Who Struck Step Finance? Treasury Breach Nets $27 Million

Step Finance, a well-known Solana analytics hub, said its treasury was hit in a major breach that emptied 261,854 SOL from wallets tied to the platform.

The loss forced a sharp market reaction, and users and investors watched prices tumble as the team moved quickly to contain the damage.

Based on reports, roughly 261,854 SOL were unstaked and shifted off the platform on January 31, 2026, an amount worth around $27 million to $30 million at the time.

Breach Hits Step Finance Treasury

Investigators were called in right away. According to the platform’s public posts, security specialists and outside firms are helping to trace the funds. Some transfers were obvious on public ledgers; they could be followed from the compromised wallets to a set of addresses that began converting SOL.

#CertiKInsight

We have seen a security breach of @StepFinance_ treasury wallets.https://t.co/Zi3tMKaTqE

261,854 SOL (~$28.9M) has been withdrawn after stake authorization had been transferred tohttps://t.co/o51kREYPHW

Stay Vigilant! pic.twitter.com/GrxpyzI2Uv

— CertiK Alert (@CertiKAlert) January 31, 2026

Questions remain about how access was gained. It is not yet clear whether private keys were taken, a staking routine was exploited, or an internal process failed. The exact technical route is still being pieced together.

On-Chain Clues And Market Fallout

Markets reacted violently. The platform’s governance token fell hard, with prices dropping by more than 80% in minutes as panic spread. Traders sold quickly. Price books thinned.

Based on reports from on-chain trackers, multiple large unstake transactions and swaps were executed in a short time window.

Some of the moved SOL was routed to exchanges, while other amounts were split across several wallets, a pattern observers often tie to attempts at cashing out without drawing attention.

Earlier today several of our treasury wallets were compromised by a sophisticated actor during APAC hours. This was an attack facilitated through a well known attack vector.

Immediate remediation steps have been taken, and we are working closely with top security professionals.…

— Step (@StepFinance_) January 31, 2026

Step Finance announced emergency steps to shield remaining funds. Access to certain treasury functions was restricted and multisig controls were reviewed.

Accounts under direct protocol control were frozen where possible. The company said it was cooperating with authorities and sharing findings with the wider Solana community.

At the same time, public-facing channels were used to give updates as they became available, though many technical details were deliberately withheld to avoid tipping off the attacker.

A handful of security firms are conducting forensic work on the transactions. On-chain evidence will be crucial to any effort to recover assets.

Reports note that tracing is a step; recovering funds is another. Legal and regulatory routes may be explored if identifiable intermediaries or exchanges are used to move the stolen value.

Whether user funds outside the treasury were touched has been a key concern, and the company is said to be clarifying that matter.

Featured image from Unsplash, chart from TradingView