Step Finance Hack: $40M Stolen, Platform Shuts Down Permanently

Step Finance hack infographic showing $40 million stolen from Solana DeFi platform leading to permanent shutdown

Table of Contents

Step Finance Hack: $40M Stolen, Platform Shuts Down Permanently

⚡ Key Highlights

Step Finance confirmed a $40 million security breach on January 31, 2026, when attackers compromised executive-level devices and drained treasury and fee wallets
The Step Finance hack targeted operational infrastructure, not smart contracts . The platform’s on-chain code was never touched
Approximately 261,854 SOL was unstaked and transferred out, initially valued at $27 to $30 million. A full audit later confirmed total losses near $40 million
The team recovered roughly $4.7 million using Solana’s Token22 protections and partner coordination. Not nearly enough
The STEP token collapsed more than 97% following the breach, making fundraising and recovery impossible
On February 23, 2026, Step Finance announced the permanent shutdown of its core platform, SolanaFloor, and Remora Markets
A STEP buyback program is being prepared based on a pre-hack snapshot. Remora rTokens remain 1:1 backed and redeemable for USDC

Step Finance Hack: The $40 Million Breach That Ended Solana’s Front Page

The Step Finance hack has claimed one of the Solana ecosystem’s most widely used platforms. Step Finance called itself the front page of Solana, and for millions of DeFi users, that was not an exaggeration. It was the first tab you opened to check your portfolio, track your yields, and make sense of an ecosystem that moves faster than most people can follow. On February 23, 2026, that tab went dark for good.

The Step Finance hack on January 31, 2026 drained roughly $40 million from the platform’s treasury and fee wallets. It did not exploit a smart contract vulnerability. It did not find a flaw in the Solana protocol. It compromised the personal devices of people on the executive team, used their credentials to authorize transactions, and moved hundreds of thousands of SOL before anyone could stop it. The platform spent weeks trying to find a way back. There was none.[Crypto.news]

$40M

Total Stolen

261,854

SOL Unstaked & Moved

$4.7M

Recovered

97%+

STEP Token Decline

Platforms Shut Down

What Was Step Finance?

Step Finance launched in 2021 as Solana was experiencing its first major wave of DeFi growth. Where most platforms asked you to go protocol-by-protocol to check your positions, Step brought everything into one dashboard: your staked SOL, your liquidity pool positions, your yield farms, your token balances across wallets. It became essential infrastructure for serious Solana users and grew to millions of active accounts at its peak.

Over time the team expanded. SolanaFloor became one of the most-read media and data outlets covering Solana NFTs and ecosystem news. Remora Markets pushed into tokenized real-world assets, offering users exposure to equity-style instruments on-chain. The STEP token, once trading above $10 at the height of the 2021 bull market, underpinned a staking model that returned fees to long-term holders.

By early 2026, Step Finance was not the flashiest project in the Solana ecosystem, but it was one of the most embedded. Losing it is not just a financial story. It is an infrastructure story.

How the Step Finance Hack Unfolded on January 31, 2026

During APAC trading hours on January 31, 2026, attackers gained control of devices belonging to members of Step Finance’s executive team. Using those compromised credentials, they accessed the platform’s treasury and fee wallets and began moving funds.

The first sign something was wrong came from on-chain watchers who spotted large, rapid SOL unstaking movements. Step Finance confirmed the breach publicly within hours.

“In the early afternoon hours of 31 January (APAC), approximately $40M was drained from the Step Finance treasury. This was a result of our executive team’s devices being compromised.”
– Step Finance official statement via X, January 31, 2026

Approximately 261,854 SOL was unstaked and transferred out. At the time of the attack, that SOL was worth between $27 million and $30 million. A full post-incident review later placed total losses across all asset types at close to $40 million, accounting for other treasury holdings beyond SOL that were also drained.[SC Media]

Key Point: The platform’s smart contracts were not touched. The Solana network itself was not affected. This was not a protocol hack. It was a people hack.

Step Finance Hack: Executive Device Compromise Explained

The root cause of the Step Finance hack was endpoint compromise at the executive level. The personal or work devices of senior team members were breached, giving attackers the ability to sign and broadcast transactions as if they were authorized team members.

This attack vector typically works through one of several methods:

Targeted spear-phishing emails that install credential-harvesting malware
Trojanized software updates pushed to specific targets
In some cases, physical device access or session hijacking

The attackers did not need to break Solana’s cryptography. They just needed the right person’s device and the right moment.

