The Slow Bleed Strategy
It’s been over a year since the Radiant hack, and the money is still moving. In late October 2025, the exploiter transferred about 5,411.8 ETH to Tornado Cash, worth roughly $20.7 million. Just nine days earlier, the same entity moved another 2,834.6 ETH, equivalent to $10.8 million. Neither transaction looked rushed or panicked. They appeared methodical, like someone testing liquidity windows and compliance timing.
The deposits were broken into common Tornado denominations that are cheap to blend and expensive to trace. This isn’t a frantic exit—it’s a patient, calculated process. The operator seems to understand exactly how the system works and where the pressure points are.
How the Attack Unfolded
The story started back on October 16, 2024, when Radiant’s lending pools on Arbitrum and BNB Chain were drained of between $50 million and $58 million. Technical analysis pointed to a simple but devastating problem: operational compromise involving keyholders and approvals.
Radiant used a three-out-of-eleven multi-signature scheme for sensitive actions. That broad signer set improved availability but created more targets for social engineering and device compromise. Security firms like Halborn reconstructed how the attacker exploited approval processes and device hygiene. Later reports suggested state-backed actors used impersonation to gain access.
At the time, CryptoSlate noted that October’s total exploit losses were about $116 million, with Radiant accounting for nearly half of that figure. A single cross-chain breach can significantly impact an entire month’s risk profile, even when the broader environment seems calm.
The Laundering Pattern
Over the past year, a clear pattern emerged. Funds moved out of layer-2 networks back to Ethereum through bridges where liquidity is deepest. Swaps consolidated balances into ETH to prepare for mixing.
The October 22-23, 2025 tranche showed 2,834.6 ETH in Tornado deposits, with 2,213.8 ETH arriving via the Arbitrum bridge from EOA 0x4afb. The remainder came from DAI conversions. The October 31 burst added another 5,411.8 ETH using modular deposits that match Tornado pool norms.
The chain is public, the route is predictable, and the incentives encourage patience over spectacle. Bridge hops from Arbitrum or BNB Chain bring balances into the deepest pools on mainnet. DEX rotations set the inventory in ETH for the most efficient Tornado entries.
What This Means for Security
Batching into standard denominations fractures the public graph into fragments that are costly to stitch together. Compliance teams still see patterns despite this—they cluster addresses around shared gas patterns and timing, match deposits to withdrawal windows, and watch for peel chains that start small, spread wide, then aggregate near target venues.
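An added illustration of two of the heuristics described above, burst timing and deposit-to-withdrawal window matching. It is not code from Radiant, Halborn or any tracing vendor, and every address, timestamp and threshold in it is constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real chain data): (kind, address, pool_eth, unix_time).
# Assumption: the mixer uses fixed-size ETH pools (0.1, 1, 10, 100).
EVENTS = [
    ("deposit",  "0xdepA", 100, 1_000), ("deposit",  "0xdepA", 100, 1_120),
    ("deposit",  "0xdepA", 100, 1_260), ("deposit",  "0xdepA", 10,  1_400),
    ("deposit",  "0xdepB", 100, 50_000),
    ("withdraw", "0xrcpX", 100, 90_000), ("withdraw", "0xrcpX", 100, 93_000),
    ("withdraw", "0xrcpX", 10,  95_000), ("withdraw", "0xrcpY", 100, 400_000),
    ("withdraw", "0xrcpZ", 1,   96_000),
]

def deposit_bursts(events, max_gap=600):
    """Group each address's deposits into bursts whose gaps are <= max_gap seconds."""
    by_addr = defaultdict(list)
    for kind, addr, _pool, ts in events:
        if kind == "deposit":
            by_addr[addr].append(ts)
    out = {}
    for addr, times in by_addr.items():
        times.sort()
        groups = [[times[0]]]
        for ts in times[1:]:
            if ts - groups[-1][-1] <= max_gap:
                groups[-1].append(ts)   # same burst
            else:
                groups.append([ts])     # gap too long: new burst
        out[addr] = groups
    return out

def window_matches(events, min_delay=3_600, max_delay=172_800):
    """Count, per (depositor, recipient), the deposits that pair one-to-one with a
    later withdrawal from the same pool inside the [min_delay, max_delay] window."""
    deps = sorted((e for e in events if e[0] == "deposit"), key=lambda e: e[3])
    wds = sorted((e for e in events if e[0] == "withdraw"), key=lambda e: e[3])
    used, score = set(), Counter()
    for _, d_addr, d_pool, d_ts in deps:
        for i, (_, w_addr, w_pool, w_ts) in enumerate(wds):
            if i in used or w_pool != d_pool:
                continue
            if min_delay <= w_ts - d_ts <= max_delay:
                used.add(i)             # each withdrawal explains one deposit
                score[(d_addr, w_addr)] += 1
                break
    return score

if __name__ == "__main__":
    print(deposit_bursts(EVENTS))
    print(window_matches(EVENTS).most_common())
```

A high pair count is a lead for an analyst to corroborate with other signals, not proof of a link, since unrelated users also deposit and withdraw in the same pools.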
The legal environment has created a gray zone where privacy tools continue to operate, and exchanges rely on behavior-driven controls rather than blanket labels. Investigations still catch exits, but the friction shifts from software to process.
For users and builders, the lesson is concrete: design choices carry cash outcomes. Bridges and routers concentrate value and failure modes, which is precisely why exploiters use them on the way out. Multi-chain apps require muscle memory for halts, allowlist flips, and liquidity snapshots rather than ad hoc improvisation after a breach.
Radiant’s documentation shows how their response tightened over time. The costs of that learning curve were real because the attacker had the initiative. The current flows through Tornado Cash are the tail of the same distribution.
The operator keeps moving because the rails continue to operate. The proper response involves hardened keyholder procedures, narrower approvals, real-time bridge monitoring, and treating signer devices like crown jewels.
The Radiant exploiter will likely continue using the same playbook until conditions change. More Tornado deposits will arrive in familiar sizes. More bridge activity will appear from addresses linked to the October 2024 paths. Eventually, a clean exit will ping a regulated venue, and desks will weigh timing and heuristics against customer narratives.
Every patient exit like this reduces confidence in cross-chain abstractions and pushes teams to audit not just code but operations. Users chase yield across networks because the experience feels seamless. The most skilled thieves know precisely where that seam is hidden.