- Step Finance says about 261,854 SOL worth roughly $30 million were taken from Step Finance treasury wallets during a targeted attack
- The STEP token fell over 90% in 24 hours, while linked protocol Remora worked on redemptions and January’s DeFi exploits topped $370.3 million
Step Finance treasury wallets were at the center of a major security incident during Asia-Pacific trading hours, as the Solana-based DeFi platform confirmed a sophisticated attacker drained a substantial portion of its on-chain holdings. Around 261,854 SOL, valued at roughly $30 million, was removed from multiple project wallets, triggering sharp market fallout across the Solana ecosystem and intensifying concerns about a broader wave of DeFi exploits in early 2026.
Step Finance treasury wallets breach and immediate fallout
Step Finance disclosed that several of its treasury and fee wallets had been compromised, describing the perpetrator as a sophisticated actor who relied on a “well known attack vector.” The platform reported that the incident involved on-chain assets under its direct control rather than user deposits, and stressed that customer funds remained unaffected. However, the volume of SOL taken and the nature of the access raised questions over whether this was a targeted security failure or something more akin to an exit scam.
Blockchain security firm CertiK highlighted that the stolen SOL had been withdrawn only after stake authorization was transferred to an unknown wallet. This detail indicated that whoever carried out the attack managed to gain control over staking permissions linked to Step Finance treasury wallets, allowing them to unstake and move the assets. Solana media outlet Solana Floor separately reported that on-chain traces showed the 261,854 SOL was unstaked and then transferred during the incident, further supporting the view that the attacker had direct control over staking operations.
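The sequence CertiK and Solana Floor describe (authority change, then unstake, then transfer) can be watched for on a treasury's own stake accounts. The sketch below is an added example, not code from Step Finance or CertiK; it assumes instruction records shaped like the Solana RPC "jsonParsed" output for the stake program, and every account and key name in it is a constructed placeholder.

```python
STAKE_PROGRAM = "Stake11111111111111111111111111111111111111"
LAMPORTS_PER_SOL = 1_000_000_000

def detect_stake_takeover(instructions, treasury_accounts, approved_keys):
    """Scan stake-program instructions in chronological order. Alert when a
    treasury stake account's authority moves to a key outside the approved
    set, and on any deactivate/withdraw that follows such a change."""
    alerts, hijacked = [], {}  # hijacked: stake account -> roles held by unapproved keys
    for ix in instructions:
        if ix.get("programId") != STAKE_PROGRAM:
            continue
        kind, info = ix["parsed"]["type"], ix["parsed"]["info"]
        acct = info.get("stakeAccount")
        if acct not in treasury_accounts:
            continue
        if kind in ("authorize", "authorizeChecked"):
            role, new_key = info["authorityType"], info["newAuthority"]
            if new_key in approved_keys:
                hijacked.get(acct, set()).discard(role)  # planned rotation
            else:
                hijacked.setdefault(acct, set()).add(role)
                alerts.append(("AUTHORITY_CHANGED", acct, role, new_key))
        elif kind == "deactivate" and hijacked.get(acct):
            alerts.append(("UNSTAKE_AFTER_CHANGE", acct, info["stakeAuthority"]))
        elif kind == "withdraw" and hijacked.get(acct):
            sol = info["lamports"] / LAMPORTS_PER_SOL
            alerts.append(("WITHDRAW_AFTER_CHANGE", acct, sol, info["destination"]))
    return alerts

def _ix(kind, **info):
    """Build one constructed instruction record (field names are assumed)."""
    return {"programId": STAKE_PROGRAM, "parsed": {"type": kind, "info": info}}

# Constructed sample: one approved rotation, then a takeover of the withdrawer role.
SAMPLE = [
    _ix("authorize", stakeAccount="TreasuryStakeA", authority="OpsKey1",
        newAuthority="OpsKey2", authorityType="Staker"),
    _ix("authorize", stakeAccount="TreasuryStakeA", authority="OpsKey1",
        newAuthority="UnknownKeyX", authorityType="Withdrawer"),
    _ix("deactivate", stakeAccount="TreasuryStakeA", stakeAuthority="OpsKey2"),
    _ix("withdraw", stakeAccount="TreasuryStakeA", destination="UnknownKeyX",
        withdrawAuthority="UnknownKeyX", lamports=5_000_000_000),
    _ix("withdraw", stakeAccount="OtherStake", destination="Z",
        withdrawAuthority="Z", lamports=1),
]
ALERTS = detect_stake_takeover(SAMPLE, {"TreasuryStakeA"}, {"OpsKey1", "OpsKey2"})
```

Because a deactivated stake cannot be withdrawn until it finishes cooling down at an epoch boundary, the first alert is the one that leaves time to respond.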
News of the breach led to immediate market stress. Within 24 hours of the first disclosures, the platform’s native STEP token lost more than 90% of its value, reflecting intense selling pressure and a collapse in confidence.
Traders reacted to the uncertainty surrounding the integrity of the treasury controls, the scale of the loss, and the lack of clarity over whether funds could be recovered or compensated for in the future.
In response, Step Finance activated emergency protocols and began working with external cybersecurity specialists. The team said it had contacted “top security professionals” and notified relevant authorities while attempting to contain the situation. According to its public statements, the platform focused first on securing remaining wallets, auditing access routes used in the attack, and tracing the movement of the stolen SOL across the Solana network.
Impact on linked protocols and questions around security
The compromise of Step Finance treasury wallets had consequences beyond the project itself. Remora Markets, a connected protocol, disclosed that it had been affected because Step Finance acted as the majority liquidity provider. The Remora team stated that some of the impacted assets included Remora rStocks, tying the breach directly to its own operations.
Despite this exposure, Remora told users that its assets remained fully backed, stating that holdings were kept 1:1 in its brokerage account. The protocol said it was building a process to handle redemptions in light of the disruption caused by the hack of Step Finance treasury wallets. Even with those assurances, the link between the two platforms fueled additional unease among investors trying to assess the downstream risks of the incident.
The market’s verdict on Step Finance itself was swift and severe. The collapse in the STEP token’s price illustrated how quickly sentiment can shift when core project wallets come under attack. While the team insisted that no smart contract vulnerability had been exploited and that the attacker instead obtained wallet access, speculation grew over how such access was achieved and whether internal controls had been adequate.
This uncertainty fed into broader debates within the Solana and DeFi communities about operational security for treasury holdings. When a protocol’s core wallets are breached, users and counterparties often struggle to distinguish between external compromise, internal misconduct, or a mixture of the two. In the Step Finance case, these questions remained open as investigations proceeded, adding another layer of risk perception around Solana-based platforms already dealing with prior high-profile incidents.
Step Finance treasury wallets hack within January’s wider DeFi losses
The attack on Step Finance treasury wallets formed part of a much larger pattern of crypto security incidents in January 2026. CertiK’s comprehensive security review for the month estimated that around $370.3 million had been lost to exploits across the industry. These events involved multiple attack vectors, from phishing schemes to conventional smart contract vulnerabilities.
CertiK’s breakdown showed that phishing-related incidents accounted for $311.3 million of the January total, while code-based exploits contributed another $51.5 million. Several major cases stood out: Truebit suffered a $26.6 million smart contract exploit; SwapNet reported a $13.3 million breach affecting Matcha Meta users; Saga was hit by a $6.2 million exploit that led it to pause the SagaEVM chain; and Makina Finance recorded a $4.2 million loss due to flash loan manipulation. Against this backdrop, the roughly $30 million drained from Step Finance treasury wallets represented a sizeable share of the month’s DeFi-related damage.
The Solana ecosystem, in particular, has faced repeated security challenges. In September 2025, Swiss crypto platform SwissBorg lost $41.5 million worth of SOL after hackers compromised partner API provider Kiln. Two months later, in November 2025, South Korean exchange Upbit suffered a $36 million Solana exploit, coinciding with the six-year anniversary of its 2019 breach linked by authorities to North Korean actors. The Step Finance incident added another example of Solana-linked infrastructure facing significant losses, reinforcing concerns over how security practices are implemented across different layers of the ecosystem.
Beyond protocol and platform hacks, January also saw one of the largest individual crypto thefts on record. Blockchain investigator ZachXBT documented a case in which a victim lost more than $282 million in Bitcoin and Litecoin through a hardware wallet social engineering scam. This surpassed the earlier record of $243 million set in August 2024. According to the investigation, the attacker quickly began converting the stolen funds into Monero via multiple instant exchanges, obscuring movement across chains and complicating forensic efforts.
CertiK’s data indicated that despite the scale of recent incidents, only a small portion of the stolen funds had been recovered. The firm estimated that less than 2-5% of assets taken in January exploits had been clawed back, with many investigations still in their early stages. That low recovery rate underscored the difficulty of reclaiming funds once they are moved through mixers, privacy-focused assets, or complex cross-chain routes.
Even government-controlled assets came under scrutiny. The US Marshals Service confirmed an investigation into a possible intrusion involving federal digital-asset accounts. Patrick Witt, executive director of the President’s Council of Advisors for Digital Assets, said that government seizure addresses were among wallets from which more than $60 million was stolen in late 2025. This revelation illustrated that the security issues facing the crypto sector extended beyond commercial and DeFi platforms to public-sector holdings as well.
Conclusion
The compromise of Step Finance treasury wallets, resulting in the loss of approximately 261,854 SOL worth about $30 million, has become a focal point in a month already marked by heavy DeFi and crypto security losses. The episode triggered a collapse in the STEP token, affected linked protocols such as Remora Markets, and raised unresolved questions about whether the breach stemmed from external compromise, internal failings, or both. Set against CertiK’s estimate of $370.3 million lost to various exploits in January 2026, and alongside previous Solana-related hacks and record-setting individual thefts, the Step Finance case underscores how treasury controls, staking authorizations, and wallet management remain critical pressure points across the digital asset sector.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is the opinion of the author and does not reflect any view, suggestion, or advice of any kind from CryptoNewsBytes.com. The author declares that he does not hold any of the above-mentioned tokens and has not received any incentive from any company.
