On July 3, 2026, Hinkal — an on-chain privacy protocol for confidential stablecoin transfers — was drained of approximately $820,000 in USDC, close to its entire total value locked, with the proceeds laundered through Tornado Cash and THORChain within hours of the exploit.
What happened
Hinkal offers shielded, confidential transactions across five EVM networks — Ethereum, Arbitrum, Base, Polygon and Optimism. On July 3, an attacker extracted roughly $820,000 in USDC from Hinkal's contracts — nearly all of the approximately $829,000 in total value locked the protocol held across those chains, according to DefiLlama. Security firms CertiK and PeckShield flagged the drain on-chain, but no confirmed root cause or technical post-mortem had been published: the entry point could be a protocol-level flaw, a compromised key, malicious token approvals, or a front-end/infrastructure compromise. What is documented is the money trail — the attacker swapped the stolen USDC for ETH, deposited 410 ETH (around $700,000) into Tornado Cash, and bridged a further 44.67 ETH from Ethereum to Bitcoin via THORChain.
Aftermath
The laundering followed a standard obfuscation playbook: consolidate into ETH, break the trail through a mixer, then cross-chain the remainder into Bitcoin. At publication, no funds had been recovered, no attacker had been identified, and no official protocol post-mortem had been released. The incident is therefore recorded as a loss with an unconfirmed root cause — a status that itself matters, because small protocols frequently lack the audited breakdown that would let users judge whether the flaw was code, keys, or interface.
Why it matters
There is a sharp irony in a privacy protocol being drained and then laundered through privacy rails — the same mixing infrastructure Hinkal's users relied on for legitimate confidentiality became the attacker's escape route. The near-total-TVL wipe mirrors the existential risk faced by other confidentiality-focused projects such as Secret Network, and the Tornado Cash-plus-cross-chain-to-Bitcoin route is the same laundering pattern seen after larger thefts like KelpDAO. For a thinly-capitalised protocol, a single successful drain is not a dent — it is effectively the whole treasury, and without a published post-mortem, the broader lesson stays locked until the cause is confirmed.
Sources & on-chain evidence
- [01]cryptopolitan.comhttps://www.cryptopolitan.com/hinkal-privacy-protocol-exploited-for-820000-as-attacker-funnels-stolen-funds-through-tornado-cash/
- [02]cryptoadventure.comhttps://cryptoadventure.com/hinkal-reported-exploited-for-820k-as-funds-move-to-tornado-cash-and-bitcoin/