$30M Embezzled After Step Finance Treasury Wallets Breached
Step Finance, a prominent DeFi platform on Solana, has confirmed that several treasury and fee wallets were breached by a sophisticated attacker during trading hours in the Asia-Pacific region, leading to the theft of approximately 261,854 SOL tokens valued at around $30 million.
This breach sent tremors throughout the Solana ecosystem as the blockchain security firm CertiK reported that the stolen SOL “was withdrawn after stake authorization had been transferred” to an unidentified wallet address.
The event sparked immediate market turmoil, with the platform’s native STEP token plummeting by more than 90% within just 24 hours.
Source: CoinGecko
While the team maintains that user funds were not impacted, uncertainty lingers regarding whether the breach signifies a true security lapse or a covert exit scam, especially given that the attacker seemed to have direct access to wallets instead of exploiting vulnerabilities within smart contracts.
Earlier today, several of our treasury wallets fell victim to a sophisticated actor during APAC hours. This was an attack carried out using a well-known attack vector.
We have taken immediate remediation measures and are collaborating closely with leading security experts.…
— Step (@StepFinance_) January 31, 2026
Emergency Measures and Damage Control
Step Finance announced the security breach through a series of urgent social media updates, stating that “multiple treasury and fee wallets were compromised by a sophisticated actor” and confirming that the attack utilized “a well-known attack vector.”
The platform promptly initiated emergency protocols and sought assistance from cybersecurity firms.
Solana media outlet Solana Floor reported that on-chain data indicated the stolen 261,854 SOL was “unstaked and transferred during the incident,” implying that the attacker had gained authorization to manage staking operations.
The team highlighted that it had “informed the relevant authorities” and executed immediate remediation steps while working tirelessly with top security professionals.
We are reaching out to cybersecurity firms for assistance.
Any firms that can help are welcome to slide into DMs https://t.co/uNN5l6TYVL
— Step (@StepFinance_) January 31, 2026
Aftershocks Across Associated Protocols
The breach affected not only Step Finance but also connected platforms, including Remora Markets.
The protocol revealed that as “majority LP, Step Finance suffered a hack of treasury wallets earlier today,” with some impacted assets including Remora rStocks.
Remora reassured its users that despite the incident, “Remora assets remain secured 1:1 in our brokerage account” while developing a process for managing redemptions.
The market’s rapid response to Step Finance was evident in the severe price fluctuations, with the STEP token losing a significant portion of its value as traders fled amid concerns regarding the platform’s future stability and the authenticity of the breach.
Remora Markets majority LP, Step Finance experienced a hack of treasury wallets earlier today. Some of the assets involved in the incident are Remora rStocks.
An investigation is currently in progress. Remora assets remain held 1:1 in our brokerage account. A process for handling…
— Remora Markets (@RemoraMarkets) January 31, 2026
January’s Unyielding Wave of DeFi Exploits
The Step Finance breach is the latest in what security firms characterize as a catastrophic month for cryptocurrency security.
According to CertiK’s detailed security report for January 2026, “when aggregating all incidents in January, we’ve confirmed approximately $370.3 million lost to exploits” across various attack vectors.
Major incidents in January included Truebit’s $26.6 million smart contract exploit, SwapNet’s $13.3 million breach affecting Matcha Meta users, Saga’s $6.2 million exploit that forced the Layer-1 protocol to halt its SagaEVM chain, and Makina Finance’s $4.2 million loss due to flash loan manipulation.
CertiK’s findings indicated that phishing incidents accounted for $311.3 million of January’s total losses, while attacks exploiting code vulnerabilities totaled $51.5 million.
#CertiKStatsAlert
Combining all the incidents in January, we’ve confirmed approximately $370.3 million lost to exploits.
Around $311.3 million of the total is attributed to phishing, with one victim losing approximately $284 million due to a social engineering scam.
More details below pic.twitter.com/uXhi0P6dl5
— CertiK Alert (@CertiKAlert) January 31, 2026
Importantly, the Step Finance breach continues a concerning trend impacting Solana-based protocols.
Swiss crypto platform SwissBorg suffered a loss of $41.5 million in SOL tokens in September 2025 after hackers breached the partner API provider Kiln, while South Korea’s Upbit exchange experienced a $36 million Solana exploit in November 2025, exactly six years after its 2019 hack attributed to North Korean actors.
In addition to individual protocol failures, January also saw the largest single crypto theft of 2026, with a victim losing over $282 million in Bitcoin and Litecoin through a hardware wallet social engineering scam, as blockchain investigator ZachXBT noted, surpassing the previous record of $243 million set in August 2024.
The attacker “quickly began converting the stolen assets into Monero through various instant exchanges,” obscuring the trail across multiple blockchain networks.
CertiK’s data indicates that despite these enormous losses, less than 2-5% has been recovered thus far, as investigations into many incidents have only recently commenced.
Even government-held crypto assets faced scrutiny, as the US Marshals Service confirmed it is probing a potential hack of federal digital-asset accounts.
Patrick Witt, executive director of the President’s Council of Advisors for Digital Assets, acknowledged that the government seizure addresses were among the wallets from which hackers stole more than $60 million in late 2025.
The post $30M Stolen as Step Finance Treasury Wallets Compromised appeared first on Cryptonews.