Hinkal privacy protocol exploited for $820,000 as attacker transferred stolen funds through Tornado Cash



On July 3, 2026, attackers stole approximately $830,000 from Hinkal, an on-chain privacy protocol, and used mixing and bridge services to transfer the stolen cryptocurrency within hours of the exploit.

The hack exacerbates the difficulty of DeFi privacy infrastructure. According to data from DeFiLlamaHinkal only had a total value of $829,000 locked (TVL) across five blockchains at the time of the attack, so almost all assets owned by the protocol were removed.

The attacker extorts Hinkal through an unprovable deposit flaw

The attack was reported by blockchain security firm CertiK. The hacker was found to have been using an account owned by a third party, with address 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20, and executed a number of “transaction” calls after executing what CertiK described as an “unverified deposit” to one of Hinkal’s smart contracts. CertiK mentioned on X That the hacker managed to drain more than $800,000 from Hinkal.

We have detected suspicious transactions involving @hinkal_protocol. EOA 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20 conducted multiple “transaction” transactions after a “deposit without proof” to drain Hinkal’s contract worth approximately $800,000. Be vigilant!

Peak Shield stated The actual amount of cryptocurrency Hinkal lost was approximately $820,000 based on an analysis by Specter, an investigator on the chain.

The hacker moved quickly to hide the criminal activity. CertiK follow-up analysis It showed that the hacker was able to convert stolen USDC into Ethereum (ETH).

The hacker deposited 410 ETH (about $700,000) into Tornado Cash, a popular Ethereum mixer that is now under sanctions by the US government, and 44.67 ETH was mirrored from the Ethereum blockchain to the Bitcoin blockchain through Thorchain, ending at a Bitcoin address starting with bc1qr2sf, According to Peak Shield.

Using Tornado Cash and cross-chain bridges to convert USDC to Bitcoin is one of the patterns of money laundering that anti-fraud organizations have observed during other DeFi monetization hacks that have occurred over the past year.

A Published research article ACM Web Conference 2026 showed that sanctioned cryptocurrency mixers continue to provide anonymity to laundered funds despite mounting pressure from government regulators to stop doing so.

certec It was also mentioned in a research report that the use of Tornado Cash has changed since the US government imposed sanctions. However, the protocol is constantly used by hackers and criminals in the same way as it is used by law-abiding individuals who value their privacy, making it difficult for law enforcement and anti-money laundering organizations to identify criminal activity occurring within the decentralized privacy infrastructure.

What does Hinkal do?

Hinkal It describes itself as an enterprise-level privacy layer for cross-chain transactions. The protocol allows users to create protected addresses and carry out swaps, transfers and payments without revealing wallet balance details or who they are trading with, on a public blockchain network. The protocol runs on Ethereum, Arbitrum, Base, Polygon, and OP Mainnet.

The protocol has raised $5.5 million through seed and strategic funding rounds from the following investors: Draper Associates, Quantstamp, and NGC Ventures, according to DefiLlama. Hinkal announced the day before the hack that it had partnered with Turnkey, a wallet infrastructure provider, to offer privacy features to Turnkey users.

Exploit scans almost all TVLs of Hinkal

Compared to other DeFi attacks we’ve seen in the news, this attack resulted in the theft of a relatively small amount of funds ($820,000). However, when compared to the total value of the protocol ($829,000), losing such a large portion of the protocol’s total value means that users have essentially lost their deposits.

Additionally, this type of attack on a DeFi protocol that focuses on the privacy of its users raises serious questions about how secure DeFi protocols are when it comes to implementing security measures for their smart contracts that process confidential transactions for their customers.

Hinkal’s closest competitors by TVL are Tornado Cash ($440 million), Railgun ($77.5 million), and Privacy Pools ($7.8 million), per DefiLlama. At TVL before the exploit, Hinkal was sitting near the bottom of the Privacy Protocol rankings.

As of press time, Hinkal has not posted a public response to the exploit on its official X account or website.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *