The person (or persons) who drained Step Finance of roughly 261,854 SOL tokens has moved to the next phase of every crypto heist playbook: the laundering stage. The exploiter sold a significant chunk of stolen SOL, bridged $21.4 million to Ethereum, purchased ETH, and funneled the proceeds through Tornado Cash.
What happened at Step Finance
Step Finance, a DeFi portfolio management platform built on Solana, was hit on January 31 when attackers gained unauthorized access to treasury and fee wallets. The haul came to approximately 261,854 SOL, worth somewhere between $27 million and $30 million at the time of the breach.
The attack vector was the executive team's devices, which were compromised, likely through phishing or social engineering. The smart contracts worked fine. The people managing them did not.
Total losses ballooned to around $40 million when accounting for the full impact, with only about $4.7 million recovered through partnerships and features like Token22. That recovery rate, roughly 12% of total losses, is not exactly a victory lap.
By late February, Step Finance ceased operations entirely. Its affiliates, SolanaFloor and Remora Markets, also shut down as the fallout spread. The project announced plans for a buyback based on a pre-hack snapshot of the STEP token.
Following the money across chains
The on-chain data, flagged by Arkham Intelligence, paints a clear picture of the attacker’s exit strategy. After sitting on the stolen SOL, the exploiter began selling, converting roughly $21 million worth of tokens before bridging $21.4 million over to Ethereum.
Once on Ethereum, the funds were swapped into ETH and then routed through Tornado Cash. The US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash back in 2022, though those sanctions have faced significant legal challenges. The protocol continues to function because it’s a set of smart contracts on Ethereum that nobody can unilaterally shut down.
What investors should watch
The $4.7 million recovery represents a fraction of total losses, and the movement of funds through Tornado Cash suggests that further recovery through on-chain means is unlikely without law enforcement intervention. Historically, funds that make it through mixing protocols are rarely clawed back unless the attacker makes an operational mistake later, like cashing out through a centralized exchange with KYC requirements.
The planned STEP token buyback based on a pre-hack snapshot is worth monitoring, though with the project’s operations ceased and affiliates shut down, the entity executing any buyback may have limited resources to work with.
The attacker’s decision to convert stolen SOL into ETH before laundering signals a practical reality about cross-chain liquidity. Ethereum’s deeper liquidity pools and more established mixing infrastructure make it the preferred destination for laundering large sums, which means that exploits on alternative L1s frequently end up impacting Ethereum’s on-chain analytics landscape as well.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
