Nine days earlier, the same cluster had moved approximately 2,834.6 ETH, equivalent to $10.8 million, after staging funds across chains and through swaps before the mixer.
Neither burst looked hurried. Both looked like a careful operator testing liquidity and compliance timing, parceling deposits into common Tornado denominations that are inexpensive to blend and annoying to trace.
Radiant’s story begins on Oct. 16, 2024, when its lending pools on Arbitrum and BNB Chain were drained of about $50 million to $58 million. Early technical post-mortems converged on a simple but devastating point.
The breach was due to an operational compromise involving keyholders and approvals that allowed an attacker to push malicious transactions through a multi-signature process. Security firms described signers being induced to approve the wrong calls.
The project had a three-out-of-eleven scheme for sensitive actions. That broad signer set improved availability but widened the target area for device compromise and social engineering. Analysis from Halborn and others reconstructed how approvals and device hygiene created windows that the attacker exploited, while Radiant’s own incident updates fixed the timeline and scale.
Later reporting suggested that a state-backed group used impersonation to gain access, a claim Radiant echoed as the dust settled.
That framing matters because it shows how a single cross-chain breach can significantly impact a month’s risk profile, even when the broader environment appears calm.
The October 22-23, 2025, tranche provides a clear example. CertiK flagged 2,834.6 ETH in Tornado deposits and noted that 2,213.8 ETH had arrived via the Arbitrum bridge from EOA 0x4afb, with the remainder sourced from DAI conversions.
The Oct. 31 burst increased the running total by another 5,411.8 ETH, with modular deposits that match Tornado pool norms. The chain is public, the route is predictable, and the incentives encourage patience over spectacle.
The recent mixer activity reads like a slow bleed strategy rather than a single exit. Bridge hops from Arbitrum or BNB Chain bring balances into the deepest pools on mainnet. DEX rotations set the inventory in ETH for the most efficient Tornado entries.
Batching into standard denominations fractures the public graph into fragments that are costly to stitch together. Compliance teams still see a lot despite that. They cluster addresses around shared gas patterns and timing, match deposits to withdrawal windows, and watch for telltale peel chains that start small, spread wide, then aggregate near a target venue.
The result is a gray zone where privacy tools continue to operate, and exchanges rely on behavior-driven controls rather than blanket labels. Investigations still catch exits. The friction just shifts from software to process.
For users and builders, the lesson is concrete. Design choices carry cash outcomes. Bridges and routers concentrate value and failure modes, which is precisely why exploiters use them on the way out. Multi-chain apps require muscle memory for halts, allowlist flips, and liquidity snapshots, rather than ad hoc improvisation in the hour after a breach.
Radiant’s documentation shows how the response tightened over time. The costs of that learning curve were real because the attacker had the initiative. The current flows through Tornado Cash are the tail of the same distribution.
The operator keeps moving because the rails continue to operate. The proper response is hardened keyholder procedures, narrower approvals, real-time bridge monitoring, and a culture that treats signer devices like crown jewels.
The Radiant exploiter will likely continue to employ the same playbook until conditions change. More Tornado deposits will arrive in familiar sizes. More bridge activity will appear from addresses linked to the October 2024 paths. A clean exit will eventually ping a regulated venue, and desks will weigh timing and heuristics against customer narratives.
The consequence for the market is predictable. Every patient exit like this reduces confidence in cross-chain abstractions and pushes teams to audit not just code but operations. Users chase yield across networks because the experience feels seamless. The most skilled thieves know precisely where that seam is hidden.
