To truly grasp how damaging the May 2026 data breach is, you need to first look at what happened in April.
April 2026 saw a significant surge in crypto security breaches, making it the worst month on record since the large-scale Bybit hack in February 2025. Security firms CertiK and PeckShield reported a combined total of over $600 million lost across nearly 30 incidents. The majority of these losses stemmed from two major attacks. First, the Drift Protocol lost $285 million after a six-month social engineering campaign by North Korean hackers culminated in a swift exploit. Seventeen days later, Kelp DAO was hacked for $292 million when attackers bypassed the smart contract by overwhelming the system with traffic, forcing it to switch to a compromised backup and creating fake tokens. Multiple security experts, including TRM Labs and Elliptic, have linked both attacks to the Lazarus Group, a hacking organization associated with North Korea.
Together, Drift and Kelp DAO accounted for roughly 89% of April’s total losses.
Going into May, most people thought we wouldn’t see two major exploits like the ones that happened previously. That’s proven true – no single attack resulted in losses over $15 million. However, May didn’t bring the expected recovery. Instead, we saw a lot of smaller attacks – ranging from $2 to $12 million – happening constantly. These weren’t typical smart contract hacks, but rather attacks targeting different parts of the decentralized system’s infrastructure.
Honestly, as a crypto investor, I was pretty shaken up by what Manuel Aráoz, the founder of OpenZeppelin, recently said on X. He basically stated he thinks all of DeFi is currently unsafe. He pointed out that AI is now so good at finding flaws in code, and the risk is just too high – we, as the defenders, have to be perfect, while attackers only need to find one weakness to steal everything. Coming from *him*, and after seeing so many exploits lately, it really felt like a serious warning sign. It’s definitely made me rethink my risk tolerance in DeFi.
This difference is important. Our April report highlighted a concerning trend for 2026, describing it as a slow decline. The data from May now shows us exactly what that decline looks like in practice.
The May Ledger: Mapping the Damage
A review of confirmed protocol security incidents for May 2026 shows that current threats are scattered and lack a clear pattern.
| Date | Protocol / Layer | Estimated Loss (USD) | Core Attack Vector |
|---|---|---|---|
| Apr 30 | Wasabi Protocol (Ethereum/Base/Blast) | ~$5,000,000 | Multi-chain operational exploit; triggered Berachain emergency alert. |
| May 7 | TrustedVolumes (1inch RFQ Pool) | $6,200,000 | RFQ proxy signature validation flaw; unauthorized signer registration. |
| May 11 | THORChain Core Vaults | $10,800,000 | GG20 threshold signature scheme side-channel leakage via rogue node. |
| May 17 | Verus–Ethereum Bridge | $11,580,000 | Source-side balance validation failure on cross-chain settlement. |
| May 18 | GitHub Developer Environment | Code Exfiltration | Poisoned Nx Console extension; lateral SSH credential harvesting. |
| May 21 | Polymarket UMA Adapter | $660,000 | Compromised six-year-old legacy automated hot wallet private key. |
| Various | CrossCurve Layers | ~$3,000,000 | Spoofed cross-chain contract messaging via Axelar-linked endpoints. |
| Various | SquidRouterModule (86 Safes) | $3,200,000 | Socially engineered third-party module utilizing on-chain plaintext code. |
| Various | RetoSwap / Haveno Core | $2,700,000 | Spoofed ACK message during Tor-based 2-of-3 multisig instantiation. |
| Various | StakeDAO Arbitrum Instance | $91,000 (Realized) | Private key compromise; 5.4T vsdCRV minted; capped by thin pool liquidity. |
While losses from major security incidents totaled around $52 million this month, according to DeFiLlama, that’s significantly less than in April. However, a wider look at security losses reveals a more concerning trend. CertiK reports that total losses so far this year have reached $1.1 billion across 185 incidents, suggesting that attacks are becoming more widespread rather than less frequent.
DeFiLlama’s Macro View: The $20B Capital Flight
To understand the situation in May 2026, it’s crucial to look at overall liquidity in the market. Since the beginning of the year, the total value of assets locked in DeFi (decentralized finance) has dropped by over $20 billion.
Ethereum, the leading platform for decentralized finance (DeFi) with 53.91% of all locked value, saw a significant drop of 17.91% – from over $56 billion to $46.17 billion – in just one month following the Kelp DAO security incident. Data from DefiLlama shows that, excluding Tron, all of the top 20 blockchain platforms experienced a decrease in their total value locked (TVL) during the same period.
- Mantle: Down 52.01% monthly.
- Ink: Down 34.80% monthly.
- Solana: Down 19.04% monthly.
- BNB Chain: Down 5.61% monthly.
From my research, what we’re seeing isn’t just a problem with one specific protocol or a single part of the crypto world. It’s a wider trend of money moving *out* of non-custodial platforms – meaning places where users fully control their assets. Instead, investors are clearly shifting funds into areas they see as safer. This includes things like tokenized real-world assets supported by established companies, stablecoins where reserves are publicly and independently audited, and even traditional exchange-traded funds (ETFs) that handle the technical side of things, removing the risks associated with smart contracts.
Anatomy of the Month’s Key Exploits
The attacks in May 2026 weren’t just random events; they clearly showed the weak points in the decentralized financial system.
1. Threshold Signature Implementations (THORChain)
A recent attack on THORChain, occurring between May 11th and 15th and totaling around $10.8 million, was considered exceptionally complex by several security experts. The protocol relies on a system called GG20, which distributes the creation of private keys among its validators. This means no single computer holds the complete key, enhancing security through a multi-party process originally developed by Binance and now used in many cross-chain systems.
The attackers didn’t crack the encryption itself. They found a flaw in how the software was built, which caused small bits of the secret key to leak out slowly during the signing process. They added a compromised computer to the network days before the attack and used it to collect enough of this leaked information to rebuild the main vault’s private key without directly accessing the vault.
As a researcher following this incident, I can report that the exploit resulted in a loss of around 36.75 Bitcoin and $7 million worth of tokens across several blockchains – Ethereum, BNB Chain, and Base. This impacted over 12,800 wallets. The protocol team responded by launching a recovery portal, funded with $10 million from their treasury, and set a claim deadline of June 4th. What’s particularly notable is that this recovery effort is the largest we’ve seen this year from a non-custodial protocol. Following the disclosure of the exploit, the price of RUNE dropped by 13 to 14%.
This raises a bigger concern: because GG20 is used in other systems, any bridge relying on the same technology now has to assume that its sensitive key material could be exposed in the same way. Essentially, these bridges have to operate on the assumption that a security breach is possible.
2. RFQ Proxy Authorization (TrustedVolumes)
On May 7th, a security breach at TrustedVolumes, a liquidity provider connected to 1inch, resulted in the theft of approximately $5.87 to $6.7 million worth of cryptocurrencies, including WETH, WBTC, USDT, and USDC. The attack exploited a vulnerability where anyone could add themselves as an authorized trader. The attackers then used outdated permissions from previous 1inch users to create fake trades that appeared valid.
Security firm Blockaid believes the attacker is the same one responsible for a similar attack on 1inch Fusion V1 in March. This means one attacker has stolen over $11 million in two attacks that targeted how different systems handle requests for quotes. The core 1inch system itself wasn’t broken into; the issue was with the independent security measures of TrustedVolumes.
3. Cross-Chain Bridge Validation (Verus, CrossCurve)
On May 17th, the Verus–Ethereum bridge suffered a loss of $11.58 million due to a critical oversight: it didn’t verify if the amount of funds being transferred matched the actual payout. Similarly, CrossCurve lost around $3 million because its system incorrectly accepted fake messages as genuine communications from another blockchain, Axelar. Both incidents stemmed from failures in properly validating information during cross-chain transfers.
As a researcher tracking these events, I can say that these two recent incidents, along with the $292 million loss from Kelp DAO in April, together mark the most costly series of failures we’ve ever seen involving bridge architectures. It’s a really significant event in terms of financial impact.
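The two validation steps whose absence is described in this section, sketched as an added example (not code from Verus, CrossCurve or Axelar): a destination-side settlement routine that accepts messages only from its configured gateway and releases only what the source chain shows as locked for that transfer. All names, identifiers and amounts are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed identifiers for illustration; not real contracts or chains.
GATEWAY = "gateway.example"
SOURCE_CHAIN = "chain-a"

@dataclass(frozen=True)
class BridgeMessage:
    transfer_id: str
    source_chain: str
    sender: str      # caller that delivered the message on the destination
    recipient: str
    payout: int      # amount the message asks the destination to release

class SettlementError(Exception):
    """Raised when a cross-chain message fails validation."""

@dataclass
class Settlement:
    # transfer_id -> amount locked on the source chain. A real bridge would
    # take this from a verified source-chain proof; here it is a plain dict.
    source_locks: dict
    settled: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

    def settle(self, msg: BridgeMessage) -> int:
        # Origin: reject anything not delivered by the configured gateway.
        if (msg.sender, msg.source_chain) != (GATEWAY, SOURCE_CHAIN):
            raise SettlementError("untrusted origin")
        # Replay: each source-side lock settles at most once.
        if msg.transfer_id in self.settled:
            raise SettlementError("already settled")
        # Source-side balance: payout must equal what was actually locked.
        locked = self.source_locks.get(msg.transfer_id)
        if locked is None:
            raise SettlementError("no matching lock on source chain")
        if msg.payout != locked:
            raise SettlementError(f"payout {msg.payout} != locked {locked}")
        self.settled.add(msg.transfer_id)
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + locked
        return locked

def try_settle(s: Settlement, msg: BridgeMessage):
    try:
        return ("ok", s.settle(msg))
    except SettlementError as exc:
        return ("rejected", str(exc))

def demo():
    s = Settlement(source_locks={"t1": 100, "t2": 5})
    msgs = [
        BridgeMessage("t1", SOURCE_CHAIN, GATEWAY, "alice", 100),    # honest
        BridgeMessage("t2", SOURCE_CHAIN, GATEWAY, "mallory", 5000), # payout > lock
        BridgeMessage("t3", SOURCE_CHAIN, GATEWAY, "mallory", 50),   # nothing locked
        BridgeMessage("t2", SOURCE_CHAIN, "spoof.example", "mallory", 5),  # spoofed
        BridgeMessage("t1", SOURCE_CHAIN, GATEWAY, "alice", 100),    # replay
    ]
    return [try_settle(s, m) for m in msgs], s.balances
```

Calling `demo()` settles only the first message; the other four are rejected before any balance changes.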
4. Modular Wallet Extensions (SquidRouterModule)
In May, 86 Safe wallets lost a total of $3.2 million due to a security flaw. These wallet owners had chosen to connect a third-party tool called “SquidRouterModule,” which the creators of Squid Router had already stated wasn’t officially part of their system. This tool used a simple, publicly visible code on the blockchain to approve transactions. An attacker exploited this weakness, gaining the ability to bypass the wallets’ normal security measures—which weren’t actually failing, because the attacker didn’t need their approval.
5. Legacy Key Hygiene (Polymarket)
On May 21st, a security breach involving the Polymarket UMA CTF Adapter resulted in the loss of over $660,000 worth of POL tokens. The cause was a surprisingly basic error: a private key that was six years old and still in use for automatically adding funds was compromised. The attacker drained 5,000 POL tokens every 30 seconds and then moved the stolen funds through more than 15 different addresses using a service called ChangeNOW to hide the source.
Despite a security lapse, user funds were always safe and the core system for settling bets wasn’t compromised. However, Polymarket, a major prediction market platform processing $3.7 billion monthly, mistakenly continued to use an old, compromised private key from 2020 to access critical financial services in 2026. This type of error – a failure in key management – could happen no matter how thoroughly the platform’s underlying code is checked for bugs.
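A detection sketch for the drain pattern described above, added here as an example and not Polymarket’s or any vendor’s code: it scans outbound transfers from a funding wallet for runs of identical amounts sent at a near-constant interval, even when the destination rotates. The log format, wallet labels, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample, "unix_ts source destination amount_POL"; not chain data.
SAMPLE_LOG = """\
1000 refill-wallet adapter-1 120
1400 refill-wallet adapter-2 75
2000 refill-wallet addr-01 5000
2030 refill-wallet addr-02 5000
2061 refill-wallet addr-01 5000
2090 refill-wallet addr-03 5000
2120 refill-wallet addr-02 5000
2500 other-wallet adapter-1 5000
"""


def parse(log):
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:                      # skip malformed lines
            rows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
    return rows


def find_periodic_drains(rows, min_run=4, jitter=2):
    """Flag runs of >= min_run equal-amount outflows from one wallet whose
    spacing stays within `jitter` seconds of the run's first interval."""
    groups = defaultdict(list)
    for ts, src, dst, amount in rows:
        groups[(src, amount)].append((ts, dst))  # destination may rotate
    alerts = []
    for (src, amount), events in groups.items():
        events.sort()
        times = [ts for ts, _ in events]
        start = 0
        for i in range(2, len(times) + 1):
            base = times[start + 1] - times[start]
            ended = i == len(times) or abs(times[i] - times[i - 1] - base) > jitter
            if not ended:
                continue
            if i - start >= min_run:
                alerts.append({
                    "source": src, "amount": amount, "count": i - start,
                    "interval": base, "total": amount * (i - start),
                    "destinations": sorted({d for _, d in events[start:i]}),
                })
            start = i - 1                        # next run may begin here
    return alerts


if __name__ == "__main__":
    for alert in find_periodic_drains(parse(SAMPLE_LOG)):
        print(alert)
```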
What Doesn’t Show Up in the Topline Numbers
In May, two events didn’t involve direct theft, but they could have a bigger impact on security throughout the rest of the year.
- The first is the StakeDAO incident, in which an attacker compromised a deployer private key on Arbitrum and used it to mint 5.4 trillion unbacked vsdCRV tokens — nominally $763 billion on paper. The attacker realized exactly $91,000 in profit, because thin AMM liquidity collapsed the swap output curve. The protocol was saved from a catastrophic outcome by market illiquidity, not by its own security architecture. The implication is uncomfortable: at higher liquidity depth, the same exploit becomes the largest theft in financial history.
- The second is the GitHub corporate breach of May 18–20, in which attackers exfiltrated approximately 3,800 internal repositories after a GitHub employee installed a poisoned version of the Nx Console developer extension. The compromise harvested SSH keys at scale. While GitHub stated there was no evidence of customer-data impact, the same threat actor had compromised employee devices at OpenAI, Mistral AI, and UiPath days earlier through similar open-source package poisoning.
The biggest risks to DeFi aren’t within the code itself, but in the tools and infrastructure used to create it. DeFi protocols rely on shared resources like open-source code, libraries, and development tools. If these foundational elements are compromised, attackers could sneak malicious code into a project *before* it’s even launched – and traditional on-chain security checks wouldn’t be able to find it.
The Laundering Pipeline: Where the May Money Went
In May 2026, every successful hack didn’t just involve stolen money – it also included attempts to disguise the source of those funds. By following the path of the stolen cryptocurrency, we can see how the systems used to launder it were developing and changing.
The dominant patterns observed across May 2026 incidents:
- THORChain proceeds were routed through the protocol’s own cross-chain infrastructure into Bitcoin and other base assets. The attacker leveraged the very system they had compromised as a laundering layer — a particularly cruel feature of the exploit.
- TrustedVolumes proceeds were converted entirely into Ether through a no-KYC exchange and fragmented across multiple wallets, with nearly $5.86 million still sitting unspent in identified wallets as of late May. A small portion — 10.2 ETH (~$23,735) — moved into Tornado Cash, and 0.45 ETH (~$1,053) into RailGun. The vast majority remains parked, suggesting the attacker is waiting for forensic attention to fade before moving the funds further.
- Verus bridge proceeds were moved into Ether and consolidated.
- Polymarket UMA proceeds were fragmented across more than 15 separate addresses and deposited into ChangeNOW, a non-custodial swap service that has become a preferred laundering tool because it requires no KYC and does not freeze funds in response to law enforcement notifications.
- RetoSwap proceeds were stolen as Monero — making any forensic recovery effectively impossible.
Money laundering operations observed in May 2026 are far more complex than those seen just a year earlier. Stolen funds are now commonly broken into small amounts and spread across many different accounts, using privacy tools like Tornado Cash, RailGun, ChangeNOW, and Monero. These funds are also held offline for weeks before being moved again. Companies specializing in tracking these transactions – such as TRM Labs, Chainalysis, Elliptic, and PeckShield – are facing an opponent who understands their techniques and has developed ways to avoid detection.
Compared to April, May has seen a significant drop in major enforcement actions related to cryptocurrency exploits. In April, authorities froze $344 million in USDT on the Tron network and Arbitrum’s Security Council blocked $71 million in ETH connected to a hacker. This May, however, exploiters have avoided the methods and platforms that were targeted in those April actions, and so far there have been no similar large-scale freezes.
The DPRK Continuity
Lazarus continued to make news in May, much like it did in April, though its activities were less prominent and focused on different areas.
As part of my research into cryptocurrency security threats, I’ve been analyzing data from CertiK’s recent reports. Their May 13th Skynet report on North Korean (DPRK) activity is particularly concerning. It shows that actors linked to North Korea are responsible for a staggering 55% of all crypto theft in 2026, even though they’ve only been involved in 12% of the actual incidents. Looking at data from January to mid-May 2026, we’ve seen around 185 incidents resulting in approximately $1.1 billion in total losses, and roughly $620.9 million of that can be directly attributed to North Korean actors. What’s really striking is that the Kelp DAO exploit, which amounted to $291 million, makes up almost half of the total losses we’ve linked to North Korea.
Recent events clearly show a consistent pattern of attacks. The April attack on Drift Protocol wasn’t a sudden event, but the result of six months of careful manipulation. The Kelp DAO attack didn’t even target the code itself, but compromised the underlying systems. We suspect the attacker who repeatedly targeted TrustedVolumes and 1inch Fusion V1 has ties to North Korea. Security experts believe North Korean groups were also behind the supply-chain attacks on companies like OpenAI, Mistral, and UiPath, which happened before the breach at GitHub. These incidents aren’t happening by chance; they’re connected.
North Korea has essentially turned cryptocurrency theft into a major source of income for the government. This has been a long-term, ongoing effort to earn money in foreign currency, especially given the strict international sanctions against the country. As of 2024, estimates show they’ve stolen around $6.75 billion in cryptocurrency through 263 separate attacks since 2016. If they continue at the current rate, they’re on track to steal over another billion dollars each year.
What May Tells Us About the Rest of 2026
Based on data from May 2026, we’ve identified three key points that should influence how security is approached by those setting rules, conducting audits, and managing investments throughout the second half of 2026.
As a crypto investor, I’ve noticed a big shift in where hacks are happening. It used to be that a smart contract passing an audit meant it was reasonably safe, but that’s just not true anymore. Every major exploit this past May targeted something *around* the core code – things like outdated permissions, old private keys, external tools the contract used, or even the systems connecting different blockchains. Getting a code audit is still important, but it’s definitely not enough to protect your investment these days. We need to look at the bigger picture now.
As a crypto investor, I’ve realized that the kind of problems we saw back in April – where one project’s failure ripples through the entire DeFi space – aren’t going away. We saw this firsthand with Kelp DAO’s issues causing a $190 million shortfall for Aave, and the THORChain exploit practically shut down cross-chain DeFi for a whole day. It’s scary to learn that some attackers are repeat offenders, and the SquidRouter exploit showed how relying on modular ecosystems can leave you vulnerable if security isn’t handled carefully. Basically, the very thing that makes DeFi so powerful – how everything connects and builds on each other – also means that even a single hack can have huge consequences for the whole system.
Security breaches now have severe financial consequences for projects. Data from Immunefi shows that a hacked token typically loses 61% of its value within six months, and rarely fully recovers. For example, the RUNE token dropped 13-14% immediately after a security issue was revealed in May. Larger hacks in April caused even more significant losses. Experts predict that by May 2026, the impact of these failures won’t be seen as temporary setbacks, but as a fatal blow for projects that don’t have substantial financial reserves.
Despite bracing for recovery after a turbulent April marked by significant security breaches, May’s data reveals a concerning trend. While the total financial losses appear small, the underlying issues are substantial. The vulnerabilities exposed – affecting areas like bridge security, data leaks, request for quote systems, wallet design, outdated keys, and supply chains – impact the core infrastructure of thousands of projects and fall outside the bounds of typical security checks. Unless these weaknesses are addressed, we can expect a continued pattern of slow, consistent financial losses from the system, happening in multiple ways each week, rather than one large-scale event.
2026-05-31 07:34