Solana Hacker Moves Stolen Funds, Putting Tornado Cash Back Under Pressure
“A hacker linked to the Step Finance theft swapped stolen Solana into Ethereum and pushed the funds through Tornado Cash, making the money harder to follow.” The hacker who stole a large amount of Solana earlier this year has moved again. Five quiet months, then activity. The wallet sold its SOL, shifted the proceeds into Ethereum, and pushed them through Tornado Cash. That is the important part. Why does this matter? Because once funds enter a mixer, investigators may still have clues, but the clean block explorer trail starts to splinter. My take: this is a useful check on the lazy claim that “on-chain transparency” fixes everything. It does not. Especially when someone moves fast and already knows the exits.

“The wallet linked to the Step Finance attack became active after months of dormancy, sold 261,933 SOL for about $21.4 million, bridged the money to Ethereum, and deposited the resulting ETH into Tornado Cash.” The wallet tied to the Step Finance attack had been inactive for roughly five months. Then it woke up. On-chain data shows the attacker sold 261,933 SOL for about $21.4 million. The funds were bridged to Ethereum, used to buy 12,128 ETH, and then deposited into Tornado Cash. Not subtle. The route is familiar: sell the stolen asset, move chains, convert into something more liquid. After that, use a privacy tool to blur the trail. Analysts also noted that the SOL market absorbed the $21.4 million sale without a major sell-off, which removes one immediate worry for Solana holders. Still, the money left Solana. The chart did not panic. The flow still matters.
“Moving the funds to Ethereum and then into Tornado Cash makes the assets harder to track and puts new pressure on privacy protocols.” The Ethereum transfer is the real turn in the story. Once the attacker converted the funds and sent them into Tornado Cash, tracing became harder. Not impossible. Just harder. Most guides talk about mixers as if they make stolen funds vanish. That is only half right. They raise the cost of investigation, and sometimes that is enough. The SEC, OFAC, and regulators outside the United States have been watching privacy tools, exchanges, and KYC/AML controls closely because criminals keep using these routes. A case like this can feed more delistings, tighter exchange screening, or new limits on services that touch mixed funds. I will be honest: I do not think every privacy tool should be treated as criminal by default. But transactions like this make that argument much harder to sell in public.
“In January 2026, Step Finance said attackers accessed platform wallets and withdrew about 261,854 SOL. The later move into ETH and Tornado Cash shows why Ethereum still attracts large, complicated crypto flows.” Step Finance suffered the breach in late January 2026. According to the project’s post-mortem, attackers took over administrative devices, accessed treasury and fee wallets, and withdrew about 261,854 SOL. At the time, the stolen funds were worth roughly $27 million to $30 million. STEP then fell by more than 80%. The later move from SOL into ETH says something uncomfortable about market structure. The attacker did not choose an obscure privacy coin for the final step. They chose Ethereum because it has deep liquidity, broad bridge access, and Tornado Cash infrastructure already in place. Counter to the usual tribal reading, that does not make Ethereum “bad.” It means Ethereum is still where a lot of crypto money goes when the trade is large, messy, or both. Solana may compete on speed and developer activity. For this kind of exit route, though, Ethereum is still the obvious highway.
What this means
“Attackers are still using privacy protocols to hide stolen funds, which keeps creating problems for blockchain analytics teams and law enforcement.” The lesson is blunt: hackers will keep using privacy protocols when enough money is involved. Tornado Cash has been sanctioned and watched for years, yet it still works well enough that attackers return to it. Is this surprising? Not really. For investors, the Step Finance case is less about one wallet and more about operational risk. Protocol security matters. Admin-device security matters. Treasury controls matter. Traceability matters too. A public blockchain does not magically stop laundering once funds move across chains and through mixers. Yes, this cuts against the cleaner “transparent ledgers solve crime” pitch. Bear with me: transparency helps, but it is not a handcuff. SOL avoided an immediate sell-off from this sale, but repeated events like this can still damage confidence. People remember where the money was stolen, even if it later disappears into Ethereum.
“The next thing to watch is whether regulators take new action against Tornado Cash, similar privacy tools, exchanges, or DeFi protocols that interact with mixed funds.” The next signals will probably come from regulators and from the chain data itself. If the SEC, OFAC, or another agency announces new action tied to Tornado Cash or mixed funds, DeFi projects and exchanges may tighten their own rules quickly. Liquidity providers could get nervous. Legitimate users could get caught in the mess too. That part gets ignored until it happens. I would watch the attacker’s wallet cluster after the Tornado Cash deposits, because mixers make tracing harder but do not erase every mistake. One sloppy withdrawal can matter. So can a reused address or an exchange deposit. Privacy focused tokens may also feel pressure if this story keeps spreading, because markets do not always separate one privacy tool from the rest.
