April had Lazarus. May had something worse: ordinary attackers exploiting ordinary failures, draining $51.9M from 28 protocols across 13 chains in 31 days. No sophisticated social engineering. No months-long infiltration campaigns. Just code that shouldn’t have shipped, keys that shouldn’t have had unilateral authority, and bridges that accepted whatever they were given.
The baseline rate of loss from routine attacks is now holding above $50M per month. YTD losses through May: $847.6M.
Four bridge incidents. $28.2M drained. 54% of all May losses from a single attack category.
THORChain lost $10.7M on May 15 when a malicious node spent two days in routine signing ceremonies, exploiting a GG20 cryptographic library that hadn’t been patched since CVE-2023-33241 was published in 2023. The attacker reconstructed the vault’s full private key offline and swept 10 chains simultaneously. Verus Bridge lost $11.5M two days later when its cross-chain proof verification accepted a forged payload as legitimate collateral. Adshares fell to the identical bypass the day before for $628K. Same root cause, 24 hours apart, $12.1M combined.
Gravity Bridge closed the month with $5.4M lost to denom-to-ERC20 mapping poisoning: the attacker minted free Osmosis tokenfactory tokens, convinced Gravity’s validators to map them to real USDC, USDT, WETH, and PAXG contracts, then withdrew real custody assets at zero principal cost.
Six private key compromises totaling $5.4M. Not a single one required breaking cryptography. StablR had no multisig. Polymarket lost an operator key. Unprotected keys with unilateral authority over protocol funds: a pattern that keeps producing the same results.
New Market Trading lost $3.78M to a confused deputy flaw in a Gnosis Safe module that had been live and exploitable for three months. One missing require(msg.sender == delegate) check. 88 user Safes drained in under 15 minutes.
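The missing caller check described above, sketched as an added Solidity example that is not New Market Trading's code. The contract and its names (DelegatedTransferModule, delegateOf, setDelegate, transferUnchecked, transfer) are hypothetical; only execTransactionFromModule is the real Safe module entry point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal view of the Safe entry point that enabled modules call.
// The enum Operation is ABI-encoded as uint8 (0 = CALL).
interface ISafe {
    function execTransactionFromModule(
        address to,
        uint256 value,
        bytes calldata data,
        uint8 operation
    ) external returns (bool success);
}

// Hypothetical module, constructed for illustration. Every Safe that enables
// it registers one delegate who may move ETH out of that Safe.
contract DelegatedTransferModule {
    mapping(address => address) public delegateOf; // safe => delegate

    // Called through the Safe itself, so msg.sender is the Safe and only its
    // owners can choose the delegate.
    function setDelegate(address delegate) external {
        delegateOf[msg.sender] = delegate;
    }

    // VULNERABLE: the Safe trusts the module, but the module never asks who
    // is calling it. Any account can name any Safe that enabled this module,
    // and the module spends with that Safe's authority (confused deputy).
    function transferUnchecked(ISafe safe, address to, uint256 amount) external {
        require(safe.execTransactionFromModule(to, amount, "", 0), "exec failed");
    }

    // HARDENED: bind the caller to the delegate registered for this Safe
    // before the module uses the Safe's authority.
    function transfer(ISafe safe, address to, uint256 amount) external {
        address delegate = delegateOf[address(safe)];
        require(delegate != address(0), "no delegate set");
        require(msg.sender == delegate, "caller is not delegate");
        require(safe.execTransactionFromModule(to, amount, "", 0), "exec failed");
    }
}
```

A module is shared by every Safe that enables it, so a review of any function that reaches execTransactionFromModule should confirm the caller is tied to the specific Safe passed in, not just to the module.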
TrustedVolumes lost $5.87M in a single transaction through three chained authorization bugs in a 1inch RFQ proxy: permissionless signer registration, broken replay protection, and a caller-controlled inventory address passed directly to transferFrom.
May 2026 didn’t produce a novel attack class. It produced the same three: bridge infrastructure failures, protocol logic bugs, and unprotected keys. Across 28 protocols. In 31 days. The attackers aren’t getting more sophisticated. The industry just keeps giving them the same openings.
$51.9 Million Stolen in May 2026. Bridges Bled. Keys Leaked. Code Broke. was originally published in Coinmonks on Medium.

