On Oct. 31, 2025, the Radiant exploiter transferred roughly 5,411.8 ETH to Twister Money, a transfer value roughly $20.7 million.
9 days earlier, the identical cluster had moved roughly 2,834.6 ETH, equal to $10.8 million, after staging funds throughout chains and thru swaps earlier than the mixer.
Neither burst seemed hurried. Each seemed like a cautious operator testing liquidity and compliance timing, parceling deposits into widespread Twister denominations which are cheap to mix and annoying to hint.
How the Radiant hack occurred
Radiant’s story begins on Oct. 16, 2024, when its lending swimming pools on Arbitrum and BNB Chain have been drained of about $50 million to $58 million. Early technical post-mortems converged on a easy however devastating level.
The breach was resulting from an operational compromise involving keyholders and approvals that allowed an attacker to push malicious transactions by way of a multi-signature course of. Safety companies described signers being induced to approve the improper calls.
The venture had a three-out-of-eleven scheme for delicate actions. That broad signer set improved availability however widened the goal space for gadget compromise and social engineering. Evaluation from Halborn and others reconstructed how approvals and gadget hygiene created home windows that the attacker exploited, whereas Radiant’s personal incident updates fastened the timeline and scale.
Later reporting urged {that a} state-backed group used impersonation to realize entry, a declare Radiant echoed because the mud settled.
CryptoSlate coated the fallout on the time by way of against the law development lens. The report famous that October’s whole exploit losses fell to roughly $116 million, and that Radiant’s incident accounted for practically half of that month-to-month determine, inserting an outsized share of the ache in a single place.
That framing issues as a result of it exhibits how a single cross-chain breach can considerably affect a month’s danger profile, even when the broader surroundings seems calm.
What adopted over the following yr set the sample seen at present. Funds moved out of L2s and again to Ethereum by way of bridges the place liquidity is deepest. Swaps consolidated balances into ETH to organize for the blending course of.
The October 22-23, 2025, tranche gives a transparent instance. CertiK flagged 2,834.6 ETH in Twister deposits and famous that 2,213.8 ETH had arrived by way of the Arbitrum bridge from EOA 0x4afb, with the rest sourced from DAI conversions.
The Oct. 31 burst elevated the working whole by one other 5,411.8 ETH, with modular deposits that match Twister pool norms. The chain is public, the route is predictable, and the incentives encourage endurance over spectacle.
What the brand new laundering bursts reveal
The latest mixer exercise reads like a sluggish bleed technique moderately than a single exit. Bridge hops from Arbitrum or BNB Chain deliver balances into the deepest swimming pools on mainnet. DEX rotations set the stock in ETH for essentially the most environment friendly Twister entries.
Batching into normal denominations fractures the general public graph into fragments which are expensive to sew collectively. Compliance groups nonetheless see so much regardless of that. They cluster addresses round shared gasoline patterns and timing, match deposits to withdrawal home windows, and look ahead to telltale peel chains that begin small, unfold broad, then mixture close to a goal venue.
The posture is pragmatic as a result of the authorized surroundings rewards pragmatism. Courts have narrowed the federal government’s broadest theories concerning the sanctioning of decentralized software program. Prosecutors have received and misplaced varied circumstances associated to mixers.
The result’s a grey zone the place privateness instruments proceed to function, and exchanges depend on behavior-driven controls moderately than blanket labels. Investigations nonetheless catch exits. The friction simply shifts from software program to course of.
For customers and builders, the lesson is concrete. Design selections carry money outcomes. Bridges and routers focus worth and failure modes, which is exactly why exploiters use them on the best way out. Multi-chain apps require muscle reminiscence for halts, allowlist flips, and liquidity snapshots, moderately than advert hoc improvisation within the hour after a breach.
Radiant’s documentation exhibits how the response tightened over time. The prices of that studying curve have been actual as a result of the attacker had the initiative. The present flows by way of Twister Money are the tail of the identical distribution.
The operator retains transferring as a result of the rails proceed to function. The correct response is hardened keyholder procedures, narrower approvals, real-time bridge monitoring, and a tradition that treats signer gadgets like crown jewels.
The Radiant exploiter will doubtless proceed to make use of the identical playbook till circumstances change. Extra Twister deposits will arrive in acquainted sizes. Extra bridge exercise will seem from addresses linked to the October 2024 paths. A clear exit will finally ping a regulated venue, and desks will weigh timing and heuristics towards buyer narratives.
The consequence for the market is predictable. Each affected person exit like this reduces confidence in cross-chain abstractions and pushes groups to audit not simply code however operations. Customers chase yield throughout networks as a result of the expertise feels seamless. Essentially the most expert thieves know exactly the place that seam is hidden.
