnerabilities in May was approximately $68.3 million, while in April this figure was around $650 million. That is a month-on-month decline of about 90% after a peak earlier in the year, and it makes May the third month this year with losses below $100 million. Although the overall security data shows a significant cooldown, the report also pointed out that typical events such as the theft of approximately $11.5 million from the Verus Protocol cross-chain bridge still occurred that month. On-chain attacks have not disappeared; the risk level has simply eased from an extreme high to a relatively "controllable" range, and the industry's dependence on security infrastructure and emergency response capabilities continues to deepen.
From $650 million to $68.3 million: Behind the cliff-like decline
Looking at the data itself, April's loss of about $650 million inflated the "peak" of the annual curve, while May quickly dropped to about $68.3 million, only about one-tenth of the previous month, a stark cliff-like contrast. CertiK's monthly statistics show that this is the third time this year that monthly losses have fallen below $100 million, indicating that, extreme events aside, losses at the "six-hundred-million level" are not the industry's long-term norm; monthly data is highly sensitive to individual large attack events, and a single major attack is enough to raise the entire month's figures.
However, the drop from $650 million to $68.3 million does not imply that the security level has structurally improved; it is more likely a case of "an extreme high reverting to existing lower ranges." Since there had already been two months below $100 million previously, May seems more like a return to this relatively low loss state rather than the start of an entirely new security phase. Current evidence is limited to a few months' cross-sections, which is insufficient to conclude that risks are on a long-term decline. Whether the industry has truly emerged from the high-risk cycle still requires observation of the sustained performance in the subsequent months.
Code vulnerabilities consume two-thirds of losses
Structurally, the main cause of the losses in May remains concentrated at the code level. According to CertiK's report, losses due to code vulnerabilities in May 2026 amounted to approximately $45 million, accounting for about 66% of that month's total losses of around $68.3 million. This indicates that in the breakdown of attack types, issues directly related to code still top the list, and the main pressure points of security events remain in underlying aspects such as contract logic and protocol implementation, with weaknesses at the protocol layer not disappearing simply because the total for a single month has receded.
In contrast, the impact of traditional social engineering methods is clearly weaker than that of code issues. In May, phishing attacks caused losses of about $2.6 million, significantly lower than the losses from code vulnerabilities, though combined the two still covered a significant portion of the month's losses. This "top-heavy" loss structure suggests that the current risk focus is concentrated on the contract and protocol implementation layers, rather than merely on user-end protection gaps. It also means that, at this stage, any claim that overall risk has significantly decreased must first address one question: has code safety at the protocol level been structurally enhanced?
Verus Protocol cross-chain theft of $11.5 million
According to CertiK statistics, the largest single loss event in May came from the Verus Protocol cross-chain bridge, with approximately $11.5 million stolen. Given the total losses of about $68.3 million for that month, this single incident accounted for over one-sixth of the total, marked by CertiK as the highest loss case in May. In contrast to the aforementioned "long tail" incidents dominated by code vulnerabilities, these types of attacks concentrated on cross-chain infrastructure can quickly amplify into a decisive variable in the monthly data once a transaction path or a contract component is compromised.
From the perspective of risk structure, the Verus Protocol case illustrates that even though the industry's overall losses significantly decreased in May, infrastructure such as cross-chain bridges that carry multi-chain assets remains a high-value target that hackers specifically aim for. Once the control or verification logic of a cross-chain bridge is breached, the losses are no longer "noise" in the hundreds of thousands or millions; they quickly rise to become the dominant item in the monthly report. Cross-chain bridge security is therefore a core variable in the current risk structure, one that cannot be overlooked simply because "losses recede."
Recovering $9.4 million: Emergency response is showing effect
Judging by the results, May was not a month of "total loss." According to CertiK data, approximately $9.4 million was recovered or returned during May 2026, accounting for 13.8% of the month's total losses of about $68.3 million. This ratio was separately included in the report, indicating that the industry has begun to gauge the effectiveness of security systems by how much can be recovered, rather than merely focusing on the loss amount itself. In other words, aside from preemptive protection, how to freeze, trace, negotiate, and even drive the return of funds on-chain after an incident is becoming an important part of the daily work of security teams.
However, this 13.8% also starkly reveals the harsh reality: over 80% of the stolen funds remain unrecovered. The recovery cases pointed out by CertiK often rely on several common conditions—quick monitoring and alerting of unusual fund flows by the project, prompt activation of emergency response plans after an attack occurs, communication and negotiation with the attackers, or involving third-party security agencies to assist in confirming paths and facilitating returns. These actions essentially require that the project has already established a "wartime mechanism" in terms of monitoring systems, authority management, and decision-making processes. However, at the current stage, even though emergency responses are proving effective and some losses can be salvaged, the overall data still reminds the industry: post-incident accountability and recovery can only reduce marginal losses, and the real upper limits on losses remain determined by pre-existing architectural security and code quality.
Security data cooling but risk focus unchanged
From the data, the total losses in May 2026 were about $68.3 million, showing a near 90% month-on-month decline from the peak of about $650 million in April, and becoming the third month of the year with losses below $100 million, presenting a "cooling" safety report on the surface. However, when broken down structurally, about $45 million, accounting for around 66%, still comes from code vulnerabilities, while the largest single event remains the theft of about $11.5 million from the Verus Protocol cross-chain bridge. This indicates that what truly dominates tail risk is still the aspects of contract logic and infrastructures like cross-chain bridges, rather than minor long-tail attacks. Meanwhile, approximately $9.4 million was recovered or returned, accounting for about 13.8% of the month's losses, suggesting that there has been some progress in emergency responses among projects, but the fundamental pattern of "as long as the core code and bridging architecture have flaws, single point failures can be amplified" has not changed. For project teams, the next focus remains to deepen and refine contract auditing, formal verification, and upgrade processes to block potential vulnerabilities on-chain; for investors and ordinary users, it is necessary to continue tracking two variables when interpreting this monthly report: whether the overall losses in subsequent months can remain at this relatively low range, and whether cross-chain bridges and core contracts will experience significant security incidents similar to the Verus Protocol, because only if both dimensions maintain "calm" can the current receding data be seen as a true signal of improvement in the security situation.