Step Finance Hack: $40M Stolen, Platform Shuts Down Permanently
β‘ Key Highlights
- Step Finance confirmed a $40 million security breach on January 31, 2026, when attackers compromised executive-level devices and drained treasury and fee wallets
- The Step Finance hack targeted operational infrastructure, not smart contracts . The platform’s on-chain code was never touched
- Approximately 261,854 SOL was unstaked and transferred out, initially valued at $27 to $30 million. A full audit later confirmed total losses near $40 million
- The team recovered roughly $4.7 million using Solana’s Token22 protections and partner coordination. Not nearly enough
- The STEP token collapsed more than 97% following the breach, making fundraising and recovery impossible
- On February 23, 2026, Step Finance announced the permanent shutdown of its core platform, SolanaFloor, and Remora Markets
- A STEP buyback program is being prepared based on a pre-hack snapshot. Remora rTokens remain 1:1 backed and redeemable for USDC
Step Finance Hack: The $40 Million Breach That Ended Solana’s Front Page
The Step Finance hack has claimed one of the Solana ecosystem’s most widely used platforms. Step Finance called itself the front page of Solana, and for millions of DeFi users, that was not an exaggeration. It was the first tab you opened to check your portfolio, track your yields, and make sense of an ecosystem that moves faster than most people can follow. On February 23, 2026, that tab went dark for good.
The Step Finance hack on January 31, 2026 drained roughly $40 million from the platform’s treasury and fee wallets. It did not exploit a smart contract vulnerability. It did not find a flaw in the Solana protocol. It compromised the personal devices of people on the executive team, used their credentials to authorize transactions, and moved hundreds of thousands of SOL before anyone could stop it. The platform spent weeks trying to find a way back. There was none.[Crypto.news]
What Was Step Finance?
Step Finance launched in 2021 as Solana was experiencing its first major wave of DeFi growth. Where most platforms asked you to go protocol-by-protocol to check your positions, Step brought everything into one dashboard: your staked SOL, your liquidity pool positions, your yield farms, your token balances across wallets. It became essential infrastructure for serious Solana users and grew to millions of active accounts at its peak.
Over time the team expanded. SolanaFloor became one of the most-read media and data outlets covering Solana NFTs and ecosystem news. Remora Markets pushed into tokenized real-world assets, offering users exposure to equity-style instruments on-chain. The STEP token, once trading above $10 at the height of the 2021 bull market, underpinned a staking model that returned fees to long-term holders.
By early 2026, Step Finance was not the flashiest project in the Solana ecosystem, but it was one of the most embedded. Losing it is not just a financial story. It is an infrastructure story.
How the Step Finance Hack Unfolded on January 31, 2026
During APAC trading hours on January 31, 2026, attackers gained control of devices belonging to members of Step Finance’s executive team. Using those compromised credentials, they accessed the platform’s treasury and fee wallets and began moving funds.
The first sign something was wrong came from on-chain watchers who spotted large, rapid SOL unstaking movements. Step Finance confirmed the breach publicly within hours.
“In the early afternoon hours of 31 January (APAC), approximately $40M was drained from the Step Finance treasury. This was a result of our executive team’s devices being compromised.”
– Step Finance official statement via X, January 31, 2026
Approximately 261,854 SOL was unstaked and transferred out. At the time of the attack, that SOL was worth between $27 million and $30 million. A full post-incident review later placed total losses across all asset types at close to $40 million, accounting for other treasury holdings beyond SOL that were also drained.[SC Media]
Step Finance Hack: Executive Device Compromise Explained
The root cause of the Step Finance hack was endpoint compromise at the executive level. The personal or work devices of senior team members were breached, giving attackers the ability to sign and broadcast transactions as if they were authorized team members.
This attack vector typically works through one of several methods:
- Targeted spear-phishing emails that install credential-harvesting malware
- Trojanized software updates pushed to specific targets
- In some cases, physical device access or session hijacking
The attackers did not need to break Solana’s cryptography. They just needed the right person’s device and the right moment.
Once inside, the movement was fast and coordinated. SOL was unstaked in large batches and swept out before the team could respond. Step Finance engaged cybersecurity professionals immediately and used Solana’s Token22 protections in coordination with partners to freeze and recover approximately $4.7 million. Around $3.7 million in Remora-related assets and roughly $1 million elsewhere. Against $40 million in total losses, it was not enough.[CoinTelegraph]
π Why Executive Device Compromises Are So Dangerous
Executive devices are prime targets because they carry elevated access privileges, including the ability to authorize transactions, modify platform controls, and access treasury wallets. When these devices are compromised, attackers bypass every on-chain security measure. A compromised seed phrase or active session on an executive laptop is all it takes to drain an entire treasury in minutes.
This is the same attack pattern seen in the Raydium trojan attack (December 2022, $4.4M lost) and the Bybit executive device compromise (February 2025, $1.46B lost). The difference is scale, Step Finance’s treasury concentration made the damage terminal.
Step Finance Hack Timeline: From Breach to Shutdown
Full Financial Impact of the Step Finance Hack
The headline figure from the Step Finance hack is $40 million, but the actual damage to the ecosystem is harder to quantify in dollar terms alone.
