Step Finance, a well-known Solana analytics hub, said its coffers were hit overnight major infringement causing 261,854 SOL to be emptied from wallets linked to the platform.
The loss forced a sharp reaction from the market, and users and investors saw prices plummet as the team acted quickly to limit the damage.
Based on reports approximately 261,854 SOL were not deployed and deplatformed on January 31, 2026, an amount worth approximately $27 million to $30 million at the time.
Breach affects Step Finance Treasury
Detectives were immediately called in. According to the platform’s public posts, security specialists and third-party companies help track the funds. Some transfers were clearly visible in the public ledgers; they could be tracked from the compromised wallets to a series of addresses that started converting SOL.
#CertiKInsight 🚨
We’ve seen a security breach @StepFinance_ treasury wallets.https://t.co/Zi3tMKaTqE
261,854 SOL (~$28.9 million) withdrawn after stake authorization was transferred tohttps://t.co/o51kREYPHW
Stay vigilant! pic.twitter.com/GrxpyzI2Uv
— CertiK Alert (@CertiKAlert) January 31, 2026
Questions remain about how access was gained. It is not yet clear whether private keys were stolen, a staking routine was abused, or an internal process failed. The exact technical route is still being put together.
Image: CMIT Solutions
Indications in the chain and market effects
The markets reacted violently. The platform’s governance token fell hard, with prices falling more than 80% in minutes as panic spread. Traders sold quickly. Price books have thinned out.
Based on reports from on-chain trackers, several large unstake transactions and swaps were executed in a short period of time.
Some of the moved SOL was routed to exchanges, while other amounts were distributed to different wallets, a pattern that observers often link to attempts at payout without attracting attention.
Earlier today during APAC hours, several of our treasury portfolios were compromised by a sophisticated actor. This was an attack facilitated via a known attack vector.
Immediate remedial action has been taken and we are working closely with the best security professionals.…
— Step☀️ (@StepFinance_) January 31, 2026
Community fear and operational response
Step Finances emergency measures announced to protect remaining funds. Access to certain treasury functions was restricted and multisig controls were revised.
Accounts under direct protocol control were frozen where possible. The company said it was cooperating with authorities and sharing the findings with the wider Solana community.
At the same time, public channels were used to provide updates as they became available, although many technical details were deliberately withheld to avoid notifying the attacker.
Recovery steps and unknowns
A handful of security companies are conducting forensic investigations into the transactions. Evidence in the chain will be critical to any attempt to recover assets.
Reports note that tracing is a step; getting money back is another thing. Legal and regulatory routes can be explored if identifiable intermediaries or exchanges are used to move the stolen value.
Whether user funds outside the treasury were touched was a major concern, and the company would clarify that issue.
Featured image from Unsplash, chart from TradingView
Editing process for bitcoinist is focused on providing thoroughly researched, accurate, and unbiased content. We have strict sourcing standards and every page is carefully reviewed by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance and value of our content to our readers.
#Step #Finance #affected #Treasury #breach #nets #million