The Radiant Capital hacker, suspected of being linked to North Korea, has laundered $10.8 million from the October 2024 Radiant Capital breach through Tornado Cash, moving 2,834 ETH through the cryptocurrency mixer nearly a year after stealing $53 million from the DeFi lending platform.
On-chain monitoring firm CertiK reported the 2,834 ETH transfer into Tornado Cash, which complicates authorities’ efforts to trace the stolen assets.
The original breach and escalation
On October 16, 2024, Radiant Capital suffered a major attack on its lending pool, resulting in a loss of about $53 million. Investigators determined that the attacker gained control of three out of eleven multi-signature wallet signers, replaced the implementation contract for the lending pool, and drained funds across the Arbitrum and Binance Smart Chain networks.
In the months following the hack, the Radiant Capital hacker converted the stolen funds into 21,957 ETH (valued at the time at about $53 million) and eventually grew the holdings to nearly $94 million by trading and swapping into the DAI stablecoin.
Security firm Mandiant attributed the attack with “high confidence” to a North Korean-linked threat actor known as AppleJeus (also tracked as UNC4736 or Citrine Sleet), which is aligned with the DPRK’s Reconnaissance General Bureau.
Laundering through Tornado Cash
According to CertiK, the Radiant Capital hacker channelled around $10.8 million in Ethereum through Tornado Cash—specifically by depositing 2,834 ETH into the mixer.
Initially, the stolen assets moved from bridge protocols such as Stargate Bridge, Synapse Bridge and Drift FastBridge into an intermediary wallet beginning with 0x4afb. From there they were distributed in several smaller transfers (e.g., 2,236 ETH to 0x3fe4) before being funneled into Tornado Cash.
By employing Tornado Cash, the hacker undermines on-chain tracing efforts, since the mixer is designed to obfuscate the link between source and destination addresses. This move significantly raises the bar for investigators working to recover the funds.
Implications for investors and regulators
For crypto investors, this incident underscores the persistent cyber-risk within DeFi platforms—even those that appear well-audited or large.
Although the initial hack occurred a year ago, the Radiant Capital hacker’s decision to launder funds now highlights how stolen assets can sit dormant before being laundered, meaning that risk exposure may remain latent well beyond the moment of the breach.
From a regulatory perspective, the turn to Tornado Cash by the Radiant Capital hacker re-emphasises one of the major concerns: mixers enabling anonymity for stolen funds.
Regulators and law enforcement may respond with heightened scrutiny of mixers and bridge protocols, particularly those bridging assets across chains and thus complicating traceability.
Radiant Capital is working with the FBI, Chainalysis and other security firms including SEAL911 and ZeroShadow to recover assets, but the chances of recovery remain uncertain, especially given the recent laundering move.
Lessons and next steps
The Radiant Capital breach and the subsequent laundering via Tornado Cash highlight several key take-aways:
Multi-signature wallet arrangements are only as strong as the security of the signers’ endpoints. In the Radiant hack, a macOS backdoor called INLETDRIFT enabled attacker control despite hardware wallets and simulation tools being used.
Bridges and mixers remain vectors for laundering stolen assets across chains and jurisdictions, complicating recovery.
Investors should factor in governance, cybersecurity posture and device-level security when assessing DeFi platforms—not just code audits.
Regulators may increase pressure on mixer protocols and cross-chain bridges to build clearer audit trails and comply with anti-money-laundering requirements.
Moses Edozie is a writer and storyteller with a deep interest in cryptocurrency, blockchain innovation, and Web3 culture. Passionate about DeFi, NFTs, and the societal impact of decentralized systems, he creates clear, engaging narratives that connect complex technologies to everyday life.