The slow bleeding strategy
I think what we’re seeing here is a rather calculated approach to money laundering. The Radiant exploiter doesn’t rush things: he takes his time, tests the waters, and moves funds in carefully measured quantities. On October 31, 2025, they transferred approximately 5,411.8 ETH to Tornado Cash, which was worth approximately $20.7 million at the time.
Nine days earlier, the same group moved around 2,834.6 ETH, the equivalent of $10.8 million. What’s interesting is how they spread these funds across different chains and through various exchanges before finally reaching the mixer. Neither transaction seemed rushed or panicked. They seemed like someone who knows exactly what they’re doing, checking cash and timing compliance windows.
How the original hack happened
The whole story dates back to October 16, 2024, when Radiant’s lending pools on Arbitrum and BNB Chain were emptied of between $50 million and $58 million. The post-mortem technical analyzes all highlighted the same fundamental problem: an operational compromise involving keyholders and trusts.
From what I understand, the project used a three-by-eleven multi-signature scheme for sensitive actions. This broad configuration of signers may have improved availability, but it also created more targets for device compromise and social engineering. Security companies like Halborn have pieced together how the attacker exploited weaknesses in approval processes and device security.
Later reports suggested that a state-backed group had used spoofing tactics to gain access, which Radiant appeared to confirm once things calmed down. What is striking is that this single breach accounted for almost half of the total operating losses of around $116 million in October 2024. This shows how a cross-chain incident can really distort the monthly risk picture.
The whitening model emerges
Over the next year, a clear trend developed. Funds were moved from Layer 2 networks to Ethereum via bridges where liquidity is deepest. The exploiter would exchange various assets for ETH to prepare for the mixing process.
The transfers of October 22 and 23, 2025 are a good example. CertiK tracked 2,834.6 ETH entering Tornado Cash, with 2,213.8 ETH coming from the Arbitrum bridge and the rest coming from DAI conversions. The October 31 batch added an additional 5,411.8 ETH using similar modular deposits that match Tornado pool standards.
This whole approach feels like a strategy of slowly purging rather than trying to take it all in at once. Bridges from Arbitrum or BNB Chain bring balances into Ethereum’s deepest liquidity pools. DEX spins convert everything into ETH for the most efficient Tornado entries.
What this means for security
Grouping funds into standard denominations makes it expensive and difficult to trace everything. Compliance teams still have some tools at their disposal: They can group addresses by gas models and schedule, match deposits to withdrawal windows, and monitor those telltale peel chains that start small and spread wide.
The legal environment has created something of a gray area. Courts have narrowed some of the government’s broader theories about punishing decentralized software, and prosecutors have had mixed results in mixer-related cases. The result is that privacy tools continue to work and exchanges rely more on behavior-focused controls than blanket bans.
For developers and users, the lesson seems quite concrete. Design choices have real financial consequences. Bridges and routers concentrate value and points of failure, which is exactly why exploiters use them as exits. Multi-chain applications require built-in procedures for shutdowns, allowlist changes, and liquidity monitoring rather than rushing after a breach.
Radiant’s documentation shows how their response tightened over time, but the learning curve was costly because the attacker had the initiative. These current Tornado cash flows are just the end of that same distribution.
The exploiter continues to move funds because the infrastructure continues to function. The real solution appears to be to strengthen keyholder procedures, reduce approval scopes, monitor bridges in real time, and treat signing devices with extreme caution.
I suspect we will see the same thing until conditions change. More Tornado repositories in familiar sizes, more bridge activity from addresses linked to original paths. Eventually, someone will attempt to cash out through a regulated venue, and compliance departments will need to compare the timing and patterns to customer explanations.
The market consequence is predictable: every patient exit like this undermines trust in cross-chain systems and pushes teams to audit not only code but also operational procedures. Users look for yield on networks because it seems transparent, but the most experienced thieves know exactly where the seams lie.
![]()


