NOMINIS Monthly Report: Crypto Exploits and Attacks in May 2026

Jun 3, 2026

Introduction 

May 2026 saw a continuation of significant security incidents across the cryptocurrency ecosystem, with attackers targeting a diverse range of infrastructure including cross-chain bridges, DeFi protocols, launchpads, prediction markets and liquidity providers. 

Across the eleven major incidents analysed in this report, attackers stole approximately $124.9 million, highlighting the persistent threat posed by both technical vulnerabilities and operational security failures throughout the industry.

While substantial, May's losses were significantly lower than those observed in April 2026, when the month's largest incidents resulted in approximately $585.6 million in stolen funds. This represents a decrease of almost 79%, suggesting that although large-scale attacks remain common, May was characterised by a greater number of mid-sized incidents rather than a small number of exceptionally large breaches.

The attacks observed during May also reveal several notable shifts in attacker behaviour. Rather than focusing exclusively on traditional smart contract vulnerabilities, attackers increasingly targeted cross-chain verification mechanisms, privileged administrative access, operational wallets and other trust-based components of crypto infrastructure. Cross-chain bridges emerged as the most frequently targeted entity type, accounting for 42% of the major incidents reviewed, while private key compromises and access-control failures continued to demonstrate that operational security remains one of the industry's most significant challenges.

Taken together, the incidents analysed this month suggest that attackers are increasingly focusing on the systems that enable blockchain ecosystems to interact with one another, as well as the permissions and trust relationships that allow protocols to function. As interoperability infrastructure grows more complex and artificial intelligence continues to accelerate vulnerability discovery, these trends may represent an early indication of how the crypto threat landscape is evolving.

Major crypto attacks in May 2026

TrustedVolumes - 07/05/2026

Type: Access Control Exploit 

At the beginning of the month, the DeFi protocol TrustedVolumes was exploited through a vulnerability in the authorisation system that managed the list of addresses permitted to sign RFQ (Request-for-Quote) trading orders. The attacker discovered that the signer registration mechanism lacked adequate access controls, allowing them to add their own wallet as an authorized signer. Once recognized by the protocol as a legitimate liquidity provider, the attacker was able to generate fraudulent but validly signed orders that the smart contract accepted as genuine. This enabled the unauthorized transfer of assets held within TrustedVolumes' liquidity infrastructure, resulting in the theft of approximately $6.7 million in WETH, WBTC, USDT, and USDC. Unlike a flash-loan, oracle, or bridge exploit, the attack relied on privilege escalation through a smart contract access-control failure, effectively allowing the attacker to impersonate an approved market maker and execute malicious trades.

Impact: $5,900,000

 TONTAC - 11/05/2026 

Type: Cross-Chain Bridge Exploit 

Several days later, the TAC Bridge was exploited. The attack involved a flaw in the bridge’s deposit verification process on the TON network. The attacker created counterfeit TON Jetton wallets that mimicked legitimate token wallets and then generated fraudulent deposit notifications that appeared valid to the bridge infrastructure. Because the bridge failed to verify that the deposit messages originated from the canonical wallet associated with the official token master contract, it incorrectly treated the fake deposits as legitimate. This allowed the attacker to trigger the minting of unbacked assets on the TAC side of the bridge without locking any real collateral on TON. As a result, approximately $2.85 million worth of assets, including USDT, BLUM, and tsTON, were fraudulently minted and withdrawn. 

Impact: $2,850,000
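
An added Python model of the missing origin check (not TAC's code): the bridge credits a deposit only when the notification's sender is the wallet that the official token master derives for the bridge's own address. `derive_wallet` is a simplified SHA-256 stand-in for TON's real address derivation, and every name and address is constructed.

```python
import hashlib
from dataclasses import dataclass


def derive_wallet(master: str, owner: str) -> str:
    """Simplified stand-in for deterministic token-wallet addressing:
    the address depends only on (token master, wallet owner)."""
    return hashlib.sha256(f"{master}|{owner}".encode()).hexdigest()[:40]


@dataclass(frozen=True)
class DepositNotification:
    sender: str      # contract that delivered the message to the bridge
    token: str       # token the message claims to carry
    amount: int
    depositor: str


class Bridge:
    def __init__(self, address: str, token_masters: dict):
        self.address = address
        # One canonical wallet per supported token: the wallet the official
        # master contract derives for the bridge's own address.
        self.canonical = {derive_wallet(master, address): symbol
                          for symbol, master in token_masters.items()}
        self.minted = {}

    def _mint(self, n: DepositNotification) -> None:
        key = (n.token, n.depositor)
        self.minted[key] = self.minted.get(key, 0) + n.amount

    def on_deposit_unchecked(self, n: DepositNotification) -> bool:
        # Weak form: believes the message body and ignores who sent it.
        self._mint(n)
        return True

    def on_deposit_checked(self, n: DepositNotification) -> bool:
        # Corrected form: the sender must be a canonical wallet, and the token
        # it is registered for must match what the message claims.
        if self.canonical.get(n.sender) != n.token or n.amount <= 0:
            return False
        self._mint(n)
        return True


def demo() -> dict:
    masters = {"USDT": "master-usdt", "tsTON": "master-tston"}  # constructed
    addr = "bridge-addr"                                        # constructed
    genuine = DepositNotification(
        derive_wallet("master-usdt", addr), "USDT", 100, "alice")
    # Look-alike wallet derived from a master the bridge never registered.
    lookalike = DepositNotification(
        derive_wallet("master-other", addr), "USDT", 10**9, "mallory")
    weak, strict = Bridge(addr, masters), Bridge(addr, masters)
    return {
        "weak": [weak.on_deposit_unchecked(genuine),
                 weak.on_deposit_unchecked(lookalike)],
        "strict": [strict.on_deposit_checked(genuine),
                   strict.on_deposit_checked(lookalike)],
        "strict_minted": strict.minted,
    }


if __name__ == "__main__":
    print(demo())
```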

 Transit Finance - 13/05/2026 

Type: Contract Logic Flaw 

Just a couple of days later, DeFi DEX aggregator Transit Finance experienced an exploit when an attacker abused a vulnerability in the protocol's smart contract architecture that allowed user-controlled parameters to influence external contract calls. By crafting malicious calldata, the attacker was able to trigger unauthorized token transfers from wallets that had previously granted spending approvals to the Transit Finance contracts. Unlike a private key compromise, the attacker did not need direct access to user wallets; instead, they leveraged existing token allowances and insufficient input validation within the protocol's transaction routing logic to move assets without authorization. The exploit primarily affected users on BNB Chain and resulted in the theft of approximately $1.88 million worth of assets, including BNB, BUSD, USDT, and other BEP-20 tokens. 

Impact: $1,880,000
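
The input validation this incident lacked, as an added Python example (not Transit Finance's code): it rejects user-supplied external calls that target a token contract or carry an ERC-20 fund-moving selector, and builds the allowance pull itself with the owner fixed to the caller. The addresses, the adapter selector and all function names are constructed; the three ERC-20 selectors are the standard ones.

```python
# Standard ERC-20 selectors (first 4 bytes of calldata).
TRANSFER = bytes.fromhex("a9059cbb")       # transfer(address,uint256)
APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
TOKEN_SELECTORS = {TRANSFER, APPROVE, TRANSFER_FROM}

# Constructed placeholders, not real deployments.
ROUTER = "0x" + "aa" * 20
ADAPTER = "0x" + "bb" * 20
TOKEN = "0x" + "cc" * 20
SWAP = bytes.fromhex("0badc0de")           # hypothetical adapter selector


def _addr_word(addr: str) -> bytes:
    """ABI-encode an address as a left-padded 32-byte word."""
    raw = bytes.fromhex(addr[2:])
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return bytes(12) + raw


def encode_transfer_from(owner: str, to: str, amount: int) -> bytes:
    return (TRANSFER_FROM + _addr_word(owner) + _addr_word(to)
            + amount.to_bytes(32, "big"))


def router_pull(msg_sender: str, amount: int) -> bytes:
    """Calldata the router builds itself: the owner is always the caller,
    so no other wallet's allowance can be spent through the router."""
    return encode_transfer_from(msg_sender, ROUTER, amount)


def check_route_call(target: str, calldata: bytes,
                     allowed_calls: set, token_contracts: set) -> tuple:
    """Validate a user-supplied (target, calldata) pair before forwarding it."""
    if len(calldata) < 4:
        return (False, "calldata shorter than a selector")
    target, selector = target.lower(), calldata[:4]
    if target in token_contracts:
        return (False, "target is a token contract")
    if selector in TOKEN_SELECTORS:
        return (False, "ERC-20 fund-moving selector")
    if (target, selector) not in allowed_calls:
        return (False, "target/selector not allowlisted")
    return (True, "ok")


def demo() -> list:
    allowed, tokens = {(ADAPTER, SWAP)}, {TOKEN}
    approver, recipient = "0x" + "11" * 20, "0x" + "22" * 20  # constructed
    samples = [
        (ADAPTER, SWAP + bytes(64)),
        (TOKEN, encode_transfer_from(approver, recipient, 1)),
        (ADAPTER, encode_transfer_from(approver, recipient, 1)),
        ("0x" + "dd" * 20, SWAP + bytes(64)),
    ]
    return [check_route_call(t, d, allowed, tokens) for t, d in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```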

THORChain - 15/05/2026

Type: Threshold Signature Scheme 

In the middle of the month, THORChain experienced an exploit when an attacker leveraged a vulnerability in the protocol's GG20 Threshold Signature Scheme (TSS), the cryptographic system used by validator nodes to collectively manage and sign transactions from protocol vaults. According to THORChain's post-mortem, a malicious validator was able to participate in signing ceremonies and exploit a flaw that gradually leaked key material during the process. Over time, this allowed the attacker to reconstruct the private key controlling a protocol vault and generate valid signatures outside of the normal consensus process. Using the compromised key, the attacker executed unauthorized withdrawals from vaults holding assets across multiple blockchain networks, resulting in losses of approximately $10 million.

Impact: $10,000,000

 Adshares Bridge - 17/05/2026 

Type: Cross Chain Bridge Logic Exploit 

Several days later, the Adshares Bridge experienced an exploit when an attacker abused weaknesses in the bridge's cross-chain verification mechanism to mint unbacked wrapped ADS (wADS) tokens on Ethereum. According to post-incident analyses, the attacker was able to submit fraudulent or invalid transaction references from the Adshares blockchain that were incorrectly accepted by the bridge as legitimate deposits. This enabled the creation of wADS tokens without the corresponding ADS being locked on the source chain. After minting the fraudulent tokens, the attacker sold them into Ethereum-based liquidity pools and converted the proceeds into other assets, resulting in losses of approximately $628,000. The incident is best classified as a cross-chain bridge validation exploit, specifically a proof verification failure that allowed unauthorized minting and withdrawal of bridged assets. Notably, the attacker later returned approximately 86% of the stolen funds to the project.

Impact: $628,000 

Verus Coin Verus - Ethereum Bridge  - 18/05/2026 

Type: Cross Chain Bridge Logic Exploit

The following day, the Verus-Ethereum Bridge experienced an exploit when an attacker leveraged a sophisticated flaw in the bridge's cross-chain export and import validation logic. The attack began on the Verus blockchain, where the attacker successfully submitted specially crafted export transactions containing manipulated supplemental export data that was accepted by the network despite being effectively invalid. Once the relevant cross-chain notarizations were relayed to Ethereum, the attacker submitted a handcrafted import transaction to the Ethereum bridge contract. Due to a parsing inconsistency between how Verus and the Ethereum contract interpreted export data, the contract incorrectly treated supplemental data as a legitimate primary export and accepted fraudulent transfer instructions. This enabled the attacker to withdraw approximately $11 million worth of assets, including ETH, USDC, and tBTC, from the bridge without corresponding legitimate deposits. 

Impact: $11,400,000

Echo Protocol - 19/05/2026 

Type: Admin Key Compromise 

Just a day after this, Echo Protocol experienced an exploit when an attacker gained access to a privileged administrator key and used it to grant themselves unauthorized minting permissions for eBTC, the protocol's synthetic Bitcoin asset. With these elevated privileges, the attacker minted approximately 1,000 unbacked eBTC tokens on the Monad network without depositing any corresponding collateral. The fraudulent tokens were then supplied as collateral to other DeFi applications, allowing the attacker to borrow and withdraw real assets, including WBTC. After extracting the funds, the attacker bridged assets to Ethereum, swapped them into other cryptocurrencies, and moved a portion through Tornado Cash in an apparent attempt to obscure the trail.

Impact: $76,700,000

 MAP Protocol - 20/05/2026 

Type: Cross Chain Bridge Logic Exploit 

The following day, MAP Protocol experienced an exploit when an attacker abused weaknesses in the protocol's cross-chain message verification process to submit fraudulent bridge transactions. By exploiting flaws in how the bridge validated and processed cross-chain messages, the attacker was able to create unauthorized withdrawal requests that were accepted as legitimate by the bridge infrastructure despite lacking the corresponding locked assets on the source chain. This enabled the attacker to drain approximately $2.2 million worth of assets from the protocol's liquidity pools and bridge reserves. 

Impact: $2,180,000

Polymarket UMA CTF Adapter contract - 22/05/2026 

Type: Suspected Admin Key Compromise 

Polymarket experienced a security incident when a private key associated with an internal operational wallet was compromised, allowing an attacker to gain unauthorized access to funds used for reward distribution through the platform's UMA CTF adapter. Unlike a traditional smart contract exploit, the attacker did not exploit a vulnerability in Polymarket's core protocol, prediction markets, or settlement infrastructure. Instead, the compromise was limited to an operational wallet, which enabled the attacker to repeatedly withdraw POL tokens over time. According to on-chain analysis, the attacker drained approximately $520,000 worth of POL before the incident was contained. Polymarket stated that user funds, market positions, and settlement mechanisms were unaffected. 

Impact: $660,000

DxSale - 27/05/2026

Type: Private Key Compromise 

Towards the end of the month, DxSale experienced a security incident that resulted in the theft of approximately $7.3 million from liquidity pools on BNB Chain. According to security researchers, the attack affected more than 1,400 liquidity pools associated with the platform, with the attacker subsequently consolidating stolen assets, including BNB, and transferring a portion of the funds to Binance deposit addresses. While detailed technical information regarding the root cause was limited at the time of reporting, the incident appears to have targeted infrastructure responsible for managing liquidity pool assets rather than individual user wallets. As a result, funds held within affected pools were drained and transferred to attacker-controlled addresses.

Impact: $7,300,000

 Gravity Bridge - 30/05/2026 

Type: Cross Chain Bridge Logic Exploit 

To end the month, yet another cross-chain bridge logic exploit took place. Gravity Bridge suffered an exploit in which attackers abused weaknesses in the bridge's cross-chain validation process to execute unauthorized withdrawals of bridged assets. According to incident reports, the attacker was able to manipulate how the protocol verified cross-chain deposit information, allowing fraudulent withdrawal requests to be treated as legitimate despite lacking the corresponding locked assets on the source chain. This enabled the attacker to drain approximately $5.4 million worth of assets from the bridge's liquidity reserves. The exploit primarily affected infrastructure connecting the Ethereum and Cosmos ecosystems. According to Crypto Investigator Alexander Manev, this attack is a reminder that ‘in cross-chain infrastructure, the weak point is not always the code. Sometimes it is the signing logic, authorization layer, and operational security around the bridge’. The more complex the infrastructure, the more weaknesses there are for attackers to take advantage of.

Impact: $5,400,000

Key Findings and Trends 

Ethereum was the most frequently targeted blockchain

As usual, Ethereum was the most frequently targeted blockchain in the incidents analysed, appearing in seven of the twelve attacks reviewed during the month. The network featured in incidents involving TrustedVolumes, THORChain, Adshares Bridge, Verus Bridge, Echo Protocol, MAP Protocol and Gravity Bridge. This is unsurprising given Ethereum's continued role as the primary settlement layer for decentralised finance, stablecoins, wrapped assets and cross-chain infrastructure. As the largest concentration of value within the crypto ecosystem, Ethereum remains an attractive target for attackers seeking both liquidity and accessibility.

Stablecoins were the Most Commonly Stolen Assets 

USDT and USDC appeared more frequently than any other assets across the incidents analysed, featuring in more than half of the attacks. Bitcoin-related assets such as BTC, WBTC, tBTC and eBTC also appeared regularly, while ETH and WETH were present in the majority of large-scale exploits. This trend highlights the preference of attackers for highly liquid assets that can be rapidly exchanged, bridged across ecosystems and converted into other cryptocurrencies.

 Stablecoins, in particular, offer attackers a means of preserving value without exposure to market volatility, making them a recurring target across a wide range of exploit types.

Cross-Chain Bridges Were the Most Frequently Targeted Entity Type

Cross-chain bridges represented the most frequently targeted category of entity in the dataset, accounting for nearly half of all recorded incidents. Despite comprising only a relatively small segment of the broader cryptocurrency ecosystem, bridge infrastructure was targeted more often than exchanges, launchpads, prediction markets, aggregators or other DeFi protocols. This finding reflects the strategic importance of bridges within the digital asset ecosystem, where they serve as gateways connecting multiple blockchains and often secure significant amounts of locked collateral.

Cross-chain infrastructure introduces unique security challenges because blockchains must somehow verify information originating from external networks. To achieve this, bridge protocols often rely on a combination of validators, relayers, signatures, message proofs, oracles and custom verification mechanisms. Each of these components introduces additional trust assumptions and potential points of failure. The bridge incidents observed during the month demonstrate how attackers are increasingly targeting weaknesses in these verification processes rather than attempting to compromise the underlying blockchains themselves.

Many modern bridge protocols are significantly more sophisticated than earlier lock-and-mint systems. Today's interoperability infrastructure often supports cross-chain messaging, smart contract execution, governance functions, wrapped assets and liquidity routing across multiple ecosystems. While these features improve functionality, they also increase complexity. The diversity of vulnerabilities observed in May suggests that complexity itself may be emerging as a significant security risk, creating opportunities for attackers to identify edge cases and unexpected interactions between protocol components.

Another factor that may be contributing to this trend is the increasing accessibility and capability of artificial intelligence tools. Identifying vulnerabilities in cross-chain infrastructure often requires analysing large codebases, understanding multiple blockchain architectures, tracing message flows and identifying subtle inconsistencies between systems. Tasks that once demanded significant time and expertise can now be accelerated through AI-assisted code review, vulnerability discovery and protocol analysis. The sophistication and diversity of bridge attacks observed during the month suggest that attackers may be benefiting from tools that allow them to identify weaknesses more efficiently. As AI capabilities continue to improve, it is likely that both defenders and attackers will gain access to increasingly powerful analysis tools, potentially accelerating the discovery of vulnerabilities in some of the most complex areas of crypto infrastructure.


While 42% of the top incidents this month were cross-chain bridge related, they were not responsible for the majority of financial losses. The five bridge-related attacks analysed resulted in approximately $22.5 million in losses, representing around 18% of the $124.9 million stolen across the top incidents of the month. This suggests that bridge infrastructure is being targeted more frequently than other sectors, but that attackers are often achieving larger individual payouts through other attack vectors, such as administrator key compromises and protocol-level exploits.

Privileged Access Remains a Critical Point of Failure

While cross-chain bridge exploits dominated the dataset, a significant proportion of incidents stemmed from compromised privileged access rather than flaws in protocol logic. Echo Protocol, Polymarket and DxSale all involved some form of private key, administrator credential or operational wallet compromise, while the TrustedVolumes exploit allowed an attacker to effectively elevate their privileges and impersonate an authorized market maker. Together, these incidents demonstrate that even as smart contract security continues to mature, the human and operational layers of crypto infrastructure remain highly attractive targets. In several cases, attackers did not need to break cryptography, manipulate markets or exploit complex protocol logic; they simply obtained or abused permissions that granted access to sensitive functionality. This highlights a growing need for stronger operational security controls, including multi-signature governance, hardware security modules, role-based access controls and continuous monitoring of privileged accounts.
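
Continuous monitoring of privileged accounts, as an added Python example rather than any protocol's own tooling: it replays an event log and flags privilege changes made outside the governance multisig, self-granted privileges, and mints by roles granted too recently or never granted. The log lines, addresses, the `SignerAdded` event name and the 24-hour delay are constructed assumptions.

```python
import json

GOVERNANCE = "0xgov-multisig"   # constructed: the only approved admin caller
MIN_GRANT_AGE = 24 * 3600       # assumed policy: 24 h before a new role is used
PRIVILEGED = {"RoleGranted", "SignerAdded"}   # SignerAdded is a constructed name

# Constructed sample log, one JSON event per line ("t" is a Unix-style timestamp).
SAMPLE_LOG = """\
{"t": 1000, "tx": "0xa1", "event": "RoleGranted", "by": "0xgov-multisig", "account": "0xminter-1"}
{"t": 90000, "tx": "0xa2", "event": "Mint", "by": "0xminter-1", "amount": 5}
{"t": 91000, "tx": "0xa3", "event": "SignerAdded", "by": "0xunknown-7", "account": "0xunknown-7"}
{"t": 92000, "tx": "0xa4", "event": "RoleGranted", "by": "0xadmin-key", "account": "0xnew-minter"}
{"t": 92060, "tx": "0xa5", "event": "Mint", "by": "0xnew-minter", "amount": 1000}
{"t": 92100, "tx": "0xa6", "event": "Mint", "by": "0xnobody", "amount": 1}
"""


def detect(lines, governance=GOVERNANCE, min_age=MIN_GRANT_AGE):
    """Return (tx, reason) alerts for a time-ordered stream of JSON events."""
    alerts, granted_at = [], {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] in PRIVILEGED:
            granted_at[ev["account"]] = ev["t"]
            if ev["by"] != governance:
                alerts.append((ev["tx"], "privileged change outside governance"))
            if ev["by"] == ev["account"]:
                alerts.append((ev["tx"], "self-granted privilege"))
        elif ev["event"] == "Mint":
            since = granted_at.get(ev["by"])
            if since is None:
                alerts.append((ev["tx"], "mint by address with no recorded grant"))
            elif ev["t"] - since < min_age:
                alerts.append((ev["tx"], "mint by freshly granted role"))
    return alerts


if __name__ == "__main__":
    for tx, reason in detect(SAMPLE_LOG.splitlines()):
        print(tx, reason)
```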

Conclusion 

Although total losses declined significantly compared to April, the incidents observed throughout May demonstrate that the cryptocurrency threat landscape continues to evolve rather than diminish. The attacks analysed this month resulted in approximately $124.9 million in losses and revealed a growing focus on the systems, permissions and trust relationships that underpin modern crypto infrastructure.

Cross-chain bridges emerged as the most frequently targeted category of entity, accounting for 42% of the major incidents reviewed. At the same time, administrator key compromises, operational wallet breaches and access-control failures remained responsible for some of the month's most impactful attacks. Together, these trends suggest that attackers are increasingly targeting the mechanisms that allow protocols, chains and users to trust one another, rather than relying solely on traditional smart contract vulnerabilities.

The diversity of targets observed throughout the month suggests that attackers are increasingly viewing the crypto ecosystem as an interconnected network rather than a collection of isolated protocols. While cross-chain bridges accounted for the largest share of incidents, significant attacks also affected DeFi protocols, liquidity providers, DEX aggregators, launchpads, BTCFi platforms and prediction markets. This breadth of targeting indicates that attackers are opportunistic and infrastructure-focused, seeking out systems that either concentrate value, control privileged permissions or facilitate the movement of assets across the ecosystem. As crypto infrastructure becomes more interconnected, vulnerabilities in any one component can have consequences that extend far beyond the directly affected protocol.

Looking ahead, the continued growth of cross-chain ecosystems, the increasing complexity of DeFi infrastructure and the rapid advancement of artificial intelligence are likely to reshape both attack and defence capabilities. As attackers gain access to more sophisticated tools for analysing protocols and identifying vulnerabilities, crypto organisations will need to invest not only in code security, but also in operational resilience, access management and continuous monitoring. The incidents of May 2026 suggest that the future of crypto security will be defined as much by the protection of trust relationships as by the protection of code itself.

All research content and accompanying reports are provided for informational purposes only and should not be relied upon as professional advice. Accessing these materials does not create any professional relationship or duty of care. Readers are encouraged to consult appropriately qualified professionals for guidance. We uphold the highest standards of accuracy in all the information we provide. For any questions or feedback, please contact us at contact@nominis.io.