Crypto Hackers Stole $68 Million In May — But The Attacks Getting No Headlines Are Far More Terrifying

Blockchain security firm CertiK recorded $68.3 million in total crypto losses across May 2026 — making it the third month of the year to fall below the $100 million threshold — but the headline number obscures a darker and more personal dimension to the sector’s security crisis, as physical attacks on crypto holders simultaneously reached a pace that no firewall can stop.

In a post on X, CertiK noted that May’s losses represented a dramatic contraction from April’s $650 million — a month dominated by two catastrophic North Korea-linked exploits. The $68.3 million figure includes approximately $2.6 million lost to phishing attacks, while roughly $9.4 million was recovered or returned to affected treasuries, per CertiK’s data.

The month’s largest single exploit was the $11.5 million Verus-Ethereum Bridge attack on May 18, followed by $10.1 million stolen from THORChain through a vault mechanism exploit. Cross-chain bridges accounted for nearly 42% of total May losses — approximately $28.6 million — while code vulnerabilities drove roughly $45 million, or about 66% of the total, per CertiK.

The On-Chain Losses Are Only Part Of The Picture

The more unsettling dimension of May’s security environment sits entirely off-chain. A report published May 21 by Insurance Journal, written by Suvashree Ghosh and Isabelle Lee and drawing directly on CertiK data, documents a year of kidnappings, assaults, and armed home invasions targeting cryptocurrency holders that has fundamentally reshaped how the industry approaches personal security.

Physical attacks on cryptocurrency holders rose 75% in 2025, reaching 72 confirmed incidents and $41 million in known losses, according to CertiK data cited in the Insurance Journal report. The firm’s separate Skynet intelligence report recorded 34 verified physical attacks — known in security circles as “wrench attacks,” where victims are coerced into surrendering private keys or wallet access through force or intimidation — within just the first four months of 2026 alone, with estimated losses already surpassing $100 million globally, per MEXC’s reporting of the CertiK findings.

Jameson Lopp, co-founder of Bitcoin custody firm Casa, maintains a public database of such incidents that has tracked a roughly threefold increase in known wrench attacks between 2023 and 2025, per the Insurance Journal report. The figure is widely considered understated — kidnappings and ransom demands are frequently resolved privately and never publicly disclosed.

The Threat Environment Is Evolving

The industry’s defensive response reflects the scale of the shift. According to Insurance Journal’s reporting, the Bitcoin 2026 conference in Las Vegas saw the highest-profile speakers move through the venue with personal bodyguards.

A standing-room-only workshop taught attendees how to protect their holdings during a home invasion. At Paris Blockchain Week, guests were escorted by police motorcade to a VIP dinner and organizers doubled security around the two-day event.

CertiK senior blockchain investigator Natalie Newson warned that AI is accelerating the threat environment — not only through AI-assisted social engineering campaigns already documented in April’s North Korea-linked attacks, but through the broader weaponization of generative tools against crypto developers and infrastructure providers. Her immediate guidance to users: verify every URL and smart contract before interacting, and move idle assets entirely off exchanges into cold storage.

Year-to-date through May, the nascent sector has recorded $1.1 billion in total losses across 185 tracked incidents, with North Korea-linked actors responsible for approximately $620.9 million — or 55% of all stolen value despite carrying out only 12% of incidents, per CertiK’s mid-month Skynet report. The on-chain losses are significant. The physical ones are harder to quantify and harder still to defend against — and the gap between the two threat vectors is narrowing faster than most of the industry has acknowledged.

Cover image from Grok, BTCUSD chart from Tradingview