Friday, July 3, 2026

Hinkal Protocol Drained of $820K in Automated Exploit

Cyberpunk-style header of Hinkal breach with funds draining through Tornado Cash and THORChain, neon glow.

Privacy-focused protocol Hinkal was exploited on July 3, 2026, in a rapid USDC drain flagged by CertiK and PeckShield-linked alerts. CertiK Alert identified suspicious activity involving the externally owned account 0xbB3f01a1b1C68F3DEB36C55342b5F5706c32fc20, which it said executed multiple “Transact” transactions after a “Proofless Deposit” to drain a Hinkal contract of about $800,000 USDC.

The loss was later tracked at approximately $820,000, with PeckShieldAlert citing Specter’s report on the exploit. Public tracing also identifies the affected Hinkal contract as 0x25e5e82f5702a27c3466fe68f14abdbbadfca826, while the attacker account matches the address highlighted in CertiK’s alert.

Exploit Pattern Points to a Scripted Drain

The exploit appears to have centered on a “proofless deposit” sequence, a label used by CertiK to describe the suspicious entry point. On-chain reconstruction shows repeated 25,000 USDC withdrawals from the Hinkal contract to the attacker, clustered across Ethereum blocks 25448345 to 25448348 after earlier setup activity.

The repeated withdrawal size and compressed timing suggest an automated exploit loop rather than manual transfers. At least 22 separate 25,000 USDC withdrawals were identified in one reconstruction, while earlier reports highlighted at least 14 identical withdrawals executed in under a minute.

Funds Routed Through Tornado Cash and Bitcoin

After the drain, the stolen USDC was converted into Ether, with 410 ETH deposited into Tornado Cash in 14 deposits. PeckShieldAlert also tracked 44.7 ETH bridged from Ethereum to Bitcoin through THORChain, while deeper transaction tracing identified the Bitcoin destination as bc1qr2sfkehuqgr0sp87sp25uzw79242523l26zn3w.

Hinkal acknowledged reports of abnormal USDC activity on Ethereum and other chains, saying it had frozen affected contracts as a precaution while its engineering team investigated the on-chain activity. That response confirms awareness and mitigation steps, but it does not yet amount to a full technical post-mortem.

The most important unresolved issue remains the classification of the drained funds. Available alerts and public tracing identify USDC leaving a Hinkal contract, but they do not conclusively establish whether the losses came from user funds, integrator balances, protocol-owned liquidity or some combination of those categories.

Until Hinkal releases a formal incident report, the root cause and affected-party exposure remain open questions. What is already clear is that the exploit moved quickly from a suspected proof-verification failure into a laundering path that used Tornado Cash, THORChain and a final Bitcoin address within a compressed response window.

Scroll to Top
Chain Report
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.