Introduction
Nearly a year after draining $50-58 million from Radiant’s cross-chain lending pools, the unidentified exploiter continues to methodically launder stolen funds through Tornado Cash, with recent transactions totaling $31.5 million revealing a patient, calculated exit strategy. The ongoing money laundering operation, involving carefully timed ETH transfers through the Ethereum mixer, underscores persistent vulnerabilities in DeFi security protocols and highlights how sophisticated attackers exploit cross-chain infrastructure weaknesses long after initial breaches.
Key Points
- The hacker used social engineering to compromise Radiant's 3-of-11 multi-signature setup, allowing unauthorized transactions through keyholder approvals
- Funds were systematically moved across chains via bridges to Ethereum where liquidity is deepest, then converted to ETH before mixing through Tornado Cash
- The exploiter employed patient, batched deposits in standard denominations to avoid detection rather than attempting large, single transactions
The Methodical Money Laundering Pattern
The Radiant exploiter’s recent activity demonstrates a carefully orchestrated money laundering strategy that prioritizes patience over speed. On October 31, 2025, the attacker transferred approximately 5,411.8 ETH to Tornado Cash, worth roughly $20.7 million at the time. This followed a similar movement nine days earlier, when approximately 2,834.6 ETH ($10.8 million) entered the same mixer. Security analysts from firms like CertiK noted that neither transaction appeared hurried, instead showing signs of a sophisticated operator testing liquidity and compliance timing while parceling deposits into common Tornado Cash denominations that are both inexpensive to mix and difficult to trace.
The laundering process follows a predictable but effective pattern: funds move from Layer 2 networks like Arbitrum and BNB Chain back to Ethereum via bridges where liquidity is deepest, followed by swaps that consolidate balances into ETH to prepare for the mixing process. The October 22-23, 2025 tranche provides a clear example, with CertiK flagging 2,834.6 ETH in Tornado deposits and noting that 2,213.8 ETH had arrived via the Arbitrum bridge from EOA 0x4afb, while the remainder came from DAI conversions. This modular approach to money laundering, using standard denominations that match Tornado pool norms, creates significant challenges for investigators attempting to trace the funds.
The Original $50-58 Million Cross-Chain Breach
The current money laundering activity traces back to October 16, 2024, when Radiant’s lending pools on Arbitrum and BNB Chain were drained of approximately $50 million to $58 million. Early technical post-mortems from security firms including Halborn converged on a simple but devastating conclusion: the breach resulted from an operational compromise involving keyholders and approvals that allowed an attacker to push malicious transactions through Radiant’s multi-signature process. The project employed a three-out-of-eleven scheme for sensitive actions, a broad signer set that improved availability but dramatically widened the target area for device compromise and social engineering attacks.
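The trade-off in a three-out-of-eleven scheme can be put in numbers. The following is an added example, not taken from Radiant or the cited post-mortems: it models signers as independent (a simplifying assumption, since a targeted social engineering campaign against one team is correlated) and uses illustrative probabilities, hypothetical alternative schemes and hypothetical function names.

```python
from math import comb

def tail(k, n, p):
    """P[X >= k] for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def forge_risk(k, n, p_compromise):
    """Attacker can push a transaction once at least k signers are compromised."""
    return tail(k, n, p_compromise)

def stall_risk(k, n, p_offline):
    """Quorum is lost once more than n - k signers are unreachable."""
    return tail(n - k + 1, n, p_offline)

def pick_threshold(n, p_compromise, p_offline, max_forge, max_stall):
    """Smallest k meeting both risk budgets, or None if no k does."""
    for k in range(1, n + 1):
        if (forge_risk(k, n, p_compromise) <= max_forge
                and stall_risk(k, n, p_offline) <= max_stall):
            return k
    return None

# Assumed, illustrative inputs: 5% chance a given signer is compromised,
# 10% chance a given signer is unreachable when a signature is needed.
P_COMPROMISE, P_OFFLINE = 0.05, 0.10

if __name__ == "__main__":
    # 3-of-11 is the scheme described above; the other two are hypothetical.
    for k, n in [(3, 11), (3, 5), (6, 11)]:
        print(f"{k}-of-{n}: forge={forge_risk(k, n, P_COMPROMISE):.2e} "
              f"stall={stall_risk(k, n, P_OFFLINE):.2e}")
    print("k for n=11:", pick_threshold(11, P_COMPROMISE, P_OFFLINE, 1e-4, 1e-3))
```

Under these assumptions, keeping the threshold at three while growing the signer set from five to eleven raises the chance of an attacker reaching quorum by more than an order of magnitude, while a higher threshold on the same eleven signers still stalls rarely.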
Security analysis reconstructed how approvals and device hygiene created windows that the attacker exploited, with Radiant’s own incident updates providing the timeline and scale details. Later reporting suggested that a state-backed group used impersonation tactics to gain access, a claim that Radiant echoed as the situation stabilized. The incident’s magnitude was such that, as CryptoSlate reported at the time, October 2024’s total exploit losses fell to approximately $116 million, with Radiant’s breach accounting for nearly half of that monthly figure. This demonstrates how a single cross-chain breach can significantly impact an entire month’s risk profile, even when the broader DeFi environment appears relatively calm.
Security Implications and Industry Response
The ongoing money laundering through Tornado Cash reveals critical security lessons for the DeFi ecosystem. The exploiter’s slow-bleed strategy, rather than attempting a single large exit, demonstrates sophisticated understanding of compliance detection mechanisms. By using bridge hops from Arbitrum or BNB Chain to bring balances into Ethereum’s deepest liquidity pools, followed by DEX rotations to convert inventory into ETH for efficient Tornado entries, the attacker maximizes obfuscation while minimizing detection risk. Batching into standard denominations further fractures the public blockchain graph into fragments that are prohibitively costly to stitch together during investigations.
Despite these challenges, compliance teams continue to monitor such activities by clustering addresses around shared gas patterns and timing, matching deposits to withdrawal windows, and watching for telltale peel chains that start small, spread wide, then aggregate near target venues. The current legal environment encourages a pragmatic approach: courts have narrowed the government’s broadest theories for sanctioning decentralized software, while prosecutors have achieved mixed results in cases related to mixers. This has resulted in a gray zone where privacy tools continue operating, and exchanges increasingly rely on behavior-driven controls rather than blanket labels.
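Two of the monitoring heuristics above, batched pool-sized deposits and clustering on shared gas price and timing, can be sketched as follows. This is an added example, not tooling from CertiK or any firm named here; the event tuples, addresses, window and thresholds are constructed, and the pool sizes are the fixed 0.1, 1, 10 and 100 ETH deposits of the Tornado Cash ETH pools.

```python
from collections import defaultdict
from decimal import Decimal

# Fixed deposit sizes of the Tornado Cash ETH pools.
POOL_SIZES = {Decimal("0.1"), Decimal("1"), Decimal("10"), Decimal("100")}

# Constructed sample events: (sender, unix_time, amount_eth, gas_price_gwei).
EVENTS = [
    ("0xaaa1", 1000, "100", 17), ("0xaaa1", 1060, "100", 17),
    ("0xaaa1", 1120, "100", 17), ("0xaaa1", 1180, "10", 17),
    ("0xbbb2", 1200, "100", 17), ("0xbbb2", 1260, "100", 17),
    ("0xccc3", 5000, "1", 42),
    ("0xddd4", 9000, "37.5", 17),  # not a pool size, so ignored
]

def pool_deposits(events):
    """Keep only pool-sized deposits, as (time, sender, amount, gas) sorted by time."""
    rows = [(t, s, Decimal(a), g) for s, t, a, g in events]
    return sorted(r for r in rows if r[2] in POOL_SIZES)

def flag_batches(events, window=600, min_count=3):
    """Map sender -> (deposit count, total ETH) for its busiest `window` seconds."""
    by_sender = defaultdict(list)
    for t, s, a, _ in pool_deposits(events):
        by_sender[s].append((t, a))
    flagged = {}
    for s, deps in by_sender.items():
        lo, best = 0, (0, Decimal(0))
        for hi in range(len(deps)):
            while deps[hi][0] - deps[lo][0] > window:
                lo += 1  # slide the window start forward
            span = deps[lo:hi + 1]
            best = max(best, (len(span), sum(a for _, a in span)))
        if best[0] >= min_count:
            flagged[s] = best
    return flagged

def cluster_by_gas_timing(events, window=600):
    """Group senders whose pool deposits share a gas price and chain within `window` s."""
    clusters, current, prev = [], set(), None
    for t, s, _, g in sorted(pool_deposits(events), key=lambda r: (r[3], r[0])):
        if prev is not None and (g != prev[0] or t - prev[1] > window):
            clusters.append(current)  # gas price changed or the chain went quiet
            current = set()
        current.add(s)
        prev = (g, t)
    clusters.append(current)
    return [c for c in clusters if len(c) > 1]
```

On the constructed events, only `0xaaa1` is flagged as a batch, and `0xaaa1` and `0xbbb2` fall into one cluster because their deposits share a gas price and follow each other within the window.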
For DeFi users and builders, the Radiant incident provides concrete lessons about design choices carrying significant financial consequences. Bridges and routers concentrate both value and failure modes, making them attractive targets for exploiters during both attacks and exit strategies. Multi-chain applications require established procedures for halts, allowlist management, and liquidity snapshots rather than ad hoc improvisation during crisis response. Radiant’s documentation shows how their response tightened over time, but the costs of that learning curve were substantial because the attacker maintained the initiative throughout the process.
The Future of Cross-Chain Security
The continued movement of funds through Tornado Cash represents the tail of the same distribution that began with the October 2024 breach. The operator persists because the financial rails continue to operate effectively, highlighting the need for hardened keyholder procedures, narrower approval mechanisms, real-time bridge monitoring, and organizational cultures that treat signer devices as crown jewels. Security experts anticipate the Radiant exploiter will likely continue employing the same playbook until market conditions or regulatory enforcement change, with more Tornado deposits arriving in familiar sizes and additional bridge activity emerging from addresses linked to the original attack paths.
The broader market consequence is predictable: every patient exit of this nature reduces confidence in cross-chain abstractions and pushes development teams to audit not just code but operational security practices. While users chase yield across networks because the experience feels seamless, the most skilled thieves understand precisely where the security seams are hidden. Eventually, a clean exit will likely ping a regulated venue, and compliance desks will weigh timing and behavioral heuristics against customer narratives, but the damage to market confidence and the lessons about operational security will remain long after the final stolen ETH is laundered.
