The hacker behind the Radiant Capital exploit has resurfaced, moving millions in stolen Ethereum through the crypto mixer Tornado Cash, nearly a year after one of the biggest DeFi hacks of 2024.
According to blockchain security firm CertiK, the attacker deposited 2,834 ETH worth about $10.8 million into Tornado Cash, a platform often used to obscure the origin of crypto assets. The move comes after months of inactivity, making it increasingly difficult for authorities and investigators to trace the stolen funds.
Over $10.8 Million Laundered Through Tornado Cash
Data shared by CertiK shows the Radiant hacker has been steadily moving stolen Ethereum through a network of intermediary wallets before funneling it into Tornado Cash.
The funds originated from bridge addresses linked to Stargate Bridge, Synapse Bridge, and Drift FastBridge, before being consolidated in an address beginning with 0x4afb. From there, the hacker distributed the assets through multiple smaller wallets, including 0x3fe4, in an attempt to further obscure their path.
“These transactions show a deliberate and layered laundering process,” CertiK noted in its analysis. “The use of multiple wallets before Tornado Cash deposits makes tracking extremely complex.”
The laundering follows earlier activity in August 2025, when the hacker sold 3,091 ETH for 13.26 million DAI, later converting much of it back into Ethereum. The latest Tornado Cash transactions appear to mark the final stage of the laundering cycle.
Before the most recent transfer, the hacker’s wallets held around 14,436 ETH and 35.29 million DAI, together worth approximately $94.6 million.
Radiant Capital’s $53M Exploit and Suspected North Korean Link
The original attack on Radiant Capital’s lending pool occurred on October 16, 2024, leading to losses of roughly $53 million across both the Arbitrum (ARB) and BNB Chain (BSC) networks.
Investigators from Mandiant later concluded that the breach was likely orchestrated by AppleJeus, a North Korea-linked hacking group known for targeting financial and crypto institutions.
The attackers reportedly infiltrated Radiant’s systems using a macOS malware variant called INLETDRIFT, which allowed them to gain control of three out of eleven signer permissions within the project’s multi-signature wallet. This access enabled them to replace the lending pool’s implementation contract, draining funds directly from user deposits.
Following the theft, the hackers converted the stolen assets into 21,957 ETH — worth $53 million at the time — and managed to nearly double the value of their holdings to around $94 million through strategic trades and rising ETH prices over the following months.
“Instead of immediately cashing out, the hacker held the stolen ETH for nearly ten months, profiting from Ethereum’s price rally,” CertiK’s post-mortem added.
This was not Radiant’s first security breach. Earlier in 2024, the protocol had suffered a smaller $4.5 million flash loan attack, exposing vulnerabilities in its lending mechanisms.
Recovery Efforts Continue, but Prospects Remain Slim
Over the past year, Radiant Capital has worked with the FBI, Chainalysis, and Web3 security groups such as SEAL911 and ZeroShadow to track and recover the stolen funds. However, the recent Tornado Cash transfers have significantly reduced the likelihood of retrieval.
Mixers like Tornado Cash blend crypto from multiple users, making it nearly impossible to distinguish between legitimate and illicit funds once deposited. The protocol itself was sanctioned by the U.S. Treasury Department’s OFAC in 2022 for facilitating money laundering tied to North Korea’s cyber operations.
“Every Tornado Cash deposit effectively erases a trail of accountability,” said one investigator familiar with the case. “This move almost guarantees the Radiant hacker walks away clean.”
With the latest laundering event, the Radiant Capital case serves as another reminder of the growing sophistication of state-backed cybercrime targeting decentralized finance protocols and the ongoing struggle for enforcement agencies to keep pace.
