
How this millionaire crypto hacker continues to freely cash out a year later

On Oct. 31, 2025, the Radiant exploiter transferred roughly 5,411.8 ETH to Tornado Cash, a transfer worth roughly $20.7 million.

Nine days earlier, the same cluster had moved roughly 2,834.6 ETH, equal to $10.8 million, after staging funds across chains and through swaps before the mixer.

Neither burst looked hurried. Both looked like a careful operator testing liquidity and compliance timing, parceling deposits into common Tornado denominations that are cheap to mix and annoying to trace.

How the Radiant hack occurred

Radiant’s story begins on Oct. 16, 2024, when its lending pools on Arbitrum and BNB Chain were drained of about $50 million to $58 million. Early technical post-mortems converged on a simple but devastating point.

The breach was due to an operational compromise involving keyholders and approvals that allowed an attacker to push malicious transactions through a multi-signature process. Security firms described signers being induced to approve the bad calls.

The project had a three-out-of-eleven scheme for sensitive actions. That broad signer set improved availability but widened the target area for device compromise and social engineering. Analysis from Halborn and others reconstructed how approvals and device hygiene created windows that the attacker exploited, while Radiant’s own incident updates fixed the timeline and scale.

Later reporting suggested that a state-backed group used impersonation to gain access, a claim Radiant echoed as the dust settled.

CryptoSlate covered the fallout at the time through a crime trend lens. The report noted that October’s total exploit losses fell to roughly $116 million, and that Radiant’s incident accounted for nearly half of that monthly figure, placing an outsized share of the pain in a single place.

That framing matters because it shows how a single cross-chain breach can significantly impact a month’s risk profile, even when the broader environment appears calm.

What followed over the next year set the pattern seen today. Funds moved out of L2s and back to Ethereum through bridges where liquidity is deepest. Swaps consolidated balances into ETH to prepare for the mixing process.

The October 22-23, 2025, tranche provides a clear example. CertiK flagged 2,834.6 ETH in Tornado deposits and noted that 2,213.8 ETH had arrived via the Arbitrum bridge from EOA 0x4afb, with the remainder sourced from DAI conversions.

The Oct. 31 burst increased the running total by another 5,411.8 ETH, with modular deposits that match Tornado pool norms. The chain is public, the route is predictable, and the incentives encourage patience over spectacle.

What the new laundering bursts reveal

The recent mixer activity reads like a slow bleed strategy rather than a single exit. Bridge hops from Arbitrum or BNB Chain bring balances into the deepest pools on mainnet. DEX rotations set the inventory in ETH for the most efficient Tornado entries.

Batching into standard denominations fractures the public graph into fragments that are costly to stitch together. Compliance teams still see a lot despite that. They cluster addresses around shared gas patterns and timing, match deposits to withdrawal windows, and watch for telltale peel chains that start small, spread wide, then aggregate near a target venue.
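The deposit-side heuristics described above (fixed pool denominations, tight timing, a preceding bridge inflow) can be expressed as detection logic. This is an added example, not code from the article or from any firm it cites; the burst window, thresholds, address labels and sample transfers are constructed assumptions.

```python
from decimal import Decimal

# Tornado Cash ETH pools accept only these fixed deposit sizes.
DENOMS = {Decimal("0.1"), Decimal("1"), Decimal("10"), Decimal("100")}
WINDOW = 3600        # assumed: max seconds between deposits in one burst
MIN_DEPOSITS = 3     # assumed: deposits needed before alerting
LOOKBACK = 86400     # assumed: how far back to look for a bridge inflow

# Constructed sample transfers: (unix_ts, sender, receiver, ETH). Labels are placeholders.
EVENTS = [
    (1_000, "bridge", "addr_a", "450"),
    (4_000, "addr_a", "mixer", "100"),
    (4_600, "addr_a", "mixer", "100"),
    (5_200, "addr_a", "mixer", "100"),
    (5_900, "addr_a", "mixer", "100"),
    (9_000, "addr_b", "mixer", "1"),        # lone deposit, below threshold
    (9_500, "addr_a", "exchange", "37.5"),  # not a mixer deposit
    (200_000, "addr_c", "mixer", "10"),
    (200_300, "addr_c", "mixer", "10"),
    (200_900, "addr_c", "mixer", "10"),
]

def find_bursts(events, mixers=frozenset({"mixer"}), bridges=frozenset({"bridge"})):
    """Group fixed-denomination mixer deposits per sender into timed bursts."""
    deposits, inflows = {}, {}
    for ts, src, dst, amt in sorted(events):
        amt = Decimal(amt)
        if src in bridges:
            inflows.setdefault(dst, []).append(ts)
        elif dst in mixers and amt in DENOMS:
            deposits.setdefault(src, []).append((ts, amt))
    alerts = []
    for addr, deps in deposits.items():
        burst = [deps[0]]
        for dep in deps[1:] + [None]:            # None flushes the final burst
            if dep is not None and dep[0] - burst[-1][0] <= WINDOW:
                burst.append(dep)
                continue
            if len(burst) >= MIN_DEPOSITS:
                start = burst[0][0]
                alerts.append({
                    "address": addr,
                    "deposits": len(burst),
                    "total_eth": sum(a for _, a in burst),
                    "bridge_funded": any(0 <= start - t <= LOOKBACK
                                         for t in inflows.get(addr, [])),
                })
            burst = [dep]
    return alerts
```

On the constructed data, `find_bursts(EVENTS)` reports a bridge-funded burst from `addr_a` and an unfunded one from `addr_c`, while the lone deposit from `addr_b` stays below the alert threshold.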

The posture is pragmatic because the legal environment rewards pragmatism. Courts have narrowed the government’s broadest theories regarding the sanctioning of decentralized software. Prosecutors have won and lost various cases related to mixers.

The result is a gray zone where privacy tools continue to operate, and exchanges rely on behavior-driven controls rather than blanket labels. Investigations still catch exits. The friction simply shifts from software to process.

For users and builders, the lesson is concrete. Design choices carry money outcomes. Bridges and routers concentrate value and failure modes, which is precisely why exploiters use them on the way out. Multi-chain apps require muscle memory for halts, allowlist flips, and liquidity snapshots, rather than ad hoc improvisation in the hour after a breach.

Radiant’s documentation shows how the response tightened over time. The costs of that learning curve were real because the attacker had the initiative. The current flows through Tornado Cash are the tail of the same distribution.

The operator keeps moving because the rails continue to operate. The right response is hardened keyholder procedures, narrower approvals, real-time bridge monitoring, and a culture that treats signer devices like crown jewels.

The Radiant exploiter will likely continue to use the same playbook until conditions change. More Tornado deposits will arrive in familiar sizes. More bridge activity will appear from addresses linked to the October 2024 paths. A clean exit will eventually ping a regulated venue, and desks will weigh timing and heuristics against customer narratives.

The consequence for the market is predictable. Every patient exit like this reduces confidence in cross-chain abstractions and pushes teams to audit not just code but operations. Users chase yield across networks because the experience feels seamless. The most skilled thieves know precisely where that seam is hidden.

The post How this millionaire crypto hacker continues to freely cash out a year later appeared first on CryptoSlate.
