Tag: privacy protocol

  • Hinkal Protocol Drained of $830K in Proofless Deposit Exploit; Stolen Funds Laundered Through Tornado Cash and Thorchain

    On July 3, attackers exploited Hinkal, a privacy-focused DeFi protocol, draining approximately $830,000 in USDC — nearly the entire total value locked (TVL) across the five blockchains it supports. Blockchain security firm CertiK traced the breach to an externally owned account that repeatedly executed ‘Transact’ calls after completing a ‘proofless deposit.’ According to DeFiLlama, Hinkal’s TVL stood at roughly $829,000 just before the attack.

    How the Exploit Worked

    CertiK identified the attacker’s wallet as 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20 and reported that it siphoned over $800,000 from a Hinkal smart contract. Meanwhile, PeckShield, citing on-chain investigator Specter, placed the total loss near $820,000 — slightly lower than CertiK’s estimate. The exploit leveraged a vulnerability in Hinkal’s deposit mechanism, allowing the hacker to withdraw funds without providing the required proof.

    Laundering the Stolen Crypto

    After the theft, the attacker converted the stolen USDC into Ether and quickly moved the funds through privacy tools and cross-chain bridges. CertiK noted that the wallet deposited 410 ETH (worth about $700,000) into Tornado Cash, an Ethereum mixer currently under U.S. sanctions. Separately, PeckShield reported that the attacker sent 44.67 ETH through Thorchain, converting it into Bitcoin, which eventually reached an address beginning with bc1qr2sf. This laundering pattern — combining sanctioned mixers with decentralized bridges — is commonly observed in DeFi exploits.

    A research article presented at the ACM Web Conference 2026 found that sanctioned cryptocurrency mixers still provide effective anonymity despite increased regulatory pressure. CertiK has also noted that both criminals and legitimate privacy-conscious users continue to use Tornado Cash, complicating efforts to distinguish illicit transactions from lawful ones.

    Impact on Hinkal’s Institutional Privacy Model

    Hinkal markets itself as an institutional-grade privacy layer, enabling users to create shielded addresses and perform swaps, transfers, and payments without exposing balances or counterparties. The protocol operates on Ethereum, Arbitrum, Base, Polygon, and OP Mainnet. It raised $5.5 million in seed and strategic funding from investors including Draper Associates, Quantstamp, and NGC Ventures. Just one day before the exploit, Hinkal announced a partnership with wallet infrastructure provider Turnkey to bring privacy features to Turnkey users.

    At the time of the attack, Hinkal ranked near the bottom of privacy protocols by TVL. DeFiLlama listed Tornado Cash at $440 million, Railgun at $77.5 million, and Privacy Pools at about $7.8 million — while Hinkal held just $829,000 before the exploit drained nearly all of it.

    What’s Next

    The Hinkal exploit removed roughly $830,000 in USDC, nearly matching the protocol’s total locked value. Users are advised to monitor official updates from Hinkal and carefully assess the risks associated with privacy-focused DeFi platforms.