Once inside, the movement was fast and coordinated. SOL was unstaked in large batches and swept out before the team could respond. Step Finance engaged cybersecurity professionals immediately and used Solana’s Token22 protections in coordination with partners to freeze and recover approximately $4.7 million. Around $3.7 million in Remora-related assets and roughly $1 million elsewhere. Against $40 million in total losses, it was not enough.[CoinTelegraph]

🔍 Why Executive Device Compromises Are So Dangerous

Executive devices are prime targets because they carry elevated access privileges, including the ability to authorize transactions, modify platform controls, and access treasury wallets. When these devices are compromised, attackers bypass every on-chain security measure. A compromised seed phrase or active session on an executive laptop is all it takes to drain an entire treasury in minutes.

This is the same attack pattern seen in the Raydium trojan attack (December 2022, $4.4M lost) and the Bybit executive device compromise (February 2025, $1.46B lost). The difference is scale, Step Finance’s treasury concentration made the damage terminal.

Step Finance Hack Timeline: From Breach to Shutdown

January 31, 2026: Breach Detected

Attackers compromise executive devices during APAC hours. 261,854 SOL unstaked and moved. Breach detected and publicly confirmed by Step Finance same day.

Early February 2026: Recovery Efforts Begin

Team recovers ~$4.7M via Token22 protections and partner coordination. Financing and acquisition discussions begin with potential investors and acquirers.

February 1 to 22, 2026: Token Collapse, No Path Forward

STEP token collapses more than 97%. Multiple potential investors and acquirers approached. No viable path forward identified. Crypto investor Mike Dudas says he was contacted about a bridge round but requested a security post-mortem and received no response.[CoinTelegraph]

February 23, 2026: Permanent Shutdown Announced

Step Finance announces permanent shutdown of core platform, SolanaFloor, and Remora Markets via X. Buyback and redemption processes confirmed.

February 24, 2026 onward: Wind-Down Begins

SolanaFloor digital archive to remain accessible. Details on STEP buyback mechanics and Remora USDC redemption process forthcoming.

Full Financial Impact of the Step Finance Hack

The headline figure from the Step Finance hack is $40 million, but the actual damage to the ecosystem is harder to quantify in dollar terms alone.

Direct financial losses: Approximately 261,854 SOL plus additional treasury holdings across other asset classes, totalling close to $40 million at the time of the attack. Of that, roughly $4.7 million was recovered. The net loss was in the region of $35 million.

STEP token damage: The token fell more than 60% in the hours following the breach announcement, then continued declining as recovery hopes faded. By the time the shutdown was confirmed on February 23, STEP had lost more than 97% of its pre-hack value, trading near $0.00057. Down from an all-time high of $10.20 in August 2021.[CoinDesk]

Platform losses: SolanaFloor closes as one of Solana’s most-read media outlets. Remora Markets shuts before reaching its potential as a tokenized real-world asset product. Users who relied on Step Finance daily to track positions across Solana DeFi now have to piece together alternatives.

⚠️ Important: No user funds held in personal wallets connected to the platform were at risk. The breach targeted only wallets controlled directly by the Step Finance team.

How the Step Finance Hack Compares to Prior Solana Security Incidents

Placing the Step Finance hack in context against prior Solana incidents shows what has. And what has not changed in the ecosystem.

📊 Major Solana Security Incidents: Comparative View

Incident	Date	Loss	Attack Type	Survived?
Wormhole Bridge	Feb 2022	~$320M	Smart contract exploit	Yes (Jump Trading covered)
Mango Markets	Oct 2022	~$116M	Oracle price manipulation	Partially (shut down Jan 2025)
Raydium	Dec 2022	~$4.4M	Trojan on pool manager device	Yes
Step Finance	Jan 2026	~$40M	Executive device compromise	No

What makes the Step Finance outcome particularly sobering is the contrast with Wormhole and Mango. In both those cases, the platforms had institutional backing or community resources to absorb the damage. Step Finance had neither the balance sheet nor the institutional support. The hack was survivable for a larger protocol. For Step Finance, it was terminal.

Response, Recovery, and the Decision to Shut Down

Step Finance did not give up quickly. The team spent nearly four weeks trying to find a way to keep the platform alive, bringing in security professionals, working with partners to recover funds, and holding conversations with potential investors and acquirers. The STEP token’s collapse made fundraising nearly impossible.

“Following the hack at the end of January we explored every possible path forward, including financing and acquisition opportunities. Unfortunately, we were unable to secure a sustainable outcome and have made the difficult decision to end all operations effective immediately.”
– Step Finance, X statement, February 23, 2026

As reported by CoinTelegraph, crypto investor Mike Dudas said he was contacted about participating in a bridge round but requested a security post-mortem and received no response. Step Finance co-founder George Harrap said some parties had reached out about acquiring parts of the business, but the team was on a time crunch.

What STEP and Remora Token Holders Should Do After the Step Finance Hack

If you hold STEP tokens or Remora rTokens, here is what has been confirmed:

1️⃣ STEP Token Holders: Buyback Coming

A buyback program is being developed based on a snapshot of holdings taken before the January 31 breach. Full mechanics and timing have not yet been disclosed. Monitor the official @StepFinance_ account on X for updates. Be extremely cautious of any unofficial links, Discord messages, or emails claiming to offer early access to the buyback. This type of shutdown attracts scammers immediately.

