Kinto was an Ethereum Layer-2 that suffered a hack in July 2025 and announced its shutdown in September 2025.
Kinto was an L2 network branded as a “modular exchange” aiming to merge the best of centralized and decentralized finance. Launched with a strong compliance focus – including mandatory know-your-customer (KYC) checks – and features like built-in account abstraction and cross-chain liquidity, Kinto sought to bridge institutional finance and DeFi in a user-friendly way. Despite significant venture backing and early institutional participation, the project’s life cycle was a roller coaster, marked by a contentious launch, a severe exploit in July 2025, and an eventual shutdown by the end of that year.
This article covers Kinto’s launch (and why it drew criticism), the hack that struck the project, and the ultimate decision to wind down operations, with technical details and statements from the team and community throughout.
Kinto: Launch, Vision, Features & Early Frustrations
Kinto was founded in early 2023 by Ramon Recuero (previously of Babylon Finance) and team, raising $5 million in seed funding to build “the first KYC’ed Layer 2” network. It positioned itself as a compliance-friendly Ethereum rollup built on Arbitrum’s Nitro tech stack, with the goal of bridging TradFi (traditional finance) and DeFi.
Kinto officially launched its mainnet in mid-May 2024, following a testnet phase. The protocol aimed to solve two major barriers to mainstream DeFi adoption: regulatory compliance and user experience. To address these, Kinto built permissionless KYC/AML enforcement and native account abstraction directly into its protocol.
One of its standout features was the Kinto ID NFT. Every KYC-approved user could mint a non-transferable NFT, which granted access to the network. This ensured strong Sybil resistance with a strict one-user-one-ID model.
Kinto also introduced several user-friendly tools. These included passwordless “passkey” logins, a built-in non-custodial smart wallet, and Musubi – its cross-chain liquidity management system. Musubi enabled seamless trading across Ethereum, Arbitrum, Base, and other chains. Ultimately, Kinto positioned itself as an institutional-grade DeFi platform. It aimed to combine the efficiency of centralized exchanges with the transparency and self-custody of DEXes.
By early 2025, Brevan Howard Digital had deployed $20 million in liquidity on Kinto. Yet, despite this major vote of confidence, concerns began to surface. Community members and early investors voiced skepticism about the project’s direction.
From the start, Kinto required rigorous KYC. Many crypto users saw this as a betrayal of decentralization principles. One observer noted that by courting institutions with full KYC compliance, Kinto risked alienating privacy-focused users.
The Token Launch
The token launch also disappointed many. Kinto had run a community program, “Engen,” from late 2023 until the mainnet launch. Early adopters received Engen soulbound tokens and were promised $K governance token allocations. In February 2025, Kinto held the $K sale via its on-chain launchpad. By March 31, $K began trading on exchanges.
However, feedback was mixed, often critical. Some users labeled the launch underwhelming. A prominent crypto commentator, @SatyaXBT, described Kinto as “a terrible experience from the beginning.” He criticized the presale, the lower-than-expected launch price, and a troubled airdrop. This criticism came despite the project’s $20 million backing.
Kinto had released 33% of its 10 million token supply at launch. The goal was to avoid the inflated valuations seen in low-float launches. However, private sale investors had paid up to $10 per token. When $K started trading, it opened below these valuations. This immediately hurt investor sentiment.
The project’s heavy focus on regulation, combined with weak token momentum, triggered frustration within the community. Still, Kinto continued to build. By early 2025, it had tens of thousands of KYC-verified users. It also began listing innovative assets – such as tokenized stocks like Apple and Tesla on its modular exchange.
The July 2025 Hack: Proxy Contract Backdoor Exploit
Kinto’s journey hit a major setback on July 10, 2025, when a sophisticated smart contract exploit struck the network. The root cause was a zero-day vulnerability in the ERC-1967 proxy standard, a widely used upgradeable contract pattern from OpenZeppelin that Kinto had implemented.
Security researchers had recently discovered this flaw, later named the “CPIMP” proxy exploit. It allowed attackers to insert a malicious proxy admin, effectively creating a hidden backdoor. Alarmingly, block explorers still showed everything as normal, masking the threat. This wasn’t unique to Kinto. The vulnerability posed a risk to thousands of contracts across the industry. Other teams, like Berachain, received timely warnings and patched the issue.
However, Kinto was not notified before the vulnerability became public. As a result, attackers exploited the weakness within hours of the disclosure.
With access secured through the backdoor, the hacker illegally minted 110,000 new $K tokens – Kinto’s native asset. They then used these tokens to drain liquidity from key pools. Specifically, they withdrew funds from a Morpho lending vault and a Uniswap v4 pool, stealing approximately 577 ETH.
At the time, this was worth between $1.5 and $1.6 million USD. These reserves were completely lost.
The consequences were immediate and severe. The attacker dumped the 110,000 $K tokens on the market. This sudden oversupply caused the token’s price to crash by 90–95% within an hour, dropping from around $7.69 to just $0.50.
Market confidence collapsed. Nearly $13 million in market value vanished in the aftermath. The damage extended beyond the stolen ETH: investor trust took a major hit.
Technical Details Of The Hack
The exploit stemmed from a bug in the widely used ERC1967Proxy contract implementation. The attacker exploited this flaw to assign themselves as the proxy administrator for Kinto’s token contract. With this unauthorized access, they could mint new tokens out of thin air.
Block explorers like Etherscan made matters worse. Due to a front-end quirk, the malicious admin change went unnoticed, giving the attacker a covert window to execute their plan. Importantly, the exploit did not breach Kinto’s core smart contracts. The exchange, wallet, and bridge contracts remained intact. This wasn’t a traditional logic bug in Kinto’s codebase. Instead, it was an upstream vulnerability in a trusted library.
Founder Ramon Recuero clarified:
“The Kinto network, assets and wallet are not affected… This was a vulnerability in a proxy contract (ERC-1967) made worse by a bug in block explorers.”
In short, the attacker tricked the infrastructure controlling token supply. Once in control, they minted large amounts of $K, sold them quickly, and bridged the proceeds across chains to launder the funds.
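The defensive check this section implies is to read a proxy's ERC-1967 admin and implementation slots directly from storage instead of trusting an explorer view. The sketch below is an added example, not Kinto's or OpenZeppelin's code: the slot constants are the ones defined by EIP-1967, while the addresses, storage maps and function names are constructed for illustration, and `get_storage_at` stands in for an `eth_getStorageAt` RPC call.

```python
# Slot constants as defined by EIP-1967; all other names and values are constructed.
IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
SLOTS = {"implementation": IMPLEMENTATION_SLOT, "admin": ADMIN_SLOT}


def word_to_address(word_hex):
    """Decode a 32-byte storage word into (address, upper_12_bytes_are_zero)."""
    digits = word_hex[2:] if word_hex.startswith("0x") else word_hex
    raw = bytes.fromhex(digits.rjust(64, "0"))
    if len(raw) != 32:
        raise ValueError("storage word must be 32 bytes")
    return "0x" + raw[12:].hex(), raw[:12] == bytes(12)


def audit_proxy(get_storage_at, proxy, expected, displayed=None):
    """Compare raw slot contents with the team's deployment record and,
    optionally, with what a UI displays. get_storage_at(proxy, slot) returns
    the hex word, i.e. a thin wrapper over eth_getStorageAt in real use."""
    findings = []
    for name, slot in SLOTS.items():
        actual, clean = word_to_address(get_storage_at(proxy, slot))
        if not clean:
            findings.append((name, "dirty-upper-bytes", actual))
        if actual != expected[name].lower():
            findings.append((name, "differs-from-deployment-record", actual))
        if displayed and actual != displayed[name].lower():
            findings.append((name, "differs-from-explorer-view", actual))
    return findings


# Constructed sample: the same proxy before and after its slots are rewritten.
PROXY = "0x" + "aa" * 20
GOOD_IMPL, GOOD_ADMIN = "0x" + "11" * 20, "0x" + "22" * 20
ROGUE = "0x" + "ee" * 20


def pad(addr):
    return "0x" + addr[2:].rjust(64, "0")


HEALTHY = {IMPLEMENTATION_SLOT: pad(GOOD_IMPL), ADMIN_SLOT: pad(GOOD_ADMIN)}
TAMPERED = {IMPLEMENTATION_SLOT: pad(ROGUE), ADMIN_SLOT: pad(ROGUE)}
EXPECTED = {"implementation": GOOD_IMPL, "admin": GOOD_ADMIN}

if __name__ == "__main__":
    for label, store in (("healthy", HEALTHY), ("tampered", TAMPERED)):
        print(label, audit_proxy(lambda p, s: store[s], PROXY, EXPECTED, EXPECTED))
```

Passing the deployment record as `displayed` models a UI that still shows the original values; run on a schedule against the raw slots, the audit flags the change even when that view looks normal.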
Kinto brought in blockchain forensics teams, including ZeroShadow and Venn Build, to investigate. Authorities joined the effort as well. Based on early findings, Recuero stated that “all signs point to Lazarus”, the infamous North Korean state-sponsored hacking group. Given Lazarus’ involvement in several other major crypto hacks that year, this theory gained traction.
Kinto responded swiftly in communication, though execution proved more difficult. On July 11, Recuero posted on X (formerly Twitter) to apologize and accept responsibility:
“I know this is a really hard time… No matter the circumstances, it is all my fault and I take responsibility. Me and the team will do anything in our power to come back from this.”
Behind the scenes, the team entered a 36-hour ‘war room’ with security experts. But by that time, the damage had already been done.
To limit the fallout, Kinto froze $K trading and rolled out a recovery plan. They took a snapshot of token balances before the exploit and launched a new $KINTO token. This allowed them to restore user holdings to pre-hack levels.
They also raised $1.05 million in emergency loans from backers under an effort dubbed “Phoenix.” These funds helped replenish drained liquidity pools and kickstart trading once more.
By July 31, Kinto had relisted the revived $K token, aiming to repeg it around the original price of $7.48. Operations resumed.
In the weeks that followed, the token market showed signs of recovery. By mid-August 2025, $K briefly reached around $8, nearly reclaiming its pre-hack value. This bounce, however, could not erase the deeper damage.
Kinto’s Eventual Shutdown: Winding Down After Collapse
On September 7, 2025, less than two months after the exploit, Kinto’s founders announced they would shut down operations by September 30. In an X (formerly Twitter) thread and a Medium post titled “Time to face reality,” founder Ramon Recuero explained that the team had “exhausted every path” to keep going. He added, “every day we go on, the funds dwindle further.”
The July hack had inflicted heavy damage:
577 ETH (~$1.6M) stolen
$K token price destroyed
User confidence shattered
All this happened amid an already bearish crypto market.
Although Kinto briefly relaunched, it was running on borrowed time and borrowed money. The team had raised ~$1 million in debt to fund the Phoenix revival. But this added new liabilities, which deterred future investors. At one point, Kinto even secured a tentative $5 million post-hack commitment from Nimbus Capital, but that deal collapsed at the last minute.
As market conditions worsened, fundraising dried up. The team hadn’t been paid since July and was sinking deeper into debt. Recuero finally admitted:
“We have one responsible choice left: shut down cleanly and protect users/lenders as best as possible.”
Instead of letting Kinto limp forward in “zombie mode,” the team opted for a transparent, orderly wind-down.
The Shutdown Plan: Responsible, Public, and Transparent
Kinto communicated the shutdown clearly. Users were told to withdraw all assets by September 30. After that, any unclaimed funds on Kinto’s L2 would move into a perpetual on-chain claim contract, allowing retrieval at any time.
Because Kinto’s system required KYC, the team also addressed user privacy concerns. They confirmed that all identity documents, processed through services like Plaid and Onfido, would be deleted as vendor contracts ended.
The team also prioritized repaying creditors and hack victims. They consolidated the remaining $800,000 in treasury assets into a Foundation-controlled multisig (SAFE). This fund was dedicated to reimbursing Phoenix lenders around 76% of their principal. These lenders had stepped up during the crisis, and the team aimed to make them as whole as possible.
In addition, Recuero launched a “goodwill grant” for users affected by the hack. Any address left with bad debt in the Morpho lending pool could claim $1,100. The goal was to fully compensate small lenders. Recuero even contributed $130,000 of his own money to this fund, an act of personal responsibility and goodwill.
If any of the 577 ETH stolen in the hack is ever recovered through law enforcement, those funds will first go to victims.
Despite the network’s closure, Kinto also promised to honor the upcoming ERA airdrop (scheduled for mid-October 2025). Eligible users would still receive their tokens.
Recuero summed it up:
“Plenty of teams vanish… We won’t. We’re doing this orderly and out in the open.”
Fallout and Backlash: Mixed Reactions from the Community
The community response was swift and polarized. Some users praised the transparency. But many were angry.
The shutdown news triggered a sharp 80% drop in $K’s price. It plummeted from $2.40 to under $0.50 in a single day. By early September, $K’s market cap had fallen to just $1 million, down from a $14.5 million August peak.
Panic set in. Token holders rushed to exit. Social media lit up with frustration and accusations. Some users even claimed Kinto had “rug-pulled”: launching, raising funds, and shutting down with insider profits.
Kinto’s team quickly refuted the allegations. They emphasized that neither the team nor seed investors had unlocked any tokens. Their entire $K allocations were still vesting and worthless after the crash. On X, the team fired back:
“Show how we made the money please. Team and investors have not unlocked a single token.”
This matched the tokenomics. The founding team’s tokens had been locked since June 2024 and were set to unlock in October 2025, after the shutdown date.
Still, bitterness lingered. On Twitter and Discord, early supporters called the project a “terrible experience”, from the bungled launch, to the devastating hack, and now the sudden death.
Some pointed to early red flags. One example: Kinto’s unsustainably high APYs, like 130% on USDC staking, raised concerns even before the hack. Others recalled Recuero’s previous project, Babylon Finance, which also shut down in 2022 after a major hack. That history didn’t inspire confidence.
The End of Kinto: A Painful Lesson for DeFi
Kinto’s closure on September 30, 2025 marked the end of a bold DeFi experiment.
The project began with high ambitions. It aimed to bridge traditional finance standards with crypto’s decentralized promise. It offered KYC, insurance, and “security-first” design. But even that wasn’t enough. A novel exploit and a breakdown in user trust proved fatal.
In the team’s final update, they acknowledged the failure:
“We didn’t achieve the outcome we hoped, but we’re choosing to face reality and close in a principled way.”
Kinto’s rise and fall now serve as a cautionary tale. They highlight the difficulty of merging compliance with decentralization, and the vital importance of rigorous security, even when using battle-tested components.
For users, investors, and builders, Kinto’s story offers hard-earned lessons. On Ethereum Layer-2s, where billions are at stake, trust is fragile, and resilience is everything.