Privacy infrastructure protocol Hinkal, the zero-knowledge settlement layer recently integrated into the Polygon wallet for shielded stablecoin transfers, has suffered a security breach estimated at around $820,000, with the attacker laundering the proceeds through Tornado Cash and THORChain at a pace that left almost no window for intervention.
The alarm was first raised by pseudonymous on-chain investigator Specter, who flagged the exploit and traced attacker-linked funds moving into laundering channels within the hour.
Blockchain security firm CertiK followed through on its alert system, publishing multiple warnings tracing suspicious outflows from the protocol’s contracts. At the same time, PeckShield and GoPlus Security issued their own alerts corroborating the fund movements. This rare four-firm pile-on underscores how quickly the laundering unfolded. Hinkal acknowledged the incident shortly after, confirming the team is aware of the activity.
A drain in identical 25,000 USDC tranches
On-chain records show the mechanics of the extraction. The attacker’s wallet, beginning 0xbB3f01a1 and ending 06c32fc20, first interacted with Hinkal’s pool contract (0x25e5e82f…bAdFca826) through a transaction labeled “Proofless Deposit” at block 25448306 on Ethereum.
What followed was a machine-like sequence. Across blocks 25448345 to 25448347, the Hinkal contract pushed out a rapid string of outbound USDC transfers to the attacker’s address, each for exactly 25,000 USDC, with at least 14 such transfers within the span of three blocks, or under a minute of chain time.
The uniform sizing and compressed timing point to a scripted exploit loop rather than manual withdrawals, a pattern that suggests the attacker found a way to withdraw repeatedly against a single deposit whose validity the contract failed to properly verify.
It should be stressed that none of the security firms has published a technical breakdown of the root cause yet. Until Hinkal or an independent auditor releases a full post-mortem, the possibilities range from a protocol-level proof verification flaw to compromised keys or malicious approvals, and the incident is best characterized as a reported exploit backed by a consistent on-chain trail.
The laundering playbook: Tornado first, THORChain second
After converting the stolen stablecoins into Ether, the attacker wasted no time. Etherscan data shows the wallet was seeded with two small incoming transfers of roughly 0.049 ETH and 0.040 ETH for gas, a classic pre-funding step, before the laundering began.
Between blocks 25448486 and 25448510, a window of roughly four minutes, the exploiter fired off at least 14 deposits into Tornado Cash: eleven deposits of 10 ETH and three deposits of 100 ETH, totaling a minimum of 410 ETH, worth approximately $700,000 per Specter’s tracking. Each deposit costs under $5 in fees, with transaction fees ranging between 0.0028 and 0.0029 ETH.
Then came the cross-chain leg. Roughly 35 minutes after the last Tornado deposit, at block 25448683, the wallet sent 44.6747 ETH to the THORChain router in a single “Deposit With” transaction.
The trail did not stop at the router: the ETH was swapped into native Bitcoin via THORChain, exiting the Ethereum ecosystem entirely. That final hop matters because it moves a slice of the proceeds beyond the reach of Ethereum-native freezing tools and any USDC blacklisting by Circle, leaving investigators to pursue the funds across two separate chains.
Combined, that is more than 454 ETH moved beyond easy traceability, bringing the total reported loss to approximately $820,000.
The split-denomination Tornado deposits, followed by a THORChain exit, mirror the laundering structure seen in this year’s largest incidents. THORChain was the primary off-ramp for the North Korea-linked KelpDAO bridge exploit, which drained $292 million in April, while structured 10 and 100 ETH Tornado batches have become the default first move for exploiters, as The Crypto Times documented in the KyberSwap attacker’s recent laundering run.
An uncomfortable irony for a privacy protocol
The breach carries a particular sting for Hinkal, a protocol whose entire pitch is compliant privacy. The project, backed by Draper Associates and others, runs Chainalysis KYT screening at the deposit layer specifically to block tainted wallets from entering its shielded pools, and in May it powered the launch of private USDC and USDT transfers inside the Polygon wallet, a flagship integration aimed at institutional payment flows.
That an attacker apparently bypassed the proof verification guarding those same pools, then turned to Tornado Cash, the unscreened mixer Hinkal positions itself as the compliant alternative to, is a scenario the protocol’s institutional partners will be watching closely.
Hinkal has not yet published a full post-mortem, and it remains unclear whether affected balances belong to the protocol, integrators, or end users, or whether any reimbursement is planned.
Another Entry in a Brutal H1 for DeFi
The exploit lands in the middle of the worst stretch for DeFi security on record. The first half of 2026 has already logged cumulative losses exceeding $1.1 billion, and this is the second exploit this week alone to end in Tornado Cash, following the $403,000 Edel Finance oracle manipulation attack on July 1.
With the funds already fragmented across a mixer and a cross-chain swap protocol, recovery prospects are slim. Security researchers consistently describe mixer entry as a near-terminal point for traceability, and THORChain has shown no willingness to freeze flagged flows even in nine-figure cases.
For now, the attacker’s remaining balance and any further movements from the 0xbB3f01a1 wallet remain the primary threads for investigators to pull.
Also Read: Velocity Defends Drift Rebrand After $295M Crypto Exploit
