Radiant Capital Hacker Launders $10.8M in ETH Through Tornado Cash

Radiant Capital Hacker Launders $10.8M in ETH Through Tornado Cash, Obscuring Trail of $94M Stolen Funds

Introduction

In a significant blow to fund recovery efforts, the hacker responsible for the October 2024 Radiant Capital exploit has laundered $10.8 million in Ethereum through the crypto mixer Tornado Cash. This action, occurring nearly a year after the initial $53 million attack, effectively obscures the trail of stolen funds that had since ballooned in value to nearly $94 million. According to on-chain data from security firm CertiK, the hacker deposited 2,834 ETH into the privacy tool, complicating the work of investigators and on-chain sleuths. The laundering event underscores the persistent challenges in tracking and recovering stolen digital assets, especially when linked to sophisticated threat actors like the suspected North Korea-affiliated AppleJeus group.

The Mechanics of the Laundering Operation

The process of moving the stolen funds into Tornado Cash was methodical and involved multiple steps across various wallets. According to CertiK’s analysis, the funds were initially moved from bridge addresses, including Stargate Bridge, Synapse Bridge, and Drift FastBridge, into an intermediary address beginning with 0x4afb.

From this main wallet, the attacker initiated a series of smaller transfers designed to obfuscate the origin. One key transaction path moved 2,236 ETH from the 0x4afb address to another wallet (0x3fe4), before channeling the funds through three additional Ethereum wallets. This layering technique is a common precursor to using a mixer, as it breaks down large sums and disperses them, making individual transactions less conspicuous before the final obfuscation step.
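The layering path described above (bridge exits, an intermediary wallet, a fan-out across several hop wallets, then a mixer deposit) is exactly what on-chain investigators reconstruct from a transaction graph. The script below is an added example, not part of the article and not CertiK's or Chainalysis's tooling. Its ledger is constructed to mirror the path the article describes: the wallet labels `0x4afb` and `0x3fe4` are the article's truncated addresses used as plain labels, the `hop_*` wallets, `mixer_pool` and the unrelated deposit are invented for illustration, and amounts are in ETH.

```python
"""Trace funds from an intermediary wallet through layering hops to a mixer.

Added example, not part of the article and not any analytics firm's code.
The ledger is constructed: addresses are short labels, amounts are ETH,
and "mixer_pool" stands in for a mixer deposit contract. The unrelated
deposit shows that taint tracing excludes funds with no path from the
origin wallet.
"""
from collections import defaultdict, deque

# Constructed sample ledger: (tx_id, from_addr, to_addr, amount_eth)
TRANSFERS = [
    ("tx01", "stargate_bridge", "0x4afb", 1000.0),
    ("tx02", "synapse_bridge", "0x4afb", 900.0),
    ("tx03", "drift_fastbridge", "0x4afb", 934.0),
    ("tx04", "0x4afb", "0x3fe4", 2236.0),
    ("tx05", "0x4afb", "hop_d", 598.0),
    ("tx06", "0x3fe4", "hop_a", 800.0),
    ("tx07", "0x3fe4", "hop_b", 800.0),
    ("tx08", "0x3fe4", "hop_c", 636.0),
    ("tx09", "hop_a", "mixer_pool", 800.0),
    ("tx10", "hop_b", "mixer_pool", 800.0),
    ("tx11", "hop_c", "mixer_pool", 636.0),
    ("tx12", "hop_d", "mixer_pool", 598.0),
    ("tx13", "unrelated_wallet", "mixer_pool", 50.0),  # no link to 0x4afb
]
MIXERS = {"mixer_pool"}


def build_graph(transfers):
    """Adjacency list: from_addr -> [(to_addr, amount, tx_id), ...]."""
    graph = defaultdict(list)
    for tx_id, src, dst, amount in transfers:
        graph[src].append((dst, amount, tx_id))
    return graph


def reachable(graph, origin):
    """Every address reachable from origin by following outgoing transfers."""
    seen, queue = {origin}, deque([origin])
    while queue:
        node = queue.popleft()
        for nxt, _, _ in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def paths_to(graph, origin, targets, max_hops=8):
    """All simple paths from origin that end at a target (e.g. a mixer)."""
    found, queue = [], deque([[origin]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in targets and len(path) > 1:
            found.append(path)
            continue
        if len(path) > max_hops:
            continue
        for nxt, _, _ in graph.get(node, []):
            if nxt not in path:  # skip cycles
                queue.append(path + [nxt])
    return found


def tainted_mixer_total(transfers, origin, mixers):
    """ETH deposited into mixers by wallets that trace back to origin."""
    downstream = reachable(build_graph(transfers), origin)
    return sum(amount for _, src, dst, amount in transfers
               if dst in mixers and src in downstream)


def fanout_wallets(transfers, min_outputs=3):
    """Wallets that split funds to >= min_outputs distinct addresses: the
    layering pattern that commonly precedes a mixer deposit."""
    outputs = defaultdict(set)
    for _, src, dst, _ in transfers:
        outputs[src].add(dst)
    return {addr for addr, dsts in outputs.items() if len(dsts) >= min_outputs}


if __name__ == "__main__":
    graph = build_graph(TRANSFERS)
    for path in paths_to(graph, "0x4afb", MIXERS):
        print(" -> ".join(path))
    print("tainted ETH into mixer:", tainted_mixer_total(TRANSFERS, "0x4afb", MIXERS))
    print("layering wallets:", fanout_wallets(TRANSFERS))
```

Tracing stops at the mixer deposit, which is the point the article makes: everything up to `mixer_pool` is attributable to the origin wallet, and nothing after it is. The fan-out check is a cheap monitoring heuristic, since a wallet that suddenly splits a large balance across several fresh addresses is worth an alert before the deposits land.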

A Year-Long Holding Strategy and Asset Swaps

Contrary to the typical "hit-and-run" strategy of many hackers, the Radiant Capital exploiter employed a patient, long-term approach. Following the theft in October 2024, the stolen assets were converted into 21,957 ETH, valued at $53 million at the time. Instead of immediately cashing out, the hacker held onto the Ethereum for nearly ten months. During this period, the value of the ETH holdings appreciated significantly, adding approximately $49.5 million to the initial stolen amount and bringing the total portfolio value to $94.63 million.

In August 2025, the hacker began actively managing the assets, offloading 3,091 ETH and swapping them for 13.26 million DAI stablecoins. These DAI tokens were then moved through a series of other wallets before being swapped back into Ethereum. This swap-and-return maneuver may have been an attempt to realize gains or create further transactional complexity before finally depositing 2,834 ETH into Tornado Cash.

Tornado Cash: The Mixer of Choice for Cybercriminals

Tornado Cash is a decentralized, non-custodial privacy solution operating on the Ethereum blockchain. It functions by breaking the on-chain link between source and destination addresses. Users deposit ETH or other supported assets into a large, shared pool and can later withdraw them to a completely different address. This process effectively severs the transparent trail inherent in most blockchain transactions.

The protocol has become a recurring tool for hackers seeking to launder proceeds from exploits. Its use in this incident directly impacts the ability of firms like Chainalysis and law enforcement agencies, including the FBI—both of which have been working with Radiant Capital—to track the movement of stolen funds. Once assets enter Tornado Cash, tracing their ultimate destination becomes exceedingly difficult.

Contextualizing the Radiant Capital Hack

To understand the full scope of this event, it is essential to revisit the original exploit. On October 16, 2024, Radiant Capital suffered a major attack on its lending pool, resulting in a loss of $53 million from the ARB and BSC networks. The attack was one of the most damaging crypto exploits of that year.

The attacker gained control of 3 out of 11 signer permissions for the system’s multi-signature wallets. This level of access allowed them to replace the implementation contract of the Radiant lending pool and drain funds. Reports indicated that the hacker used a piece of malware targeting macOS devices, known as INLETDRIFT.

This was not Radiant Capital's first security incident. Earlier in 2024, the protocol fell victim to a smaller $4.5 million flash loan exploit. The recurrence of major breaches highlights the ongoing security challenges faced by DeFi protocols managing significant total value locked (TVL).

The Suspected Perpetrator: AppleJeus and North Korean Ties

The investigation into the attack points toward a highly sophisticated actor. Cybersecurity firm Mandiant, in a post-mortem report, alleged that the hack was carried out by the AppleJeus group, an affiliate of the DPRK hacker network. The group is known for its targeted cyber-operations, often aimed at financial gain.

The suspected involvement of a state-affiliated group adds a layer of geopolitical complexity to fund recovery efforts. Such groups are typically more resilient and better resourced than individual criminal hackers, and they operate with different motivations, making asset retrieval through traditional legal or diplomatic channels significantly more challenging.

Ongoing Recovery Efforts and Diminishing Prospects

For the past year, Radiant Capital has been collaborating with a consortium of entities in an attempt to recover the stolen funds. Partners include federal authorities like the FBI, blockchain analytics firm Chainalysis, and web3 security organizations such as SEAL911 and ZeroShadow.

However, the recent laundering of a significant portion of the funds through Tornado Cash has drastically reduced the chances of recovery. While investigators can trace funds up to the point they enter the mixer, identifying where they exit and who controls the final addresses is notoriously difficult. This action by the hacker represents a critical setback in an already arduous recovery process.

Strategic Conclusion: Implications for DeFi Security and Asset Tracking

The laundering of $10.8 million from the Radiant Capital hack through Tornado Cash is more than an isolated event; it is a case study in modern digital asset theft. It demonstrates a shift from immediate monetization to a strategic holding period where hackers can capitalize on market appreciation, thereby amplifying their illicit gains.

For participants in the crypto ecosystem, this incident reinforces several critical points. First, it underscores that security is not a one-time fix but requires continuous vigilance and robust multi-layered defense mechanisms for DeFi protocols. Second, it highlights that even with collaboration from top-tier investigative firms and law enforcement, recovering stolen funds after they enter privacy tools remains a formidable challenge.

Readers and protocol developers should watch for continued developments in regulatory approaches to mixers and other privacy-enhancing technologies. Furthermore, this case emphasizes the importance of proactive security audits, decentralized governance safeguards for multi-sig wallets, and real-time transaction monitoring to detect and potentially freeze suspicious movements before assets are irreversibly laundered. The Radiant Capital saga serves as a stark reminder of the high stakes in DeFi security and the sophisticated adversaries operating within this space.
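The multi-sig safeguards mentioned above can be made concrete with a small authorization model. The script below is an added example, not Radiant Capital's contract or any production wallet code. It takes the 3-of-11 signer figure the article reports for the compromised wallet and shows why a flat threshold for every operation lets three compromised signers push an implementation upgrade through immediately, then applies a tiered policy (a higher threshold plus a timelock for upgrade operations) as a generic mitigation; the article does not say what policy Radiant actually had. The signer keys, the HMAC stand-in for ECDSA signatures, the operation payload and the `Policy` class are all assumptions of this example.

```python
"""Authorization policy for an m-of-n multisig, with a tiered threshold and
timelock for privileged operations.

Added example, not Radiant Capital's contract or any production wallet.
Signatures are HMACs over the canonical operation payload, a stand-in for
the ECDSA signatures a real wallet verifies; keys are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed key material for 11 signers (placeholders, not real keys).
SIGNER_KEYS: Dict[str, bytes] = {
    f"signer{i:02d}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
    for i in range(1, 12)
}


def encode_op(op: dict) -> bytes:
    """Canonical encoding so a signature binds to exactly one operation."""
    return json.dumps(op, sort_keys=True, separators=(",", ":")).encode()


def sign(signer_id: str, op: dict) -> Tuple[str, str]:
    """Signer's authorization over op: (signer_id, hex MAC)."""
    return signer_id, hmac.new(SIGNER_KEYS[signer_id], encode_op(op), "sha256").hexdigest()


def count_valid(op: dict, sigs: List[Tuple[str, str]]) -> int:
    """Distinct authorized signers with a valid signature over this op.
    Duplicates, unknown signers and signatures over other payloads don't count."""
    payload, valid = encode_op(op), set()
    for signer_id, mac in sigs:
        key = SIGNER_KEYS.get(signer_id)
        if key is None:
            continue
        expected = hmac.new(key, payload, "sha256").hexdigest()
        if hmac.compare_digest(expected, mac):
            valid.add(signer_id)
    return len(valid)


@dataclass
class Policy:
    default_threshold: int
    thresholds: Dict[str, int] = field(default_factory=dict)  # per op kind
    delays: Dict[str, int] = field(default_factory=dict)      # seconds


def authorize(op: dict, sigs, policy: Policy, now: int):
    """("rejected", reason) | ("queued", executable_at) | ("executed", now)."""
    kind = op["kind"]
    need = policy.thresholds.get(kind, policy.default_threshold)
    have = count_valid(op, sigs)
    if have < need:
        return ("rejected", f"{have}/{need} valid signatures")
    delay = policy.delays.get(kind, 0)
    if delay:
        # A queued upgrade is visible on-chain before it executes; that is
        # the window in which monitoring can raise an alarm or signers can veto.
        return ("queued", now + delay)
    return ("executed", now)


# Flat 3-of-11 for every operation, including replacing the implementation.
FLAT_POLICY = Policy(default_threshold=3)
# Routine operations stay 3-of-11; upgrades need 7-of-11 plus a 48h delay.
TIERED_POLICY = Policy(default_threshold=3,
                       thresholds={"upgrade_implementation": 7},
                       delays={"upgrade_implementation": 48 * 3600})

# Constructed upgrade request; the new implementation address is a placeholder.
UPGRADE_OP = {"kind": "upgrade_implementation", "proxy": "lending_pool_proxy",
              "new_impl": "0xPLACEHOLDER_NEW_IMPL", "nonce": 1}


def decide(policy: Policy, signer_ids: List[str], op: dict = UPGRADE_OP, now: int = 0):
    """Sign op with the given signers and run it through the policy."""
    return authorize(op, [sign(s, op) for s in signer_ids], policy, now)


if __name__ == "__main__":
    three = ["signer01", "signer02", "signer03"]
    print("flat   3 keys:", decide(FLAT_POLICY, three))
    print("tiered 3 keys:", decide(TIERED_POLICY, three))
    print("tiered 7 keys:", decide(TIERED_POLICY, [f"signer{i:02d}" for i in range(1, 8)]))
```

The design point is that the signing threshold and the sensitivity of the operation should be coupled: the same three keys that can approve a routine transaction should not be able to swap out the contract that holds the pool's funds, and even a quorum that can should have to wait long enough for the pending upgrade to be seen.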
