Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

On October 31, 2025, the Radiant exploiter transferred about 5,411.8 ETH to Tornado Cash, a move worth about $20.7 million.
Nine days earlier, the same cluster had moved about 2,834.6 ETH, equivalent to $10.8 million, after staging the funds across chains and through exchanges before the mixer.
Neither move seemed rushed. Both look like the work of a careful operator testing liquidity and compliance timing, parceling deposits into common Tornado denominations that are inexpensive to mix and troublesome to trace.
Radiant’s story begins on October 16, 2024, when its loan pools on Arbitrum and BNB Chain were drained of about $50 million to $58 million. The first post-mortems converged on a simple but devastating point.
The breach was due to an operational compromise involving key holders and approvals that allowed an attacker to push malicious transactions through a multi-signature process. Security firms describe signers being induced to approve the wrong calls.
The project used a three-of-eleven scheme for sensitive actions. That broad signer set improved availability but widened the target area for device compromise and social engineering. Analysis by Halborn and others reconstructed how device approvals and hygiene created windows that the attacker exploited, while Radiant’s incident updates established the timeline and scale.
Later reports suggested that a state-backed group used impersonation to gain access, a claim that Radiant retracted as the dust settled.
CryptoSlate covered the fallout at the time through a crime-trend lens. The report noted that October’s total losses fell to about $116 million, and that the Radiant incident accounted for nearly half of that monthly figure, putting an overwhelming portion of the pain in one place.
That framing matters because it shows how a single cross-chain breach can significantly affect a month’s risk profile, even when the broader environment appears calm.
What followed over the next year set the pattern visible today. Funds have moved from L2s back to Ethereum through bridges, where liquidity is deeper. Conversions consolidated balances into ETH to prepare for the mixing process.
The October 22-23, 2025 tranche provides a clear example. CertiK reported 2,834.6 ETH in Tornado deposits and noted that 2,213.8 ETH had come via the Arbitrum bridge from EOA 0x4afb, with the rest coming from DAI conversions.
The October 31 burst increased the total by another 5,411.8 ETH, with deposits sized to match the standard Tornado pools. The chain is public, the route is predictable, and the incentives encourage patience.
The mixer’s recent activity reads like a slow-bleed strategy rather than a one-off. Bridge hops from Arbitrum or BNB Chain bring balances into deeper mainnet pools. DEX rotations put the inventory into ETH for the most efficient Tornado entry.
Batching in standard denominations fractures the public graph into fragments that are costly to stitch back together. Compliance teams still see a lot despite this. They group addresses around shared gas patterns and timing, match deposits to withdrawal windows, and watch peel chains unfold that start small, spread wide, then aggregate near a target destination.
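The two heuristics named above (grouping depositors by shared gas and timing, and matching deposits to withdrawal windows) can be sketched as follows. This is an added example, not code from the article or from any analytics firm; the event tuples, addresses and thresholds are constructed assumptions.

```python
# Tornado Cash ETH pools accept only these fixed sizes.
DENOMS_ETH = (0.1, 1, 10, 100)

# Constructed sample events: (kind, address, unix_ts, eth, gas_price_gwei)
EVENTS = [
    ("deposit", "0xAAA1", 1000, 100, 17),
    ("deposit", "0xAAA2", 1060, 100, 17),
    ("deposit", "0xAAA3", 1120, 100, 17),
    ("deposit", "0xBBB1", 5000, 10, 31),
    ("withdraw", "0xCCC1", 4000, 100, 22),
    ("withdraw", "0xCCC2", 90000, 10, 25),
]

def cluster_depositors(events, max_gap_s=300):
    """Group depositors that share a gas price and arrive in a tight burst."""
    deposits = sorted(
        (e for e in events if e[0] == "deposit" and e[3] in DENOMS_ETH),
        key=lambda e: e[2],
    )
    clusters, current = [], []
    for ev in deposits:
        prev = current[-1] if current else None
        # A new cluster starts when the gas price changes or the burst pauses.
        if prev and (ev[4] != prev[4] or ev[2] - prev[2] > max_gap_s):
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)
    # Single deposits carry no shared-behaviour signal, so drop them.
    return [[e[1] for e in c] for c in clusters if len(c) > 1]

def match_withdrawals(events, window_s=86400):
    """Map each withdrawal to earlier same-pool deposits inside the window."""
    links = {}
    for kind, addr, ts, eth, _ in events:
        if kind != "withdraw":
            continue
        links[addr] = [
            d[1] for d in events
            if d[0] == "deposit" and d[3] == eth and 0 < ts - d[2] <= window_s
        ]
    return links

if __name__ == "__main__":
    print(cluster_depositors(EVENTS))
    print(match_withdrawals(EVENTS))
```

The output is a candidate set, not an attribution: the fewer same-pool deposits that fall inside a withdrawal's window, the stronger the lead.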
The stance is pragmatic because the legal environment rewards pragmatism. Courts have narrowed the government’s broader theories regarding the sanctioning of decentralized software. Prosecutors have won and lost various cases concerning mixers.
The result is a gray area where privacy tools continue to operate, and exchanges rely on behavior-driven controls rather than blanket labels. Investigations still trace the sources. The friction simply moves from the software to the process.
For users and builders, the lesson is concrete. Design choices have monetary consequences. Bridges and routers concentrate value and failure modes, which is precisely why exploiters use them along the way. Multi-chain applications require muscle memory for shutdowns, permission-list flips and liquidity snapshots, rather than ad hoc improvisation in the hours after a breach.
Radiant’s documentation shows how the response matured over time. The costs of that learning curve were real because the attacker had the initiative. Current flows through Tornado Cash are the tail of the same distribution.
The operator continues to move because the rails continue to operate. The correct answer is hardened key procedures, stricter approvals, real-time bridge monitoring, and a culture that treats signing devices as crown jewels.
The Radiant exploiter will likely continue to employ the same playbook until conditions change. More Tornado deposits will arrive in familiar sizes. More bridging activity will appear from addresses linked to the October 2024 paths. A clean exit will eventually ping a regulated venue, and desks will weigh timing and heuristics against customer narratives.
The consequence for the market is predictable. Each patient exit reduces reliance on cross-chain abstractions and pushes teams to audit not just code, but operations. Users chase performance across networks because the experience feels seamless. The most skilled thieves know precisely where the seam is hidden.