Step Finance Hacker Sells 261,933 SOL, Cashing Out $21.4 Million

On July 5, 2026, a long-dormant address in the Solana ecosystem suddenly woke up. According to the on-chain analysis platform Lookonchain, the attacker behind the 2022 exploit of the Solana DeFi project Step Finance, after roughly five months of relative silence, sold the address's entire balance of 261,933 SOL in a single move, cashing out approximately $21.4 million. The proceeds were quickly bridged to the Ethereum network, where they were used to buy 12,128 ETH, and that ETH was deposited into the privacy mixing protocol Tornado Cash almost immediately. This is not ordinary profit-taking: the whole path, from exploit proceeds to cross-chain purchase to mixing, starts from an address explicitly labeled as holding the proceeds of the historical Step Finance exploit. Tornado Cash itself has long been in the regulatory and public spotlight because of U.S. Treasury sanctions, and the episode revives two old issues: old vulnerabilities in DeFi projects keep bleeding years later, and the debate over whether privacy protocols are a user protection tool or a laundering shelter for hackers keeps getting sharper.

Sudden Dump After Five Months of Silence: The Hacker's Timing Choice

According to Lookonchain, the address associated with the Step Finance exploit showed no asset movements of comparable scale in the roughly five months before this action; the 261,933 SOL obtained in the attack sat idle for a long time. The silence reads like deliberate lurking: no small test withdrawals, no gradual selling in batches, but a single sale of the entire position on July 5, 2026, cashing out approximately $21.4 million and switching from holding to fully liquidated in one step.

The timing may reflect several kinds of judgment on the hacker's part. First, in terms of market conditions, the five-month wait may have been meant to ride out short-term volatility and exit quickly within a price range the hacker considered acceptable. Second, the Step Finance exploit is old news and public attention has clearly faded, with the project and its users focused on newer security incidents; the hacker may have read that as less friction attached to the "old case" label. The more important backdrop, however, is policy risk: Tornado Cash has long been on the U.S. Treasury's sanctions list, and the debate over its legality and privacy value continues today. That the hacker still sent all 12,128 ETH into Tornado Cash under this regulatory shadow suggests an assessment that the risk was manageable. Seen this way, the address's shift from long-term dormancy to sudden action is not only a technical operation of laundering and asset transfer but also a bet colored by subjective risk judgment, one that pushes regulators and market participants to reassess how long-dormant addresses like this can reshape the on-chain risk landscape.

From Solana to Ethereum: The Cross-Chain Path of Illicit Funds

After the one-time sale of 261,933 SOL, the roughly $21.4 million did not stay in the Solana ecosystem for long. On-chain records show that the hacker first swapped SOL on the Solana side for assets that are easier to move, then used an unnamed cross-chain channel to carry the funds from Solana mainnet to the Ethereum network. The report does not name the bridge or the DEX involved, but it confirms that the funds completed a cross-chain migration from Solana to Ethereum, which opened the technical entry point for the laundering path that followed.

Once on Ethereum, the funds changed role: the hacker used the bridged balance to buy 12,128 ETH, converting the illicit gains from "SOL taken in the attack" into the mainstream on-chain asset ETH, and then pushed the whole amount into Tornado Cash. Per Lookonchain's monitoring, the sequence of sale, bridge, ETH purchase and mixing forms a fairly complete multi-chain route. The bridge and the multi-chain assets act as transport hubs, letting illicit funds change chain, form and pricing rapidly, and this materially raises the cost of tracing: investigators must not only reconstruct the transaction chain on each network but also link addresses and timelines across networks. Because a bridge breaks the direct on-chain link between sender and recipient, that cross-chain join usually rests on matching amounts and timing between a deposit on one chain and a release on the other, or on the bridge's own event records, rather than on a transaction that can simply be followed.
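The cross-chain join problem described above is easier to see in code. The following is an added example written for this article, not Lookonchain's tooling or anything from Step Finance: a small tracer over constructed, hypothetical transaction records that follows outflows from a starting address in chronological order, treats a labeled DEX as a swap whose value returns to the same address, joins a bridge deposit on one chain to a release on the other by time window and USD value, and stops when it reaches a counterparty labeled as a sanctioned mixer or when the bridge leg cannot be matched. All addresses, labels, transaction ids and amounts are placeholders, and the window and tolerance constants are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Tx:
    """One transfer as an analyst would normalise it from either chain."""
    chain: str       # "sol" or "eth"
    txid: str        # placeholder id, not a real signature or hash
    ts: datetime
    src: str
    dst: str
    asset: str
    amount: float
    usd: float       # USD value at the time of the transfer

# Hypothetical counterparty labels an investigator would maintain.
# Keys are placeholders, not real program or contract addresses.
LABELS = {
    "sol:DEX_POOL": "dex",
    "sol:BRIDGE_VAULT": "bridge_vault",
    "eth:0xBRIDGE_VAULT": "bridge_vault",
    "eth:0xDEX_ROUTER": "dex",
    "eth:0xMIXER": "sanctioned_mixer",
}

T0 = datetime(2026, 7, 5, 9, 0)

def _t(minutes):
    return T0 + timedelta(minutes=minutes)

# Constructed records mirroring the path in the article: swap on Solana, bridge,
# swap to ETH on Ethereum, deposit to a mixer. e0 is unrelated bridge traffic in
# the same window that must not be picked up by the join.
SAMPLE_TXS = [
    Tx("sol", "s1", _t(0),  "sol:ATTACKER",       "sol:DEX_POOL",       "SOL",  261_933,    21_400_000),
    Tx("sol", "s2", _t(0),  "sol:DEX_POOL",       "sol:ATTACKER",       "USDC", 21_380_000, 21_380_000),
    Tx("sol", "s3", _t(5),  "sol:ATTACKER",       "sol:BRIDGE_VAULT",   "USDC", 21_380_000, 21_380_000),
    Tx("eth", "e0", _t(10), "eth:0xBRIDGE_VAULT", "eth:0xSOMEONE_ELSE", "USDC", 500_000,    500_000),
    Tx("eth", "e1", _t(20), "eth:0xBRIDGE_VAULT", "eth:0xATTACKER",     "USDC", 21_370_000, 21_370_000),
    Tx("eth", "e2", _t(30), "eth:0xATTACKER",     "eth:0xDEX_ROUTER",   "USDC", 21_370_000, 21_370_000),
    Tx("eth", "e3", _t(30), "eth:0xDEX_ROUTER",   "eth:0xATTACKER",     "ETH",  12_128,     21_370_000),
    Tx("eth", "e4", _t(45), "eth:0xATTACKER",     "eth:0xMIXER",        "ETH",  12_128,     21_360_000),
]

BRIDGE_WINDOW = timedelta(hours=2)   # assumption: how long a bridge takes to release
USD_TOLERANCE = 0.01                 # assumption: 1 percent for fees and price drift

def _label(addr):
    return LABELS.get(addr, "unlabeled")

def _match_bridge_arrival(txs, deposit, seen):
    """Join a bridge-vault deposit on one chain to a bridge-vault release on another.
    Heuristic only: earliest release inside the window whose USD value is within
    tolerance. Corroborate with the bridge's own events before relying on it."""
    candidates = [
        x for x in txs
        if x.chain != deposit.chain
        and x.txid not in seen
        and _label(x.src) == "bridge_vault"
        and deposit.ts <= x.ts <= deposit.ts + BRIDGE_WINDOW
        and abs(x.usd - deposit.usd) <= USD_TOLERANCE * deposit.usd
    ]
    return min(candidates, key=lambda x: x.ts) if candidates else None

def trace(txs, start_addr, start_ts, max_hops=20):
    """Follow outflows from start_addr chronologically, hopping chains via the bridge
    heuristic. Returns hops as (chain, txid, asset, role) plus why tracing stopped."""
    addr, after, seen, hops = start_addr, start_ts, set(), []
    for _ in range(max_hops):
        outs = [x for x in txs if x.src == addr and x.ts >= after and x.txid not in seen]
        if not outs:
            return {"hops": hops, "terminal": "exhausted"}
        leg = min(outs, key=lambda x: x.ts)
        seen.add(leg.txid)
        role = _label(leg.dst)
        hops.append((leg.chain, leg.txid, leg.asset, role))
        after = leg.ts
        if role == "sanctioned_mixer":
            return {"hops": hops, "terminal": "sanctioned_mixer"}
        if role == "dex":
            # A swap: value comes back to the same address in another asset.
            back = [x for x in txs if x.src == leg.dst and x.dst == addr
                    and x.ts >= leg.ts and x.txid not in seen]
            if back:
                ret = min(back, key=lambda x: x.ts)
                seen.add(ret.txid)
                hops.append((ret.chain, ret.txid, ret.asset, "swap_output"))
            continue
        if role == "bridge_vault":
            arrival = _match_bridge_arrival(txs, leg, seen)
            if arrival is None:
                return {"hops": hops, "terminal": "bridge_unmatched"}
            seen.add(arrival.txid)
            hops.append((arrival.chain, arrival.txid, arrival.asset, "bridge_release"))
            addr, after = arrival.dst, arrival.ts
            continue
        addr = leg.dst   # plain transfer to another address: keep following it
    return {"hops": hops, "terminal": "hop_limit"}

if __name__ == "__main__":
    for hop in trace(SAMPLE_TXS, "sol:ATTACKER", T0)["hops"]:
        print(*hop)
```

The bridge join is where this kind of tracing is weakest: with only amount and timing to go on, a busy bridge can produce several plausible matches, so in a real investigation the heuristic link is a lead to confirm against the bridge's own deposit and release events, not a conclusion. The tracer also stops at the mixer deposit, which is exactly where the public trail in this case ends.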

Tornado Cash Still Preferred by Hackers Despite Sanctions

According to AiCoin's compilation of public on-chain data from Lookonchain, after the sale the hacker used the bridged funds to buy 12,128 ETH on Ethereum and immediately deposited it into the well-known Ethereum privacy mixing protocol Tornado Cash. For assets explicitly marked as proceeds of the historical Step Finance exploit, this step is almost textbook standard procedure: mixing severs the visible link between addresses, so that the 2022 attack and the concentrated disposal on July 5, 2026 appear on-chain as two unrelated fund narratives.

The contradiction is that Tornado Cash has long been on the U.S. Treasury's sanctions list, with years of debate over "freedom of code" and compliance responsibility, yet it keeps reappearing in the follow-up fund flows of public attack cases and is regarded by the security community as a staple of the hacker toolkit. On one side are regulatory pressure and compliance demands; on the other is strong demand from on-chain users, attackers included, for transaction privacy, and any protocol that can create ambiguity on a public ledger proves stubbornly durable in practice. The Step-linked address choosing Tornado Cash once again not only obscures the illicit funds but also reminds the market that, without finer-grained institutional and technical arrangements, the gray role of privacy protocols will keep sitting at the intersection of attacks, laundering and ordinary users' privacy protection.

Old Wounds of Step Finance Security and the Recovery Dilemma

If the sale of 261,933 SOL is the endpoint, the real starting point is still 2022. Step Finance, a DeFi project deployed on Solana, lost a significant amount of user funds to a vulnerability exploit that year. The attacker's addresses did not liquidate quickly; they held part of the illicit funds for an extended period and only moved decisively in 2026. According to Lookonchain, the assets sold and bridged in this action are explicitly marked as proceeds of that year's attack, not the project's normal operating income. The current cash-out is therefore not a routine portfolio adjustment but the disposal of criminal proceeds delayed by four years, a sign that the old wound has not healed on the ledger.

From the 2022 incident, through the attacking address's sporadic activity in the first half of 2026 and roughly five months of relative quiet, to the sudden sale of the full position and the cross-chain purchase of 12,128 ETH rushed into Tornado Cash on July 5, this fund path also marks the practical limits of recovery. Once illicit funds have crossed a bridge into another public chain and been further fragmented and mixed by a sanctioned, controversial mixing protocol, project teams and victims, even with public on-chain evidence in hand, still face a series of legal and compliance hurdles around cross-jurisdictional coordination, identification of asset provenance and cooperation at the enforcement level. As of now, public materials show no official response from Step Finance or from law enforcement regarding this sale and laundering episode, which leaves users facing a blunt reality: the consequences of security incidents do not fade automatically with market cycles. As long as illicit funds keep moving on-chain, a historical attack lives on in another form.

The Tug-of-War Between Privacy Protocols and Project Security Continues

From the Step Finance exploit proceeds lingering on Solana, to the one-time sale of 261,933 SOL on July 5, 2026, to the cross-chain conversion into 12,128 ETH on Ethereum and the deposit of the whole amount into Tornado Cash, this fund path condenses the core tensions among DeFi project security, cross-chain technology and privacy protocols into a single on-chain narrative: assets left behind by a vulnerability can be reactivated years later, bridges and major public chains offer convenient migration channels, and controversial privacy mixers serve hackers as laundering gateways. The last visible link currently stops at Tornado Cash; whether there will be withdrawals afterward, and whether funds will be split across new addresses, remains unanswered in public records. In the coming period, whether the hacker withdraws ETH from the protocol in batches, or new addresses appear to disperse the funds, are on-chain signals worth continuous monitoring. Equally important is whether Step Finance will proactively disclose security upgrade plans, on-chain recovery paths or other remedial measures, which will directly affect user confidence in the overall security posture of Solana DeFi.

On-chain analysis platforms such as Lookonchain give outsiders a valuable transparency window built on public data, but they have inherent limits in timeliness, completeness and interpretation. This analysis relies mainly on a single monitoring source, so on the hacker's true motives and next steps it can only take a cautious, observational stance within the boundaries of the public addresses and fund paths, and readers should keep the usual skepticism and cross-verify any single data source.


Disclaimer: This article represents the author's personal views only and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page involves infringement, please send proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
