What Happened in May
TAC Protocol - $2.8M (early May). The protocol lost $2.8 million, but the incident was later classified as a white hat event: the hacker returned the funds and claimed a 10% bounty. One of the rare cases in 2026 where the story ended well.
Transit Finance - $1.88M (May 13). The cross-chain aggregation protocol was drained through a routing vulnerability. Funds were converted to ETH and laundered through mixers. Small by May's standards, but meaningful: attacks on aggregator infrastructure have become their own category of threat.
THORChain - $10.8M (May 15). One of the main cross-chain protocols is on the victim list again. The attack ran simultaneously across nine networks: Bitcoin, Ethereum, BNB Chain, Base, Avalanche, DOGE, Litecoin, Bitcoin Cash, and XRP. The vulnerability was a bug in the Bifrost Attestation Gossip protocol that allowed the attacker to forge a node signature and gradually reconstruct the private key of an Asgard vault. ZachXBT flagged the attack first, PeckShield confirmed it. Trading was halted. Worth noting: THORChain has been the primary laundering rail in two of the year's biggest hacks - KelpDAO and Bybit. This time, it was the target itself.
Verus-Ethereum Bridge - $11.58M (May 18). An exploit targeting the validation logic in the bridge's Solidity code allowed the attacker to release assets on the Ethereum side without confirming backing on the Verus side. The attacker drained 1,625 ETH, 103.6 tBTC, and 147,000 USDC, ultimately converting everything into 5,402 ETH. The attacker's wallet was traced to a Tornado Cash seed.
Echo Protocol - $816K actually stolen / $76.7M minted (May 19). This one needs a separate explanation. The attacker illegally minted 1,000 eBTC worth $76.7 million, used them as collateral in the Curvance lending protocol, borrowed real assets, and exited with 384 ETH (\~$821K) through Tornado Cash. The $76.7 million figure represents the value of the unauthorized mint, not confirmed stolen funds. Echo suspended cross-chain activity, Curvance froze the affected lending market.
Three days, May 15 to 19. Three protocols. $23.2 million in real losses. One exploit every thirty-six hours.
Where This Fits
May is the continuation of a systemic problem that started in April. Across the first five months of 2026, DeFi losses from exploits surpassed $840 million, with April alone accounting for $651 million - the worst single month in the industry's history.
According to TRM Labs, North Korean hacking groups were responsible for 76% of all global crypto hack losses in the first four months of 2026. Lazarus Group and its TraderTraitor subgroup have been officially linked to the KelpDAO ($292M) and Drift Protocol ($285M) attacks in April. Attribution for the THORChain exploit remains open as of publication.
Bridges remain the most vulnerable point of the entire ecosystem. Eight major bridge incidents since January have collectively drained $328.6 million per PeckShield's mid-May tally. The pattern is consistent: either key compromise or forged cross-chain messages. Attackers are not looking for new vectors - they keep exploiting the same architectural weaknesses because those weaknesses have not been fixed.
May's numbers are not final. The month ends today. The 2026 security story is still being written.
Based on confirmed data, May's real losses amount to approximately $27 million - and with TAC Protocol returning funds and Verus recovering $8.5 million of the $11.58 million stolen, the net unrecovered losses are closer to $15-16 million. PeckShield and CertiK's full monthly report is expected on June 1-2.
Against the rest of 2026, the picture looks like this:
-\*\*January \*\*came in at $86 million,
-\*\*February \*\*at $26-37 million,
-\*\*March \*\*at $52 million,
-\*\*April \*\*exploded to a record $651 million driven by the two Lazarus Group attacks on Drift Protocol and KelpDAO, which together accounted for 89% of the month's losses. May, by preliminary figures, returns to the February-March range - a relatively quiet month after a catastrophic April. But "quiet" in 2026 means 14 confirmed incidents and $27 million in losses. The industry has simply adjusted to a different scale.
.png)

