LATEST NEWS
SELECTED FOR YOU

Hinkal privacy protocol exploited for $820,000 as attacker funnels stolen funds through Tornado Cash

ByMicah AbiodunMicah Abiodun
3 mins read
  • An attacker exploited Hinkal, a DeFi privacy protocol, for roughly $820,000 in USDC on July 3, 2026, draining nearly all of the protocol’s total value locked.
  • The stolen funds were converted to ETH and laundered through Tornado Cash and Thorchain.
  • The incident raises fresh concerns about smart contract security in privacy-focused DeFi at a time when the sector faces both regulatory headwinds and persistent exploit risk.

On July 3, 2026, attackers stole about $830,000 USDC from Hinkal, an on-chain privacy protocol, and used mixing and bridging services to move the stolen cryptocurrency within hours of the exploit.

The breach compounds a difficult stretch for DeFi privacy infrastructure. According to data from DeFiLlama, Hinkal had only $829,000 total value locked (TVL) across five blockchains at the time of the attack, so almost all assets owned by the protocol were removed.

Attacker drains Hinkal through proofless deposit flaw

The attack was flagged by blockchain security firm CertiK. It was found that the hacker was using an externally owned account, with address 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20, and executing a number of “Transact” calls after performing what CertiK termed a “proofless deposit” to one of Hinkal’s smart contracts. CertiK reported on X that the hacker was able to drain over $800,000 from Hinkal.

We have detected suspicious transactions involving @hinkal_protocol. The EOA 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20 conducted multiple “Transact” transactions following a “Proofless Deposit” to drain a Hinkal contract of ~$800K USDC. Stay Vigilant!

PeckShield stated that the actual amount of cryptocurrency lost by Hinkal was approximately $820,000 based on an analysis by Specter, an on-chain investigator.

The hacker moved quickly to hide the criminal activity. CertiK’s follow-up analysis showed that the hacker was able to convert the stolen USDC into Ethereum (ETH).

The hacker deposited 410 ETH (approximately $700,000) into Tornado Cash, the well-known Ethereum mixer that is now under sanction by the US government, and 44.67 ETH was reversed from the Ethereum blockchain to the Bitcoin blockchain through Thorchain, ending at a Bitcoin address that began with bc1qr2sf, according to PeckShield.

The use of Tornado Cash and cross-chain bridges to convert USDC into Bitcoin is a pattern of money laundering that has been observed by anti-fraud organizations during other DeFi monetization hacks that occurred over the past year.

A research article published at the ACM Web Conference 2026 demonstrated that sanctioned cryptocurrency mixers continue to provide anonymity for laundered funds despite increased pressure from governmental regulators to stop doing this.

CertiK has also stated in a research report that Tornado Cash usage has changed since sanctions were imposed by the US government. However, the protocol is continually used by hackers and criminals in the same manner that law-abiding individuals who value their privacy use them, making it difficult for law enforcement and anti-money laundering organizations to identify criminal activity taking place within decentralized privacy infrastructure.

What Hinkal does

Hinkal has branded itself as an institutional-grade privacy layer for on-chain transactions. The protocol allow users to create shielded addresses and execute swaps, transfers, and payments without revealing the details of the wallet’s balance or who they are making trades with, on a public blockchain. The protocol works on Ethereum, Arbitrum, Base, Polygon, and OP Mainnet.

The protocol raised $5.5 million through seed & strategic fundraising rounds from the following investors: Draper Associates, Quantstamp, and NGC Ventures, according to DefiLlama. Hinkal announced on the day before the hack that they had entered into a partnership with Turnkey, a provider of wallet infrastructure, to offer Turnkey users privacy features.

Exploit wipes out nearly all Hinkal’s TVL

Compared to other DeFi type attacks we’ve seen in the news, this attack resulted in a relatively small amount of funds stolen ($820,000). However, when compared to the overall value of the protocol ($829,000), the loss of such a large portion of the total value of the protocol means that users have essentially lost their deposits.

Additionally, this type of attack on a DeFi protocol focused on the privacy of their users raises serious questions about how secure these DeFi protocols are when it comes to implementing security measures for their smart contracts that process confidential transactions for their customers.

Hinkal’s closest competitors by TVL include Tornado Cash ($440 million), Railgun ($77.5 million), and Privacy Pools ($7.8 million), per DefiLlama. At its pre-exploit TVL, Hinkal sat near the bottom of the privacy protocol rankings.

As of publication, Hinkal had not posted a public response to the exploit on its official X account or website.

 

 

The smartest crypto minds already read our newsletter. Want in? Join them.

FAQs

What is Hinkal and what was stolen?

Hinkal is a privacy protocol that lets users make confidential on-chain transactions across Ethereum and four other networks. An attacker drained approximately $820,000 in USDC from its smart contracts on July 3, 2026.

How did the attacker launder the stolen funds?

The attacker swapped the stolen USDC for ETH, deposited 410 ETH (around $700,000) into Tornado Cash, and bridged another 44.67 ETH from Ethereum to Bitcoin via Thorchain, according to CertiK and PeckShield.

How much of Hinkal's funds were affected?

Hinkal held approximately $829,000 in total value locked at the time of the exploit, according to DefiLlama, meaning the attack drained nearly the protocol's entire asset base.

Share this article

Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.

Micah Abiodun

Micah Abiodun

Micah Abiodun makes good use of his Environmental Engineering and Management (MSc) at Tallinn University of Technology (TalTech) to polish content and price prediction news at Cryptopolitan. Now on his 7th year in the crypto media space, he covers major cryptos, altcoins, DeFi, stablecoins, macro trends, and emerging tech.​​​​​​​​​​​​​​

MORE … NEWS
DEEP CRYPTO
CRASH COURSE