Radiant Capital Hacker Launders $26.7M in ETH Through Tornado Cash

Highlights:

• The Radiant Capital Hacker laundered $26.7M in ETH via Tornado Cash using three separate wallet addresses.
• Despite the transfers, the hacker still holds around $104M in various cryptocurrencies.
• Investigators tied the breach to North Korea’s UNC4736 group, which used Telegram malware to steal private keys.

The Radiant Capital Hacker has made a return, transferring 5,933 ETH worth $26.7 million to Ethereum. This movement occurred through a crypto mixer, Tornado Cash, that conceals the history of transactions. The transfer was carried out from three different addresses and represented a new chapter in the 2024 exploit saga.

Crypto security firm CertiK confirmed the development on X, warning users to be on the lookout. The hacker earlier bridged the funds to Ethereum and then transferred them to the privacy protocol. Despite this transaction, the attacker still holds onto assets with a value of $104 million in different digital tokens.

#CertiKAlert 🚨@RDNTCapital exploiter has bridged stolen funds to Ethereum and deposited 5933.3 ETH (~$26.7M) to Ethereum from three addresses.

On Oct 16th, 2024, the exploiter gained access to their multi-sig wallet by compromising 3 of 11 signers and drained ~$55M from the… pic.twitter.com/GR325ryn1j

— CertiK Alert (@CertiKAlert) September 12, 2025

October 2024 Exploit Triggered a Massive Loss

The Radiant Capital hack occurred in October 2024, which involved lending pools in Arbitrum and BNB Chain. The exploiter gained access to the multi-sig wallet by compromising 3 of 11 signers. That compromise led to close to $55 million being drained.

The attacker employed harmful contracts to trick the users into approving a rogue address. These contracts manipulated the transferFrom function to allow for the transfer of funds to unauthorized accounts. Roughly $32 million was stolen from wallets on Arbitrum and $18 million from users on the BNB chain. Moreover, one wallet held a combined $50 million in various tokens, including ETH, USDT, USDC, and wrapped BNB.

Radiant Capital took full action in this regard by promptly notifying the public and reassuring continued cooperation with US authorities. Blockchain forensic companies such as Chainalysis and SEAL911 participated in the probe. Agencies, including the FBI, were also notified of their role in tracking down assets associated with the attack and freezing them.

Hacker Converts Stolen Assets into Profit

Last month, one Radiant Capital hacker captured the spotlight when he turned the stolen money into a substantial profit. Investigators estimated the attacker used strategic ETH trades to convert $53 million into $102.54 million. This caused concerns in the DeFi space, more specifically because the hacker was not identified.

The Radiant Capital hacker turned the stolen $53M into $102.54M by trading $ETH, a profit of $49.5M(+93.5%).

10 months ago, the hacker stole $53M from Radiant Capital and swapped it all for 21,957 $ETH.

Recently, he began selling $ETH for profit, selling 9,631 $ETH($43.94M) at… pic.twitter.com/hwbLDnTVe5

— Lookonchain (@lookonchain) August 14, 2025

In December, the probe uncovered new leads. Radiant Capital linked the breach to a group of North Koreans known as UNC4736, also called Citrine Sleet. The hackers allegedly hacked the developer accounts via malware distributed over the messaging platform, Telegram. That malware caused the leakage of smart contract data and private keys, which led to taking full control over critical systems.

Despite these discoveries, the hacker did not stop his laundering activities, utilizing decentralization tools to conceal movements. The recent use of Tornado Cash indicates there is a continued laundering operation, despite law enforcement monitoring closely. The privacy mechanisms the mixer provides make it difficult to track, which presents a problem for global regulators.

Authorities Still Pursuing the Case

As of now, U.S. cybersecurity teams are still in the process of tracing and freezing the assets of the hacker. Although some of the stolen money has been flagged, a large chunk still moves undetected. With the recent $26.7 million shift, the hacker reaffirms his or her control over considerable sums. Investigations are still underway, and the narrative is ongoing as every movement of stolen funds further develops.