The Verus bridge exploit is the 13th DeFi protocol to be hit in May 2026, pushing collective losses for the month past $20 million before the month is even complete. The pace of incidents reflects a broader pattern of sustained attack activity that has made 2026 a difficult year for DeFi security across the board. May's losses are building on the back of an April that set the year's benchmark for single-month damage, with protocols losing more than $606 million across 12 incidents. The KelpDAO bridge drain alone accounted for $292 million of that total, making it the largest single hack of 2026 so far and one of the most damaging individual DeFi exploits in recent memory.

The nature of the attacks is also evolving in ways that make them harder to prevent through conventional security measures. Rather than straightforward smart contract bugs, many of the most damaging recent incidents have involved bridge vulnerabilities, vault key compromises, and infrastructure-level weaknesses that require deep technical infiltration rather than simple code exploits. THORChain's recent breach involved a gradual leak of vault key material through a compromised threshold signature scheme, while the Verus attacker pre-positioned funds through a privacy tool hours before executing the drain. These patterns point to increasingly deliberate and methodical approaches to targeting DeFi infrastructure, and they raise serious questions about whether the industry's current security practices are keeping pace with the sophistication of the threats it faces.