Privacy-focused protocol Hinkal was exploited on July 3, 2026, in a rapid USDC drain flagged by CertiK and PeckShield-linked alerts. CertiK Alert identified suspicious activity involving the externally owned account 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20, which it said executed multiple “Transact” transactions after a “Proofless Deposit” to drain a Hinkal contract of about $800,000 USDC.
The loss was later tracked at approximately $820,000, with PeckShieldAlert citing Specter’s report on the exploit. Public tracing also identifies the affected Hinkal contract as 0x25e5e82f5702a27c3466fe68f14abdbbadfca826, while the attacker account matches the address highlighted in CertiK’s alert.
We have detected suspicious transactions involving @hinkal_protocol.
The EOA 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20 conducted multiple "Transact" transactions following a "Proofless Deposit" to drain a Hinkal contract of ~$800K USDC.
Stay Vigilant! pic.twitter.com/oUfyb0nKY3
— CertiK Alert (@CertiKAlert) July 3, 2026
Exploit Pattern Points to a Scripted Drain
The exploit appears to have centered on a “proofless deposit” sequence, a label used by CertiK to describe the suspicious entry point. On-chain reconstruction shows repeated 25,000 USDC withdrawals from the Hinkal contract to the attacker, clustered across Ethereum blocks 25448345 to 25448348 after earlier setup activity.
#PeckShieldAlert Specter has reported that @hinkal_protocol was exploited for ~$820K.
The exploiter deposited 410 $ETH (~$700K) into #TornadoCash and bridged 44.7 $ETH from Ethereum to Bitcoin bc1qr2sf…zn3w via #Thorchain pic.twitter.com/XHt6lQuPlU
— PeckShieldAlert (@PeckShieldAlert) July 3, 2026
The repeated withdrawal size and compressed timing suggest an automated exploit loop rather than manual transfers. At least 22 separate 25,000 USDC withdrawals were identified in one reconstruction, while earlier reports highlighted at least 14 identical withdrawals executed in under a minute.
Funds Routed Through Tornado Cash and Bitcoin
After the drain, the stolen USDC was converted into Ether, with 410 ETH deposited into Tornado Cash in 14 deposits. PeckShieldAlert also tracked 44.7 ETH bridged from Ethereum to Bitcoin through THORChain, while deeper transaction tracing identified the Bitcoin destination as bc1qr2sfkehuqgr0sp87sp25uzw79242523l26zn3w.
We are aware of reports regarding unusual activity involving USDC on Ethereum within Hinkal. No other chains are affected.
As a precautionary measure, the affected contracts have been paused while our engineering team investigates and analyzes the on-chain activity in full.
The…
— hinkal (@hinkal_protocol) July 3, 2026
Hinkal acknowledged reports of abnormal USDC activity on Ethereum and other chains, saying it had frozen affected contracts as a precaution while its engineering team investigated the on-chain activity. That response confirms awareness and mitigation steps, but it does not yet amount to a full technical post-mortem.
Update on the security incident:
The incident was isolated to a single smart contract on Ethereum. Deployments on all other chains were not affected.
As a precaution, all smart contracts remain paused while the investigation continues.
The team has identified a preliminary…
— hinkal (@hinkal_protocol) July 3, 2026
The most important unresolved issue remains the classification of the drained funds. Available alerts and public tracing identify USDC leaving a Hinkal contract, but they do not conclusively establish whether the losses came from user funds, integrator balances, protocol-owned liquidity or some combination of those categories.
Until Hinkal releases a formal incident report, the root cause and affected-party exposure remain open questions. What is already clear is that the exploit moved quickly from a suspected proof-verification failure into a laundering path that used Tornado Cash, THORChain and a final Bitcoin address within a compressed response window.
