A year following the radiant hack, the thief is siphoning funds once more. Bridges, DEX hops, then Tornado. Strategic deposits, calculated timing, with real money still in motion.
Cover art/illustration via CryptoSlate. The image includes combined content that may include AI-generated content.
On Oct. 31, 2025, the Radiant perpetrator moved approximately 5,411.8 ETH to Tornado Cash, valued at about $20.7 million.
Nine days earlier, the same entity transferred roughly 2,834.6 ETH, worth $10.8 million, after organizing funds across different chains and swaps before reaching the mixer.
Neither transaction seemed rushed. Both appeared as if executed by a meticulous operator testing liquidity and compliance timing, dividing deposits into standard Tornado denominations that are cheap to blend and hard to trace.
How the Radiant hack took place
Radiant’s story begins on Oct. 16, 2024, when its lending pools on Arbitrum and BNB Chain were depleted by about $50 million to $58 million. Early technical analyses pinpointed a simple yet devastating issue.
The breach resulted from an operational compromise involving keyholders and approvals permitting an attacker to execute malicious transactions through a multi-signature process. Security firms described signers being manipulated into approving incorrect actions.
The project used a three-out-of-eleven scheme for sensitive actions, which, while increasing availability, expanded the target area for device compromise and social engineering. Analyses from Halborn and others reconstructed how these approvals and device hygiene breaches created vulnerabilities that the attacker exploited, while Radiant’s incident updates clarified the timeline and scale.
Later reports suggested that a state-backed group used impersonation to gain access, a claim echoed by Radiant as the situation unfolded.
CryptoSlate covered the aftermath through a lens focused on crime trends. The report noted that October’s total exploit losses fell to around $116 million, with Radiant’s incident accounting for nearly half of that monthly figure, concentrating much of the impact in one area.
This perspective is important as it highlights how a single cross-chain breach can significantly alter a month’s risk profile, even in seemingly calm broader environments.
The events following over the next year established a pattern observable today. Funds moved from L2s back to Ethereum through bridges, where liquidity is plentiful. Swaps consolidated balances into ETH in preparation for mixing.
The October 22-23, 2025, tranche illustrates this pattern clearly. CertiK identified 2,834.6 ETH in Tornado deposits and noted that 2,213.8 ETH came via the Arbitrum bridge from EOA 0x4afb, with the rest sourced from DAI conversions.
The Oct. 31 transaction added another 5,411.8 ETH to the running total, with modular deposits aligning with Tornado pool standards. The chain is public, the route predictable, and incentives favor patience over spectacle.
What the new laundering activities reveal
The recent mixer activities suggest a gradual depletion strategy rather than a single exit. Bridge transfers from Arbitrum or BNB Chain bring balances into the mainnet’s deepest pools. DEX rotations convert inventories into ETH for the most seamless Tornado entries.
Breaking down into standard denominations fractures the public graph into difficult-to-connect fragments. Compliance teams still observe a lot, though. They cluster addresses around shared gas patterns and timing, match deposits to withdrawal windows, and watch for distinctive peel chains that begin small, spread broadly, then converge near a target venue.
This stance is pragmatic because the legal environment encourages practicality. Courts have narrowed the government’s broadest theories regarding the sanctioning of decentralized software. Prosecutors have both won and lost various cases related to mixers.
The result is a gray zone where privacy tools remain functional, and exchanges rely on behavior-driven controls rather than blanket labels. Investigations can still intercept exits, though friction has shifted from software to processes.
For users and developers, the lesson is tangible. Design choices have cash implications. Bridges and routers centralize value and failure modes, explaining why exploiters utilize them during escapes. Multi-chain applications necessitate muscle memory for pauses, allowlist adjustments, and liquidity snapshots, rather than improvised actions immediately after a breach.
Radiant’s documentation demonstrates how the response tightened over time. The cost of this learning curve was significant as the attacker had the advantage. The ongoing activities through Tornado Cash are the tail end of the same distribution.
The operator persists because the networks remain functional. The appropriate response involves strengthening keyholder procedures, narrowing approvals, real-time bridge monitoring, and cultivating a culture that treats signer devices as vital assets.
The Radiant exploiter will likely continue using the same approach until conditions change. More Tornado deposits will arrive in familiar sizes. Increased bridge activities will emerge from addresses linked to the October 2024 pathways. A successful exit will eventually prompt a regulated venue, where desks will assess timing and heuristics against customer narratives.
The market consequence is foreseeable. Such gradual exits reduce confidence in cross-chain abstractions and push teams to audit not just protocols but operations. Users pursue yields across networks because the experience seems seamless. The most skilled thieves know exactly where that seam is hidden.

Politics Editor