Crypto Bridge Exploits Hit $328.6M in May as Peckshield Tracks 8 Major Incidents

Crypto’s Worst Year for Cross-Chain Hacks

Blockchain information and information analytics steadfast Peckshield released a mid-May tally of eight bridge-related exploits that collectively drained $328.6 cardinal from cross-chain protocols truthful acold this year. The fig adds to what has go the worst play connected grounds for decentralized finance ( DeFi) portion simultaneously exposing a systemic vulnerability that the manufacture has yet to resoluteness fully.

Eight large exploits that person already happened done the archetypal fractional of May, per Peckshield

Cross-chain bridges enactment by locking tokens connected 1 blockchain and minting equivalent assets connected another, creating high-value onslaught surfaces wherever exploiters request lone compromise the bridge’s verification mechanics to summation entree to pooled liquidity. The structural hazard became undeniable successful April 2026, arsenic crypto’s most-hacked month connected record, with 30 abstracted incidents, a gait of astir 1 onslaught per day.

Two of the largest attacks came successful accelerated succession that month. KelpDAO’s Layerzero V2 rsETH way was exploited for astir $300 cardinal connected April 18, with an attacker extracting 116,500 rsETH from Ethereum’s OFT adapter without burning tokens connected the root chain. A reappraisal by Chainalysis recovered that Layerzero had acceptable a debased 1-1 RPC quorum default, meaning a azygous poisoned node could authorize fraudulent cross-chain messages. KelpDAO subsequently migrated to Chainlink’s Cross-Chain Token standard, publically blaming Layerzero for the infrastructure failure.

Days later, Drift Protocol suffered a $200 million-plus exploit connected its Solana-based infrastructure. A CertiK expert noted that the incidents reflected a high-stakes shift successful cross-chain cybercrime strategy, with attackers increasing much blase successful however they place and exploit span verification weaknesses.

Death by a Thousand Cuts

Smaller incidents person poured successful the months earlier and adjacent since, with IoTeX’s span being deed for astir $2 cardinal successful February done a private key exploit. Subsequently, TAC Protocol mislaid $2.8 cardinal successful aboriginal May successful what was aboriginal classified arsenic a achromatic chapeau incidental aft the hacker claimed a 10% bounty.

Transit Finance, a cross-chain aggregation protocol, was drained of $1.88 cardinal connected May 13 and astir recently, the Verus-Ethereum span mislaid astir $11.5 million, with the attacker’s wallet traced to a Tornado Cash seed.

Peckshield information had already shown full hack losses reaching $112.5 cardinal successful the archetypal 2 months of 2026 unsocial earlier April’s surge pushed cumulative losses beyond $750 cardinal done mid-April. With May’s incidents adding to that figure, 2026 is connected people to eclipse erstwhile records for DeFi losses.