On Oct. 31, 2025, the Radiant exploiter transferred roughly 5,411.8 ETH to Twister Money, a transfer value roughly $20.7 million.
9 days earlier, the identical cluster had moved roughly 2,834.6 ETH, equal to $10.8 million, after staging funds throughout chains and thru swaps earlier than the mixer.
Neither burst appeared hurried. Each appeared like a cautious operator testing liquidity and compliance timing, parceling deposits into frequent Twister denominations which are cheap to mix and annoying to hint.
How the Radiant hack occurred
Radiant’s story begins on Oct. 16, 2024, when its lending swimming pools on Arbitrum and BNB Chain have been drained of about $50 million to $58 million. Early technical post-mortems converged on a easy however devastating level.
The breach was on account of an operational compromise involving keyholders and approvals that allowed an attacker to push malicious transactions by means of a multi-signature course of. Safety corporations described signers being induced to approve the improper calls.
The undertaking had a three-out-of-eleven scheme for delicate actions. That broad signer set improved availability however widened the goal space for machine compromise and social engineering. Evaluation from Halborn and others reconstructed how approvals and machine hygiene created home windows that the attacker exploited, whereas Radiant’s personal incident updates mounted the timeline and scale.
Later reporting urged {that a} state-backed group used impersonation to achieve entry, a declare Radiant echoed because the mud settled.
CryptoSlate coated the fallout on the time by means of against the law pattern lens. The report famous that October’s complete exploit losses fell to roughly $116 million, and that Radiant’s incident accounted for almost half of that month-to-month determine, inserting an outsized share of the ache in a single place.
That framing issues as a result of it reveals how a single cross-chain breach can considerably influence a month’s threat profile, even when the broader surroundings seems calm.
What adopted over the subsequent 12 months set the sample seen immediately. Funds moved out of L2s and again to Ethereum by means of bridges the place liquidity is deepest. Swaps consolidated balances into ETH to organize for the blending course of.
The October 22-23, 2025, tranche supplies a transparent instance. CertiK flagged 2,834.6 ETH in Twister deposits and famous that 2,213.8 ETH had arrived through the Arbitrum bridge from EOA 0x4afb, with the rest sourced from DAI conversions.
The Oct. 31 burst elevated the working complete by one other 5,411.8 ETH, with modular deposits that match Twister pool norms. The chain is public, the route is predictable, and the incentives encourage persistence over spectacle.
What the brand new laundering bursts reveal
The latest mixer exercise reads like a sluggish bleed technique reasonably than a single exit. Bridge hops from Arbitrum or BNB Chain carry balances into the deepest swimming pools on mainnet. DEX rotations set the stock in ETH for probably the most environment friendly Twister entries.
Batching into customary denominations fractures the general public graph into fragments which are pricey to sew collectively. Compliance groups nonetheless see loads regardless of that. They cluster addresses round shared gasoline patterns and timing, match deposits to withdrawal home windows, and look ahead to telltale peel chains that begin small, unfold vast, then combination close to a goal venue.
The posture is pragmatic as a result of the authorized surroundings rewards pragmatism. Courts have narrowed the federal government’s broadest theories concerning the sanctioning of decentralized software program. Prosecutors have gained and misplaced numerous circumstances associated to mixers.
The result’s a grey zone the place privateness instruments proceed to function, and exchanges depend on behavior-driven controls reasonably than blanket labels. Investigations nonetheless catch exits. The friction simply shifts from software program to course of.
For customers and builders, the lesson is concrete. Design decisions carry money outcomes. Bridges and routers focus worth and failure modes, which is exactly why exploiters use them on the way in which out. Multi-chain apps require muscle reminiscence for halts, allowlist flips, and liquidity snapshots, reasonably than advert hoc improvisation within the hour after a breach.
Radiant’s documentation reveals how the response tightened over time. The prices of that studying curve have been actual as a result of the attacker had the initiative. The present flows by means of Twister Money are the tail of the identical distribution.
The operator retains transferring as a result of the rails proceed to function. The correct response is hardened keyholder procedures, narrower approvals, real-time bridge monitoring, and a tradition that treats signer gadgets like crown jewels.
The Radiant exploiter will seemingly proceed to make use of the identical playbook till situations change. Extra Twister deposits will arrive in acquainted sizes. Extra bridge exercise will seem from addresses linked to the October 2024 paths. A clear exit will finally ping a regulated venue, and desks will weigh timing and heuristics towards buyer narratives.
The consequence for the market is predictable. Each affected person exit like this reduces confidence in cross-chain abstractions and pushes groups to audit not simply code however operations. Customers chase yield throughout networks as a result of the expertise feels seamless. Probably the most expert thieves know exactly the place that seam is hidden.