Level Finance loses $30M in Solana Treasury wallet hack
Crypto journalist
Anas Hasan
Crypto journalist
Share
Step Finance, the main Solana DeFi platform, multiple vaults and payment wallets were compromised by a sophisticated attacker during Asia Pacific trading hours, resulting in the theft of 261,854 SOL tokens worth approximately $30 million.
The breach sent shockwaves through the Solana ecosystem as blockchain security firm CertiK reported that the stolen SOL was transferred to an unknown wallet address “after the transfer of the stake license”.
The incident immediately sparked market panic, with the platform's native STEP token plunging more than 90% within 24 hours.
While the team says no user funds were affected, questions remain as to whether the breach represents a genuine security breach or a hidden exit scam, especially since the attacker appeared to have direct wallet access rather than exploiting smart contract vulnerabilities.
Emergency response and damage control
Step Finance disclosed the security breach in a series of urgent social media posts, saying that “several of our accounts and wallets were compromised by a sophisticated actor” and confirmed that the attack used a “well-known attack vector.”
The platform immediately activated emergency protocols and contacted cyber security firms for assistance.
Solana media company Solana Flor's on-chain data shows that the stolen 261,854 SOL were “not held and moved by the risk,” suggesting that the attacker had permission to control stock operations.
The team has “notified the concerned authorities” and stressed that it is working round the clock with senior security professionals to take immediate corrective measures.
Ripple results in related protocols
The breach also affected related platforms, including Remora Markets, and extended beyond Step Finance's own operations.
According to the protocol, “most LPs, Step Finance experienced hacking of treasury wallets earlier today” with some of the affected assets including Remora rStocks.
Remora assured users that “Remora assets remain 1:1 in our brokerage account” while building a process to handle redemptions despite the incident.
The market's snap judgment on Step Finance came after a brutal price action, with the STEP token losing most of its value as traders fled amid uncertainty about the platform's future viability and the legitimacy of the breach.
January's constant wave of DeFi exploits
The Step Finance hack is the latest sign of what security firms have described as a devastating month for cryptocurrency security.
According to CertiK's overall security report for January 2026, “Combining all incidents in January, we confirmed ~$370.3M was lost to exploits” across multiple attack vectors.
Major January events include Trubit's $26.6 million smart contract exploit, SwapNet's $13.3 million breach that exposed Matcha Meta users, Saga's $6.2 million exploit that forced the Layer-1 protocol to halt its SagaEVM chain, and Makina Finance's $4.2 million loss in a flash loan scam.
According to Certike's analysis, phishing incidents accounted for $311.3 million in January losses, while code vulnerability attacks accounted for $51.5 million.
In particular, step-financing violations continue to be a concern affecting Solana-based protocols.
The Swiss crypto platform lost $41.5 million worth of Sol tokens in September 2025 after Swiss Borg hackers hacked its partner API provider Killin, while the South Korean exchange Upbit suffered a $36 million Solana exploit in November 2025, just as in 2015. In 2019, six years after the alleged hacking by North Korean actors.
Beyond individual protocol failures, January saw the largest single crypto theft of 2026, when victims lost more than $282 million in Bitcoin and Litecoin to hardware wallet social engineering fraud, according to blockchain researcher ZachXBT, surpassing the previous record of $243 million set in August 2024.
The attacker “immediately started converting the stolen assets into Monero in several quick exchanges” hiding his tracks on multiple blockchain networks.
CERTK data shows that despite these high losses, the recovery so far is less than 2-5% because in many cases the investigation has only started recently.
Even government-held crypto assets are being investigated, as the US Marshals Service confirmed that it is investigating hacking of federal digital asset accounts.
Patrick Witt, executive director of the Council of President's Advisors on Digital Assets, acknowledged that by the end of 2025, government-held addresses were among the wallets from which hackers stole more than $60 million.
Trending news, recommended popular crypto topics, price predictions
