Hinkal Exploited for $820,000 as Hacker Funnels Stolen Funds through Tornado Cash
Hinkal, an on-chain privacy protocol, was exploited for approximately $820,000 in USDC. The attack occurred on July 3, 2026, and was flagged by blockchain security firm CertiK.
The hacker used an externally owned account to execute a 'proofless deposit' into one of Hinkal's smart contracts, allowing them to drain over $800,000 from the protocol. PeckShield reported that the actual amount lost by Hinkal was around $820,000 based on analysis by Specter.
The hacker quickly moved to hide their tracks, converting the stolen USDC into Ethereum (ETH) and depositing it into Tornado Cash, a sanctioned Ethereum mixer. Additionally, 44.67 ETH was reversed from the Ethereum blockchain to the Bitcoin blockchain through Thorchain.




