Hinkal Protocol Loses Nearly All TVL in $830K USDC Attack

  • The Hinkal breach removed almost every dollar held across its five supported chains.
  • CertiK traced the exploit to a proofless deposit followed by repeated Transact calls.
  • The attacker routed stolen funds through Tornado Cash and Thorchain within hours.

On July 3, 2026, an attacker breached Hinkal, stole about $830,000 in USDC, and within hours routed the funds through mixing and cross-chain services. The theft removed nearly all value held by the privacy protocol, which had about $829,000 in total value locked, according to DeFiLlama.

CertiK Traces Attack to a Proofless Deposit

Blockchain security firm CertiK first flagged the attack and linked it to an externally owned account at 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20. The account interacted with one of Hinkal’s smart contracts. CertiK said the attacker made what it called a “proofless deposit” before executing several “Transact” calls. Those transactions allowed the account to drain more than $800,000 from Hinkal.

PeckShield later cited analysis from on-chain investigator Specter, which placed the loss near $820,000. Although the estimates differed slightly, both reports showed that the attack removed almost all protocol funds.

CertiK’s follow-up review found that the hacker converted the stolen USDC into Ether. The conversion allowed the attacker to move the assets through services supporting private and cross-chain transactions.

Hacker Moves Funds Through Tornado Cash

CertiK reported that the attacker deposited 410 ETH, worth about $700,000, into Tornado Cash. The Ethereum mixer remains under sanctions imposed by the United States government. PeckShield said another 44.67 ETH moved from Ethereum to Bitcoin through Thorchain. The funds reached a Bitcoin address beginning with bc1qr2sf, according to the security firm.

The transfers followed laundering methods that anti-fraud organizations have observed after other DeFi attacks during the past year. These methods include stablecoin conversions, cryptocurrency mixers, and cross-chain bridges.

A research article presented at the ACM Web Conference 2026 found that sanctioned mixers still provide anonymity for laundered assets despite stronger regulatory pressure. CertiK has also documented changes in Tornado Cash activity since United States sanctions began. The firm said hackers continue using the protocol alongside lawful users who seek transaction privacy.

CertiK reported that this shared use makes criminal activity harder for law enforcement and anti-money laundering organizations to identify within decentralized privacy systems. Can privacy protocols protect confidential transactions while preventing attackers from using the same infrastructure to conceal stolen assets?

Exploit Nearly Erases Hinkal’s TVL

Hinkal describes itself as an institutional-grade privacy layer for on-chain activity. It offers shielded addresses for swaps, transfers, and payments without publicly exposing wallet balances or trading counterparties.

The protocol operates on Ethereum, Arbitrum, Base, Polygon, and OP Mainnet. DeFiLlama reported that Hinkal held about $829,000 across those five blockchains when the attack occurred. Hinkal raised $5.5 million through seed and strategic funding rounds backed by Draper Associates, Quantstamp, and NGC Ventures, according to DeFiLlama.

One day before the breach, Hinkal announced a partnership with wallet infrastructure provider Turnkey. The agreement aimed to give Turnkey users access to Hinkal’s privacy features.

DeFiLlama listed Tornado Cash with $440 million in TVL, Railgun with $77.5 million, and Privacy Pools with $7.8 million. Hinkal ranked near the bottom of privacy protocols before the attack. Although the dollar loss was smaller than in many DeFi attacks, it almost matched Hinkal’s entire reported TVL. As of publication, Hinkal had not responded through its official X account or website.
