Who Struck Step Finance? Treasury Breach Nets $27 Million

bitcoinistPublished on 2026-02-02Last updated on 2026-02-02

Abstract

Step Finance, a Solana analytics platform, suffered a major treasury breach on January 31, 2026, resulting in the loss of 261,854 SOL (worth approximately $27–30 million). The stolen funds were unstaked and moved off-platform, triggering an 80% crash in the platform’s governance token. Security teams and external firms are investigating the attack, which may have involved stolen private keys or a staking exploit. Step Finance has taken emergency measures to secure remaining funds, restricted treasury access, and is cooperating with authorities. The incident caused significant market panic, and recovery efforts are underway, though the full technical details remain unclear.

Step Finance, a well-known Solana analytics hub, said its treasury was hit in a major breach that emptied 261,854 SOL from wallets tied to the platform.

The loss forced a sharp market reaction, and users and investors watched prices tumble as the team moved quickly to contain the damage.

Based on reports, roughly 261,854 SOL were unstaked and shifted off the platform on January 31, 2026, an amount worth around $27 million to $30 million at the time.

Breach Hits Step Finance Treasury

Investigators were called in right away. According to the platform’s public posts, security specialists and outside firms are helping to trace the funds. Some transfers were obvious on public ledgers; they could be followed from the compromised wallets to a set of addresses that began converting SOL.

Questions remain about how access was gained. It is not yet clear whether private keys were taken, a staking routine was exploited, or an internal process failed. The exact technical route is still being pieced together.

Image: CMIT Solutions

On-Chain Clues And Market Fallout

Markets reacted violently. The platform’s governance token fell hard, with prices dropping by more than 80% in minutes as panic spread. Traders sold quickly. Price books thinned.

Based on reports from on-chain trackers, multiple large unstake transactions and swaps were executed in a short time window.

Some of the moved SOL was routed to exchanges, while other amounts were split across several wallets, a pattern observers often tie to attempts at cashing out without drawing attention.

Community Anxiety And Operational Response

Step Finance announced emergency steps to shield remaining funds. Access to certain treasury functions was restricted and multisig controls were reviewed.

Accounts under direct protocol control were frozen where possible. The company said it was cooperating with authorities and sharing findings with the wider Solana community.

At the same time, public-facing channels were used to give updates as they became available, though many technical details were deliberately withheld to avoid tipping off the attacker.

SOLUSD is now trading at $105. Chart: TradingView

Recovery Steps And Unknowns

A handful of security firms are conducting forensic work on the transactions. On-chain evidence will be crucial to any effort to recover assets.

Reports note that tracing is a step; recovering funds is another. Legal and regulatory routes may be explored if identifiable intermediaries or exchanges are used to move the stolen value.

Whether user funds outside the treasury were touched has been a key concern, and the company is said to be clarifying that matter.

Featured image from Unsplash, chart from TradingView

Related Questions

QWhat was the total amount of SOL stolen in the Step Finance treasury breach?

A261,854 SOL, worth approximately $27 million to $30 million at the time.

QHow did the market react to the news of the Step Finance breach?

AThe platform's governance token price dropped by more than 80% in minutes as panic spread, leading to rapid selling and thinning order books.

QWhat immediate steps did Step Finance take to contain the damage from the breach?

AThey restricted access to certain treasury functions, reviewed multisig controls, froze accounts under direct protocol control where possible, and cooperated with authorities and the Solana community.

QAccording to the article, what is one possible method the attacker might have used to gain access to the treasury?

APossible methods mentioned include stolen private keys, exploitation of a staking routine, or a failure in an internal process, though the exact technical route is still being investigated.

QWhat is the role of on-chain evidence in the aftermath of the attack?

AOn-chain evidence is crucial for forensic work to trace the stolen funds and is a necessary step for any potential effort to recover the assets, possibly through legal and regulatory routes involving intermediaries or exchanges.

Related Reads

First Batch of Keynote Speakers and Partners Announced! Web2+3 Summit: Defining the Next Generation of Digital Economy

Web2+3 Summit: Defining the Next Generation of Digital Economy The 6th BEYOND International Technology Innovation Expo (BEYOND Expo 2026), Asia's largest tech and ecosystem exhibition, is launching a dedicated Web2+3 stage for the first time. Co-hosted by BEYOND Expo and ChainNeXT Group, the Web3 Summit will take place from May 28–30, 2026. Against the backdrop of accelerating global tech integration, the boundaries between Web2 and Web3 are rapidly blurring. With clearer global regulations for blockchain-driven internet (Web3) and the special issuance of a Hong Kong dollar stable币 license by the Hong Kong SAR government on April 10, 2026, Web3's decentralized principles are quickly merging with traditional industries (Web2) such as e-commerce, finance, and artificial intelligence. Focused on blockchain-driven digital economy elements, the summit will center on three core principles—implementability, commercial viability, and compliance. It will bring together top Web3 experts to discuss key integration areas like stablecoin payment finance (PayFi), real-world asset tokenization (RWA), and decentralized AI (DeAI), unveiling new opportunities for industrial innovation. The first wave of confirmed speakers includes Jack Kong (Director of Hong Kong Cyberport, Chairman of Nano Labs), Yat Siu (Chairman of Animoca Brands), Michael Wu (Co-founder & CEO of Amber Group), Michael Heinrich (Co-founder & CEO of 0G), and Art Abal (Co-founder of Vana). More Web3 ecosystem pioneers, AI, and fintech experts will be announced soon. Core forum topics include: - Web2+DeAI: New AI Paradigms Driven by Decentralized Infrastructure - Web2+RWA: Real-World Asset Tokenization and Global Liquidity - Web2+PayFi: Cross-Border Payments and Financial Innovation Powered by Crypto Infrastructure - Web2+3 AI: Autonomous Agents and the Crypto Economy - Web2+3 Wealth: On-Chain and Off-Chain Integrated Investment Ecosystems - Web2+3 Commerce: A New Landscape for Global Trade Driven by Stablecoins Additional agenda details will be released in the near future.