2️⃣ Remora rToken Holders: Full 1:1 Redemption

Remora Markets has confirmed that all rTokens remain fully backed on a one-to-one basis. A redemption process is being prepared that will allow holders to exchange rTokens for USDC at full backing value. More details expected in the coming weeks.

3️⃣ SolanaFloor: Archive Only

The media outlet is shutting down active publication but plans to maintain a digital archive of existing content.

4️⃣ Step Finance Dashboard: Access Ended

Dashboard access has ended immediately. If you tracked positions through Step, you will need to use alternative portfolio trackers for Solana DeFi.

What the Crypto Industry Should Learn From the Step Finance Hack

The Step Finance hack is the latest in a clear pattern. Smart contract audits are table stakes now. The attack surface has shifted. The soft targets in 2025 and 2026 are the humans with the keys, the devices those humans use, and the operational practices that govern treasury access.

261,854 SOL moved because someone on the executive team had inadequate endpoint security. Not because Solana failed. Not because Step Finance’s smart contracts were buggy. Because a person with access to a treasury wallet was using a device that an attacker was able to compromise.

📊 Crypto Security Context: 2025 to 2026

$2.2B

Lost to infrastructure attacks in 2025

76%

Of all stolen crypto from people/process attacks

$3.4B

Total crypto theft in 2025 (Chainalysis)

Source: TRM Labs 2026 Crypto Crime Report | Chainalysis

🛡️ Critical Security Lessons

Multi-signature treasury access: Treasury operations should require authorization from multiple independent keyholders, on hardware wallets, never on internet-connected devices
Executive endpoint security: Devices with treasury access need endpoint detection software, strict software policies, and regular security audits
Treasury compartmentalization: Funds should be diversified across multiple wallets so a single compromised account cannot drain the entire operating budget
Insurance and emergency reserves: Projects should carry explicit coverage that can sustain operations through a breach

This is the same lesson the Bybit team learned in February 2025 at a cost of $1.46 billion, and the same pattern we documented in the Figure Technology data breach just weeks ago. The attack vector is consistent: compromise the person, not the protocol.

Frequently Asked Questions

❓ Were Step Finance’s smart contracts hacked?

No. The Step Finance hack targeted executive devices and operational infrastructure. The platform’s on-chain smart contracts and the Solana network itself were not compromised.

❓ Were user wallet funds at risk?

No. Only wallets controlled directly by the Step Finance team were affected. Funds in personal wallets connected to the dashboard were not at risk.

❓ Will STEP token holders be compensated?

A buyback program is being developed based on a snapshot taken before the January 31 hack. Details on mechanics and timing have not yet been disclosed. Follow @StepFinance_ on X for official updates.

❓ Are Remora rTokens still safe?

Yes. Remora Markets confirmed all rTokens remain fully backed 1:1. A USDC redemption process is being prepared.

❓ Is SolanaFloor still accessible?

SolanaFloor has stopped publishing new content but will maintain its existing website, videos, and newsletters as a digital archive.

Conclusion

Step Finance was genuinely useful. In a space crowded with projects that overpromise and underdeliver, a dashboard that millions of people used daily because it made their crypto lives easier is worth noting. Its loss is not just a number on a losses tracker.

The Step Finance hack cost $40 million and ended three platforms that were meaningful parts of the Solana ecosystem. The team is handling the wind-down responsibly with buybacks, redemptions, and an archive. That does not make the outcome less painful for people who held STEP or built products around the ecosystem Step Finance helped define.

What it does do is add another data point to an industry-wide lesson that is still not fully learned. Solana’s smart contracts are not the problem. The problem is the people holding the keys, the devices those people use, and the operational cultures that treat treasury security as an afterthought until the morning everything is gone.

This article will be updated as further details on the STEP buyback mechanics and Remora redemption process are confirmed. Follow official channels at @StepFinance_ on X for the latest updates.

⚠️ Scam Warning: The Step Finance shutdown will attract impersonators offering fake buyback links and recovery services. Only trust announcements from the verified @StepFinance_ account on X. Never share seed phrases or approve unverified transactions.

📰 More on CryptoNewsBytes

Disclaimer: This article is based on publicly available statements and on-chain data as of February 24, 2026. It does not constitute financial or investment advice. The forensic investigation into the Step Finance hack is ongoing and some details may be revised as further information becomes available.

Arun

Cybersecurity Professional & Crypto Enthusiast | Principal & Founding Editor Hands-on cybersecurity expert and blockchain & crypto security leader, reporting on AI, crypto, blockchain, and emerging threats in the crypto space at CryptoNewsBytes since 2017.

See Full Bio