Hinkal Protocol Exploit Drains $820K as Funds Move Through Tornado Cash
Cryptocurrency trading is speculative and your capital is at risk when you trade. We may earn affiliate commissions from some of the products on this page - at no extra cost to you.

Highlights:
- Hinkal Protocol lost about $820,000 after rapid USDC withdrawals.
- The attacker moved 410 ETH into Tornado Cash and 44.6747 ETH through THORChain.
- Affected contracts remain frozen as Hinkal investigates the transaction path.
Hinkal Protocol has been reportedly exploited for $820,000 after suspicious withdrawals of USDC from its Ethereum contracts. The privacy-focused DeFi protocol confirmed unusual activity and suspended certain contracts, while its engineers reviewed the transactions.
The initial alert came from on-chain analyst Specter, who tracked down the attack wallet and early related fund transfers. Shortly after, CertiK, PeckShield, and GoPlus Security issued similar publicly posted warnings, resulting in swift coverage of the incident within minutes.
On-chain data suggest a fast, automated withdrawal pattern. According to the security alerts, the wallet first made a “proofless deposit” into a Hinkal pool contract. After that interaction, the wallet triggered several “Transact” calls before it began receiving USDC.
Moreover, blockchain records showed at least 14 withdrawals of exactly 25,000 USDC. The transfers happened across three Ethereum blocks, and the drain finished in under one minute. The repeated size pointed to an automated loop rather than manual withdrawals.
#PeckShieldAlert Specter has reported that @hinkal_protocol was exploited for ~$820K.
The exploiter deposited 410 $ETH (~$700K) into #TornadoCash and bridged 44.7 $ETH from Ethereum to Bitcoin bc1qr2sf…zn3w via #Thorchain pic.twitter.com/XHt6lQuPlU
— PeckShieldAlert (@PeckShieldAlert) July 3, 2026
Stolen Funds Move Through Mixers and Bridges
The attacker quickly converted stolen USDC into ETH. Before that movement, the wallet received two small ETH transfers for gas. That step helped the address pay transaction fees before the laundering sequence started. At least 410 ETH was then deposited into the Tornado Cash wallet. The deposits involved split transfers of several 10 ETH transfers and three 100 ETH transfers. That mixer leg covered about $700,000, according to Specter and PeckShield.
However, the attacker did not stop with Tornado Cash. The wallet used the THORChain router to transfer 44.6747 ETH approximately 35 minutes after the final mixer deposit. These funds were then transferred from Ethereum to native Bitcoin. The cross-chain move made recovery efforts more difficult. Bitcoin movement changes the trail, but USDC issuers can freeze some stablecoin balances on Ethereum. Therefore, investigators have to track activity across multiple networks and privacy tools.
The total movement reached more than 454 ETH, matching the reported loss range near $820,000. CertiK said the attacker used multiple “Transact” calls after the proofless deposit, pending a root-cause report.
Meanwhile, Hinkal shared a statement on X noting that it had noticed unusual USDC activity across Ethereum. The team also said it froze affected contracts while engineers reviewed the transactions. It added that verified updates would follow after the review.
We are aware of reports regarding unusual activity involving USDC on Ethereum and other chains within Hinkal.
As a precautionary measure, the affected contracts have been frozen while our engineering team investigates and analyzes the on-chain activity in full.
The…
— hinkal (@hinkal_protocol) July 3, 2026
Hinkal Protocol Faces Scrutiny After Privacy Breach
Hinkal built its name around shielded transactions and compliant privacy tools. The project offers private swaps, transfers, and payments across Ethereum, Arbitrum, Base, Polygon, and OP Mainnet. The breach therefore carries extra weight for the protocol’s market position. Hinkal has promoted screening tools at the deposit layer, including Chainalysis KYT checks. However, the attacker moved funds into Tornado Cash, a mixer that Hinkal contrasts with its own compliance-focused model.
Hinkal Protocol recently powered private stablecoin transfers inside the Polygon wallet. The protocol also announced a Turnkey partnership shortly before the attack, targeting privacy features for wallet infrastructure users.
According to data from DefiLlama, Hinkal’s total value locked was $829,000 before the incident. As a result, the exploit removed nearly all tracked liquidity from the project. Meanwhile, the case adds another mark to a difficult year for DeFi security. Crypto2Community reported that June alone saw about $75.87 million lost across 40 major crypto hacks.
Best Crypto Exchange
- Over 90 top cryptos to trade
- Regulated by top-tier entities
- User-friendly trading app
- 30+ million users
eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong.