marsbit14m ago

First Batch of Keynote Speakers and Partners Announced! Web2+3 Summit: Defining the Next Generation of Digital Economy

marsbit14m ago

Crypto Whale Wallets Accumulate Ozak AI Aggressively as Presale Funding Surpasses $6.8 Million

Crypto whales are aggressively accumulating Ozak AI tokens as the project's presale funding exceeds $6.8 million, signaling strong institutional interest. Analysts view this as strategic, long-term positioning rather than speculative trading, especially as large-cap assets like Bitcoin and Ethereum face growth compression. Ozak AI's presale has sold over 1.05 billion $OZ tokens at $0.014 each, attracting sustained demand from both whales and sophisticated retail investors. The project's AI-native utility, including Prediction Agents and EigenLayer integration, along with associations with Pyth Network and other firms, adds credibility. Market pullbacks are accelerating accumulation, with whales rotating into early-stage AI assets. A projected $1 listing target suggests significant upside potential post-listing.

TheNewsCrypto25m ago

Crypto Whale Wallets Accumulate Ozak AI Aggressively as Presale Funding Surpasses $6.8 Million

TheNewsCrypto25m ago

BTC Market Pulse: Week 17

BTC Market Pulse Week 17 indicates a complex market with mixed signals. Despite strong buyer interest buffering against significant declines, spot CVD turned negative, revealing increased selling pressure. Futures open interest rose, but declining funding rates and perpetual CVD suggest growing bearish sentiment. Options show reduced demand for downside protection, potentially softening bearish outlooks. US Spot ETF metrics improved, reflecting strong investor interest and profitability. Liquidity metrics indicate cautious conditions with easing outflows, while on-chain signals like improving NUPL suggest a potential stabilization phase, though fear-driven selling persists.

insights.glassnode40m ago

BTC Market Pulse: Week 17

insights.glassnode40m ago

LayerZero Breaks Silence On $290 Million KelpDAO Crypto Exploit

LayerZero has addressed the $290 million exploit affecting KelpDAO's rsETH, asserting it was not a protocol failure but a result of KelpDAO's decision to use a single-DVN (Decentralized Verifier Network) configuration. The company claims the attack was isolated to this specific setup and confirms no contagion risk to other assets or applications. Preliminary analysis suggests the attack was executed by a sophisticated state actor, likely North Korea's Lazarus Group. The method involved poisoning RPC infrastructure used by the LayerZero Labs DVN, swapping binaries on compromised nodes, and using DDoS attacks to force traffic to the malicious infrastructure. However, LayerZero states its least-privilege principles prevented a direct compromise. The exploit was only possible due to KelpDAO's 1-of-1 verifier setup, which contradicts LayerZero's recommended multi-DVN redundancy model. A properly configured system with multiple independent DVNs would have prevented the attack. LayerZero has deprecated affected nodes, restored its DVN, and will no longer support 1/1 configurations. Aave has frozen rsETH and WETH reserves on its platforms as a precaution while confirming rsETH on Ethereum mainnet remains fully backed.

bitcoinist1h ago

LayerZero Breaks Silence On $290 Million KelpDAO Crypto Exploit

bitcoinist1h ago

Investor Confidence in Ozak AI Continues To Rise Despite Broader Uncertainty Across Crypto Markets

Despite broader crypto uncertainty with Bitcoin and Ethereum consolidating, Ozak AI ($OZ) continues to attract investor confidence, raising over $6 million in its presale. The project combines AI and DePIN (Decentralized Physical Infrastructure Network) to offer automation, prediction analytics, and scalable infrastructure. Key factors driving interest include its utility-focused approach, cross-chain support, staking mechanisms, and strategic partnerships with entities like SINT, Hive Intel, Pyth Network, and Dex3. These collaborations enhance data availability, liquidity, and execution capabilities. Priced at $0.014 in presale, Ozak AI’s tangible traction and long-term ecosystem potential position it strongly amid market volatility.

TheNewsCrypto1h ago

Investor Confidence in Ozak AI Continues To Rise Despite Broader Uncertainty Across Crypto Markets

TheNewsCrypto1h ago

Trading

Spot
Futures

Hot Articles

Discussions

Welcome to the HTX Community. Here, you can stay informed about the latest platform developments and gain access to professional market insights. Users' opinions on the price of SOL (SOL) are presented below.

活动图片

Top Questions

Hot Categoriesright-arrow

Hot Tagsright-arrow