$30M Stolen as Step Finance Treasury Wallets Compromised

Step Finance, a major Solana DeFi platform, confirmed multiple treasury and fee wallets were compromised by a sophisticated attacker during Asian Pacific trading hours, resulting in the theft of approximately 261,854 SOL tokens worth roughly $30 million.

The breach sent shockwaves through the Solana ecosystem as blockchain security firm CertiK flagged that the stolen SOL “has been withdrawn after stake authorization had been transferred” to an unknown wallet address.

The incident triggered immediate market panic, with the platform’s native STEP token plummeting over 90% within 24 hours.

While the team insists user funds remained unaffected, questions swirl over whether the breach represents a genuine security failure or a disguised exit scam, particularly given that the attacker appeared to have direct wallet access rather than exploiting smart contract vulnerabilities.

Emergency Response and Damage Control

Step Finance disclosed the security breach through a series of urgent social media posts, stating “several of our treasury and fee wallets were compromised by a sophisticated actor” and confirming the attack leveraged “a well known attack vector.“

The platform immediately activated emergency protocols and reached out to cybersecurity firms for assistance.

Solana media firm Solana Floor reported that on-chain data showed the stolen 261,854 SOL was “unstaked and moved during the incident,” suggesting the attacker had obtained authorization to control staking operations.

The team emphasized it had “notified the relevant authorities” and implemented immediate remediation steps while working with top security professionals around the clock.

Ripple Effects Across Linked Protocols

The breach extended beyond Step Finance’s own operations, impacting connected platforms including Remora Markets.

The protocol disclosed that as “majority LP, Step Finance experienced a hack of treasury wallets earlier today” with some affected assets including Remora rStocks.

Remora assured users that despite the incident, “Remora assets remain held 1:1 in our brokerage account” while constructing a process for handling redemptions.

The market’s swift verdict on Step Finance came through brutal price action, with the STEP token losing most of its value as traders fled amid uncertainty about the platform’s future viability and the legitimacy of the breach.

January’s Relentless Wave of DeFi Exploits

The Step Finance hack marks the latest in what security firms describe as a devastating month for cryptocurrency security.

According to CertiK’s comprehensive January 2026 security report, “combining all the incidents in January, we’ve confirmed ~$370.3M lost to exploits” across multiple attack vectors.

Major January incidents included Truebit’s $26.6 million smart contract exploit, SwapNet’s $13.3 million breach affecting Matcha Meta users, Saga’s $6.2 million exploit that forced the Layer-1 protocol to pause its SagaEVM chain, and Makina Finance’s $4.2 million loss through flash loan manipulation.

CertiK’s analysis revealed that phishing incidents accounted for $311.3 million of January’s losses, while code vulnerability attacks totaled $51.5 million.

Notably, the Step Finance breach continues a troubling pattern affecting Solana-based protocols.

Swiss crypto platform SwissBorg lost $41.5 million worth of SOL tokens in September 2025 after hackers compromised partner API provider Kiln, while South Korea’s Upbit exchange suffered a $36 million Solana exploit in November 2025, exactly six years after its 2019 hack attributed to North Korean actors.

Beyond individual protocol failures, January also witnessed the largest single crypto theft of 2026, when a victim lost over $282 million in Bitcoin and Litecoin through a hardware wallet social engineering scam, as blockchain investigator ZachXBT described it, surpassing the previous record of $243 million set in August 2024.

The attacker “immediately began converting the stolen assets into Monero through multiple instant exchanges,” obscuring the trail across multiple blockchain networks.

CertiK’s data shows that despite these massive losses, less than 2-5% has been recovered so far, as investigations into many cases have only recently begun.

Even government-held crypto assets came under scrutiny, as the US Marshals Service confirmed it is investigating a possible hack of federal digital-asset accounts.

Patrick Witt, executive director of the President’s Council of Advisors for Digital Assets, acknowledged that the government seizure addresses were among the wallets from which hackers stole more than $60 million in late 2025.