The Slow Bleed Strategy
I think what we’re seeing here is a pretty calculated approach to money laundering. The Radiant exploiter isn’t rushing things – they’re taking their time, testing the waters, and moving funds in carefully measured amounts. On October 31, 2025, they transferred about 5,411.8 ETH to Tornado Cash, which was worth roughly $20.7 million at the time.
Just nine days earlier, the same group moved approximately 2,834.6 ETH, equivalent to $10.8 million. What’s interesting is how they staged these funds across different chains and through various swaps before finally hitting the mixer. Neither transaction looked hurried or panicked. Both looked like the work of someone who knows exactly what they’re doing, checking liquidity and timing compliance windows.
How the Original Hack Unfolded
The whole story goes back to October 16, 2024, when Radiant’s lending pools on Arbitrum and BNB Chain got drained of somewhere between $50 million and $58 million. The technical post-mortems all pointed to the same basic problem – an operational compromise involving keyholders and approvals.
From what I understand, the project used a three-out-of-eleven multi-signature scheme for sensitive actions. That broad signer setup might have improved availability, but it also created more targets for device compromise and social engineering. Security firms like Halborn reconstructed how the attacker exploited weaknesses in approval processes and device security.
Later reports suggested a state-backed group used impersonation tactics to gain access, which Radiant seemed to confirm once things settled down. What’s striking is how this single breach accounted for nearly half of October 2024’s total exploit losses of about $116 million. It shows how one cross-chain incident can really skew the monthly risk picture.
The Laundering Pattern Emerges
Over the next year, a clear pattern developed. Funds moved out of layer-2 networks back to Ethereum through bridges where liquidity is deepest. The exploiter would swap various assets into ETH to prepare for the mixing process.
The October 22-23, 2025 transfers provide a good example. CertiK tracked 2,834.6 ETH going into Tornado Cash, with 2,213.8 ETH coming from the Arbitrum bridge and the rest from DAI conversions. The October 31 batch added another 5,411.8 ETH using similar modular deposits that match Tornado pool norms.
This whole approach feels like a slow bleed strategy rather than trying to cash out everything at once. Bridge hops from Arbitrum or BNB Chain bring balances into Ethereum’s deepest liquidity pools. DEX rotations convert everything to ETH for the most efficient Tornado entries.
What This Means for Security
Batching funds into standard denominations makes it expensive and difficult to trace everything back. Compliance teams still have some tools – they can cluster addresses by gas patterns and timing, match deposits to withdrawal windows, and watch for those telltale peel chains that start small and spread wide.
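The first two heuristics named above, sketched as an added example (not code from the original article or from any analytics vendor). The sample records, addresses, thresholds and function names are constructed assumptions; the pool sizes are Tornado Cash's fixed ETH denominations.

```python
# Tornado Cash ETH pools accept only these fixed deposit sizes.
POOL_SIZES_ETH = {0.1, 1, 10, 100}

# Constructed sample records: (timestamp_s, address, amount_eth, gas_price_gwei)
DEPOSITS = [
    (1000, "0xaaa1", 100, 21.0),
    (1060, "0xaaa2", 100, 21.0),
    (1130, "0xaaa3", 100, 21.1),
    (1200, "0xaaa4", 10, 21.0),
    (5000, "0xbbb1", 1, 35.5),    # unrelated single deposit
    (9000, "0xccc1", 100, 48.0),  # unrelated single deposit
]
# Constructed sample records: (timestamp_s, address, amount_eth)
WITHDRAWALS = [
    (4000, "0xddd1", 100),
    (4100, "0xddd2", 100),
    (90000, "0xeee1", 100),       # far outside the window
]

def cluster_deposits(deposits, max_gap_s=300, gas_tol_gwei=0.5):
    """Group pool-sized deposits that follow each other closely in time
    and use near-identical gas prices, a sign of one operator's script."""
    clusters, current = [], []
    for d in sorted(x for x in deposits if x[2] in POOL_SIZES_ETH):
        if current and (d[0] - current[-1][0] > max_gap_s
                        or abs(d[3] - current[-1][3]) > gas_tol_gwei):
            clusters.append(current)
            current = []
        current.append(d)
    if current:
        clusters.append(current)
    # A lone deposit is ordinary usage; only bursts are worth an analyst's time.
    return [c for c in clusters if len(c) >= 2]

def candidate_withdrawals(cluster, withdrawals, window_s=7200):
    """Withdrawals in a denomination the cluster used, within window_s after
    its last deposit. These are leads for review, not proof of linkage."""
    end = max(d[0] for d in cluster)
    sizes = {d[2] for d in cluster}
    return [w for w in withdrawals
            if w[2] in sizes and 0 < w[0] - end <= window_s]

if __name__ == "__main__":
    for c in cluster_deposits(DEPOSITS):
        print(sum(d[2] for d in c), "ETH from", [d[1] for d in c])
        print("candidates:", candidate_withdrawals(c, WITHDRAWALS))
```

Both thresholds trade recall for noise: a patient operator who spaces deposits beyond `max_gap_s` or varies gas settings splits into smaller clusters, which is why these signals are combined with bridge and swap provenance rather than used alone.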
The legal environment has created something of a gray zone. Courts have narrowed some of the government’s broader theories about sanctioning decentralized software, and prosecutors have had mixed results with mixer-related cases. The result is that privacy tools continue operating, and exchanges rely more on behavior-driven controls than blanket bans.
For developers and users, the lesson seems pretty concrete. Design choices have real cash consequences. Bridges and routers concentrate value and failure points, which is exactly why exploiters use them for exits. Multi-chain applications need built-in procedures for halts, allowlist changes, and liquidity monitoring rather than scrambling after a breach happens.
Radiant’s documentation shows how their response tightened over time, but the learning curve was expensive because the attacker had the initiative. These current Tornado Cash flows are just the tail end of that same distribution.
The exploiter keeps moving funds because the infrastructure continues operating. The real solution seems to be hardening keyholder procedures, narrowing approval scopes, monitoring bridges in real-time, and treating signer devices with extreme care.
I suspect we’ll see more of the same until conditions change: more Tornado deposits in familiar sizes and more bridge activity from addresses linked to the original paths. Eventually, someone will try to cash out through a regulated venue, and compliance desks will have to weigh timing and patterns against customer explanations.
The market consequence is predictable – every patient exit like this chips away at confidence in cross-chain systems and pushes teams to audit not just code but operational procedures. Users chase yield across networks because it feels seamless, but the most skilled thieves know exactly where the seams are hidden.


