Attackers drained about $830,000 in USDC from Hinkal on July 3, nearly matching the privacy protocol’s total value locked across five blockchains. Blockchain security firm CertiK linked the exploit to an externally owned account that made repeated ‘Transact’ calls after completing a ‘proofless deposit.’ DeFiLlama placed Hinkal’s total value locked at about $829,000 before the attack.
CertiK identified the wallet as 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20 and said it removed more than $800,000 from a Hinkal smart contract. Meanwhile, PeckShield cited analysis from on-chain investigator Specter and placed the total cryptocurrency loss near $820,000, slightly below CertiK’s estimate.
After the theft, the attacker converted the stolen USDC into Ether and quickly transferred the funds through privacy and cross-chain services. CertiK said the wallet deposited 410 ETH, worth about $700,000, into Tornado Cash, an Ethereum mixer under United States sanctions.
Separately, PeckShield reported that the attacker sent 44.67 ETH through Thorchain and converted it into Bitcoin. The funds reached an address beginning with bc1qr2sf. The transfers followed a laundering method that anti-fraud groups have observed after other DeFi exploits. Attackers often combine mixers and bridges to conceal transaction routes.
A research article presented at the ACM Web Conference 2026 found that sanctioned cryptocurrency mixers still provide anonymity despite growing pressure from government regulators.
CertiK has also reported that both criminals and legitimate privacy-focused users continue using Tornado Cash. This overlap complicates efforts to separate illicit transactions from legitimate activity.
Hinkal markets an institutional-grade privacy layer that lets users create shielded addresses and conduct swaps, transfers, and payments without exposing balances or trading counterparties. The protocol operates across Ethereum, Arbitrum, Base, Polygon, and OP Mainnet. These networks allow Hinkal to offer privacy tools across several major blockchain ecosystems.
Hinkal raised $5.5 million through seed and strategic funding rounds involving Draper Associates, Quantstamp, and NGC Ventures, according to DeFiLlama. One day before the exploit, Hinkal announced a partnership with wallet infrastructure provider Turnkey. The companies planned to provide privacy features to Turnkey users.
The attack occurred while Hinkal ranked near the lower end of privacy protocols by TVL. DeFiLlama listed Tornado Cash at $440 million and Railgun at $77.5 million. Privacy Pools held about $7.8 million, while Hinkal held about $829,000 before the exploit removed nearly all value associated with the protocol.
The Hinkal exploit drained about $830,000 in USDC, nearly matching the protocol’s total locked value. The attacker converted the funds into ETH and routed them through Tornado Cash and Thorchain. Users should monitor official updates and review the risks linked to privacy-focused DeFi platforms.