The market does not fear the thief; it fears the thief who knows the latency of a liquidity pool.
Five months after the $21.4 million exploit of Step Finance—a Solana-based analytics dashboard—the hacker finally moved. Not with a panic dump, but with the precision of a macro trader executing a thesis. First, the SOL was converted to ETH through a series of decentralized swaps. Then, it was bridged to Ethereum Mainnet via an undisclosed cross-chain bridge. Finally, the entire sum was funneled into Tornado Cash, the sanctioned mixer that turns transaction history into a black hole.
Context
Step Finance, for those unfamiliar, is not a lending protocol or an AMM. It is a portfolio tracker, a window into your Solana holdings. The exploit itself, which occurred in early 2023, was a classic smart contract vulnerability—a reentrancy bug in the platform’s reward claim function that allowed an attacker to drain the treasury. The hacker walked away with 1.7 million SOL, worth roughly $21.4 million at the time. Then, nothing. For 156 days, the address sat dormant. No transfers, no mixing, no sign of life. The market largely forgot. Analysts moved on to the next flash loan attack.
Core
The decision to wait five months is not irrational. It is a deliberate optimization of a well-known game: the game of exit liquidity. By sitting on the asset, the hacker allowed the immediate shock to dissipate. The Solana price recovered from the incident’s initial dip. Chainalysis teams likely shifted focus to newer hacks. Most importantly, the wait gave the hacker time to structure a clean execution path.
Let us examine the actual mechanics. On-chain data reveals that the hacker’s address interacted with a Solana DEX aggregator—likely Jupiter—to swap the entire SOL stash for ETH. This is not a trivial trade; 1.7 million SOL at current prices (~$20) would be $34 million, but the original $21.4 million suggests the hacker sold at a lower price or through multiple routes. The choice of ETH over USDC or USDT is telling. ETH is the native asset of Ethereum, the only chain where Tornado Cash still operates with meaningful depth post-OFAC sanctions. Bridging to Ethereum through Wormhole or deBridge would take minutes. The hacker used a bridge that did not require whitelisting or KYC.
Then came the final act: depositing into Tornado Cash across multiple transactions. Each deposit of 100 ETH (roughly $170,000) creates a set of anonymity notes. The hacker made approximately 100 deposits to fully mix the funds. This is not sloppy work; it is compliance with the algorithm’s survival function. The Tornado Cash smart contract optimizes for chunk size to maximize privacy while minimizing gas costs.
The algorithm optimizes for survival, not for you. The hacker understood that.

Contrarian Angle
The prevailing narrative will be that this is a failure of DeFi security—another hacker gets away with millions. But consider a different lens: this is also a failure of regulatory overreach. By sanctioning Tornado Cash, the OFAC drove the mixer underground. But black markets are resilient. They adapt. The hacker’s behavior actually validates that the mixer remains the most efficient privacy tool. The regulation did not stop the hack; it only delayed the inevitable. And in that delay, the hacker learned patience.
Regulation is the lagging indicator of chaos. The real story here is that the hacker’s five-month silence is a mirror of institutional timing. In traditional finance, fund managers hold positions for quarters to avoid market impact. The hacker did the same. The difference? No SEC filing is required. No auditor asks questions. This is the ultimate under-the-radar macro trade: steal, wait, convert, hide. The market efficiency hypothesis applies even to illicit capital flows.
Takeaway
The Step Finance hack and its subsequent money laundering are not isolated incidents. They are a case study in how crypto-native thieves internalize the same principles that govern institutional trading: patience, multi-chain execution, and off-chain compliance avoidance. The next time you see a silent address holding millions, do not assume it is forgotten. The thief is just waiting for the optimal moment to exit. The liquidity pool is a mirror, not a vault. And right now, the mirror is reflecting a hacker who knows exactly how to break it.