How this millionaire crypto hacker continues to freely cash out a year later




On Oct. 31, 2025, the Radiant exploiter transferred approximately 5,411.8 ETH to Tornado Cash, a move worth roughly $20.7 million.

Nine days earlier, the same cluster had moved approximately 2,834.6 ETH, equivalent to $10.8 million, after staging funds across chains and through swaps before the mixer.

Neither burst looked hurried. Both looked like a careful operator testing liquidity and compliance timing, parceling deposits into common Tornado denominations that are inexpensive to blend and annoying to trace.

How the Radiant hack happened

Radiant’s story begins on Oct. 16, 2024, when its lending pools on Arbitrum and BNB Chain were drained of about $50 million to $58 million. Early technical post-mortems converged on a simple but devastating point.

The breach was due to an operational compromise involving keyholders and approvals that allowed an attacker to push malicious transactions through a multi-signature process. Security firms described signers being induced to approve the wrong calls.

The project had a three-out-of-eleven scheme for sensitive actions. That broad signer set improved availability but widened the target area for device compromise and social engineering. Analysis from Halborn and others reconstructed how approvals and device hygiene created windows that the attacker exploited, while Radiant’s own incident updates fixed the timeline and scale.

Later reporting suggested that a state-backed group used impersonation to gain access, a claim Radiant echoed as the dust settled.

CryptoSlate covered the fallout at the time through a crime trend lens. The report noted that October’s total exploit losses fell to approximately $116 million, and that Radiant’s incident accounted for nearly half of that monthly figure, placing an outsized share of the pain in one place.

That framing matters because it shows how a single cross-chain breach can significantly impact a month’s risk profile, even when the broader environment appears calm.

What followed over the next year set the pattern visible today. Funds moved out of L2s and back to Ethereum through bridges where liquidity is deepest. Swaps consolidated balances into ETH to prepare for the mixing process.

The October 22-23, 2025, tranche provides a clear example. CertiK flagged 2,834.6 ETH in Tornado deposits and noted that 2,213.8 ETH had arrived via the Arbitrum bridge from EOA 0x4afb, with the remainder sourced from DAI conversions.

The Oct. 31 burst increased the running total by another 5,411.8 ETH, with modular deposits that match Tornado pool norms. The chain is public, the route is predictable, and the incentives encourage patience over spectacle.

What the new laundering bursts reveal

The recent mixer activity reads like a slow bleed strategy rather than a single exit. Bridge hops from Arbitrum or BNB Chain bring balances into the deepest pools on mainnet. DEX rotations set the inventory in ETH for the most efficient Tornado entries.

Batching into standard denominations fractures the public graph into fragments that are costly to stitch together. Compliance teams still see a lot despite that. They cluster addresses around shared gas patterns and timing, match deposits to withdrawal windows, and watch for telltale peel chains that start small, spread wide, then aggregate near a target venue.
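The clustering and timing heuristics described above can be sketched as detection logic. This is an added example, not code from the article or from any firm it cites: the addresses and transfers are constructed placeholders, the denominations are the Tornado Cash ETH pool sizes (not listed in the article), and the one-hour gap and 100 ETH alert floor are assumed tuning values.

```python
from decimal import Decimal

# Tornado Cash ETH pool sizes (known values, not listed in the article).
DENOMS = {Decimal("0.1"), Decimal("1"), Decimal("10"), Decimal("100")}
# Constructed placeholder labels, not real addresses.
CLUSTER = {"0xWATCHED_A", "0xWATCHED_B"}
POOLS = {"0xPOOL_100", "0xPOOL_10"}

# Constructed sample transfers: (unix_ts, sender, recipient, eth)
SAMPLE = [
    (1000, "0xBRIDGE", "0xWATCHED_A", "250"),
    (1600, "0xWATCHED_A", "0xPOOL_100", "100"),
    (1660, "0xWATCHED_A", "0xPOOL_100", "100"),
    (1720, "0xWATCHED_A", "0xPOOL_10", "10"),
    (1800, "0xWATCHED_A", "0xDEX", "37.5"),
    (1900, "0xOTHER", "0xPOOL_100", "100"),
    (90000, "0xWATCHED_B", "0xPOOL_10", "10"),
    (90060, "0xWATCHED_B", "0xPOOL_10", "10"),
]

def mixer_deposits(transfers, cluster=CLUSTER, pools=POOLS):
    """Transfers from a watched address into a pool at an exact pool size."""
    hits = []
    for ts, src, dst, eth in transfers:
        amount = Decimal(eth)
        if src in cluster and dst in pools and amount in DENOMS:
            hits.append((ts, src, dst, amount))
    return sorted(hits)

def bursts(deposits, max_gap=3600):
    """Group deposits whose neighbours are at most max_gap seconds apart."""
    groups = []
    for dep in deposits:
        if groups and dep[0] - groups[-1][-1][0] <= max_gap:
            groups[-1].append(dep)
        else:
            groups.append([dep])
    return [
        {"start": g[0][0], "end": g[-1][0], "count": len(g),
         "total_eth": sum(d[3] for d in g)}
        for g in groups
    ]

def alerts(transfers, min_total=Decimal("100")):
    """Bursts large enough to escalate (min_total is an assumed floor)."""
    found = bursts(mixer_deposits(transfers))
    return [b for b in found if b["total_eth"] >= min_total]

if __name__ == "__main__":
    for burst in alerts(SAMPLE):
        print(burst)
```
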

The posture is pragmatic because the legal environment rewards pragmatism. Courts have narrowed the government’s broadest theories regarding the sanctioning of decentralized software. Prosecutors have won and lost various cases related to mixers.

The result is a gray zone where privacy tools continue to operate, and exchanges rely on behavior-driven controls rather than blanket labels. Investigations still catch exits. The friction just shifts from software to process.

For users and builders, the lesson is concrete. Design choices carry cash outcomes. Bridges and routers concentrate value and failure modes, which is precisely why exploiters use them on the way out. Multi-chain apps require muscle memory for halts, allowlist flips, and liquidity snapshots, rather than ad hoc improvisation in the hour after a breach.

Radiant’s documentation shows how the response tightened over time. The costs of that learning curve were real because the attacker had the initiative. The current flows through Tornado Cash are the tail of the same distribution.

The operator keeps moving because the rails continue to operate. The proper response is hardened keyholder procedures, narrower approvals, real-time bridge monitoring, and a culture that treats signer devices like crown jewels.

The Radiant exploiter will likely continue to employ the same playbook until conditions change. More Tornado deposits will arrive in familiar sizes. More bridge activity will appear from addresses linked to the October 2024 paths. A clean exit will eventually ping a regulated venue, and desks will weigh timing and heuristics against customer narratives.

The consequence for the market is predictable. Every patient exit like this reduces confidence in cross-chain abstractions and pushes teams to audit not just code but operations. Users chase yield across networks because the experience feels seamless. The most skilled thieves know precisely where that seam is hidden.
