Radiant Capital hacker moves $10.8M into Tornado Cash

The Radiant Capital hacker recently deposited 2,834 ETH into the mixer protocol Tornado Cash one year after exploiting the project’s lending pool, resulting in a $53 million loss.

According to on-chain monitoring platform CertiK, the hacker has laundered around $10.8 million worth of Ethereum through the mixer platform Tornado Cash. The move makes it even harder for on-chain sleuths and authorities to track down the stolen funds combined with the additional ETH gained previous trades and swaps into DAI.

According to CertiK’s chart, the funds were originally absorbed from bridge addresses such as Stargate Bridge, Synapse Bridge, and Drift FastBridge, showing how the attackers initially moved large amounts of ETH (ETH) into an intermediary address beginning with 0x4afb.

From the main wallet, the attackers began distributing funds through a series of smaller transfers. One notable path moves 2,236 ETH from 0x4afb to 0x3fe4 before shifting the funds through three more Ethereum wallets.

In August 2025, the hackers offloaded as much as 3,091 Ethereum and swapped them with 13.26 million USD-backed DAI (DAI) stablecoins. Afterwards, the hackers moved the DAI tokens to a series of other wallets before swapping them back into ETH. The hackers then dumped 2,834 ETH into the crypto mixer Tornado Cash, making them effectively untraceable.

Before the Tornado Cash deposit, the Radiant Capital hackers held around 14,436 ETH and 35.29 million DAI, making up a portfolio worth $94.63 million.

For the past year, Radiant Capital has been working with the FBI, Chainalysis and other web3 security firms such as SEAL911 and ZeroShadow to recover the stolen funds after the hack. However, chances of recovery remain slim, especially now that the hackers have been depositing funds into crypto mixer platforms like Tornado Cash.

What happened to Radiant Capital?

On Oct. 16, 2024, Radiant Capital suffered an attack on its lending pool, which led to a loss of $53 million from ARB (ARB) and BSC (BNB) networks. The attack had been one of the most damaging crypto exploits of the year.

The attacker was able to gain control of 3 out of 11 signer permissions of the system’s multi-signature wallets, replacing the implementation contract of the Radiant lending pool to steal funds. The hacker reportedly used a specific malware designed to infiltrate macOS hardware called INLETDRIFT.

After the theft, the stolen funds were converted into 21,957 ETH, which were valued at $53 million at the time. The hacker was later able to multiply the funds by nearly double, boosting its holdings to $94 million. Instead of selling the funds immediately, the hacker held on to ETH for nearly ten months, which allowed the exploiter to add $49.5 million to the initial stolen funds.

According to a post-mortem report by Mandiant, the hacker is suspected to have ties to North Korea. Mandiant alleged that the attack was carried out by the AppleJeus hacking group, an affiliate of the DPRK hacker network.

This incident marked the second breach that Radiant Capital had to encounter. Earlier that year, the protocol fell victim to a smaller $4.5 million flash loan exploit.