Direct financial losses: Approximately 261,854 SOL plus additional treasury holdings across other asset classes, totalling close to $40 million at the time of the attack. Of that, roughly $4.7 million was recovered. The net loss was in the region of $35 million.
STEP token damage: The token fell more than 60% in the hours following the breach announcement, then continued declining as recovery hopes faded. By the time the shutdown was confirmed on February 23, STEP had lost more than 97% of its pre-hack value, trading near $0.00057. Down from an all-time high of $10.20 in August 2021.[CoinDesk]
Platform losses: SolanaFloor closes as one of Solana’s most-read media outlets. Remora Markets shuts before reaching its potential as a tokenized real-world asset product. Users who relied on Step Finance daily to track positions across Solana DeFi now have to piece together alternatives.
How the Step Finance Hack Compares to Prior Solana Security Incidents
Placing the Step Finance hack in context against prior Solana incidents shows what has. And what has not changed in the ecosystem.
π Major Solana Security Incidents: Comparative View
| Incident | Date | Loss | Attack Type | Survived? |
|---|---|---|---|---|
| Wormhole Bridge | Feb 2022 | ~$320M | Smart contract exploit | Yes (Jump Trading covered) |
| Mango Markets | Oct 2022 | ~$116M | Oracle price manipulation | Partially (shut down Jan 2025) |
| Raydium | Dec 2022 | ~$4.4M | Trojan on pool manager device | Yes |
| Step Finance | Jan 2026 | ~$40M | Executive device compromise | No |
What makes the Step Finance outcome particularly sobering is the contrast with Wormhole and Mango. In both those cases, the platforms had institutional backing or community resources to absorb the damage. Step Finance had neither the balance sheet nor the institutional support. The hack was survivable for a larger protocol. For Step Finance, it was terminal.
Response, Recovery, and the Decision to Shut Down
Step Finance did not give up quickly. The team spent nearly four weeks trying to find a way to keep the platform alive, bringing in security professionals, working with partners to recover funds, and holding conversations with potential investors and acquirers. The STEP token’s collapse made fundraising nearly impossible.
“Following the hack at the end of January we explored every possible path forward, including financing and acquisition opportunities. Unfortunately, we were unable to secure a sustainable outcome and have made the difficult decision to end all operations effective immediately.”
– Step Finance, X statement, February 23, 2026
As reported by CoinTelegraph, crypto investor Mike Dudas said he was contacted about participating in a bridge round but requested a security post-mortem and received no response. Step Finance co-founder George Harrap said some parties had reached out about acquiring parts of the business, but the team was on a time crunch.
What STEP and Remora Token Holders Should Do After the Step Finance Hack
If you hold STEP tokens or Remora rTokens, here is what has been confirmed:
What the Crypto Industry Should Learn From the Step Finance Hack
The Step Finance hack is the latest in a clear pattern. Smart contract audits are table stakes now. The attack surface has shifted. The soft targets in 2025 and 2026 are the humans with the keys, the devices those humans use, and the operational practices that govern treasury access.
261,854 SOL moved because someone on the executive team had inadequate endpoint security. Not because Solana failed. Not because Step Finance’s smart contracts were buggy. Because a person with access to a treasury wallet was using a device that an attacker was able to compromise.
π Crypto Security Context: 2025 to 2026
Source: TRM Labs 2026 Crypto Crime Report | Chainalysis
π‘οΈ Critical Security Lessons
- Multi-signature treasury access: Treasury operations should require authorization from multiple independent keyholders, on hardware wallets, never on internet-connected devices
- Executive endpoint security: Devices with treasury access need endpoint detection software, strict software policies, and regular security audits
- Treasury compartmentalization: Funds should be diversified across multiple wallets so a single compromised account cannot drain the entire operating budget
- Insurance and emergency reserves: Projects should carry explicit coverage that can sustain operations through a breach
This is the same lesson the Bybit team learned in February 2025 at a cost of $1.46 billion, and the same pattern we documented in the Figure Technology data breach just weeks ago. The attack vector is consistent: compromise the person, not the protocol.
Frequently Asked Questions
Conclusion
Step Finance was genuinely useful. In a space crowded with projects that overpromise and underdeliver, a dashboard that millions of people used daily because it made their crypto lives easier is worth noting. Its loss is not just a number on a losses tracker.
The Step Finance hack cost $40 million and ended three platforms that were meaningful parts of the Solana ecosystem. The team is handling the wind-down responsibly with buybacks, redemptions, and an archive. That does not make the outcome less painful for people who held STEP or built products around the ecosystem Step Finance helped define.
What it does do is add another data point to an industry-wide lesson that is still not fully learned. Solana’s smart contracts are not the problem. The problem is the people holding the keys, the devices those people use, and the operational cultures that treat treasury security as an afterthought until the morning everything is gone.
This article will be updated as further details on the STEP buyback mechanics and Remora redemption process are confirmed. Follow official channels at @StepFinance_ on X for the latest updates.
π° More on CryptoNewsBytes
Sources: Step Finance (X) | Crypto.news | CoinDesk | CoinTelegraph | SC Media | TRM Labs
Disclaimer: This article is based on publicly available statements and on-chain data as of February 24, 2026. It does not constitute financial or investment advice. The forensic investigation into the Step Finance hack is ongoing and some details may be revised as further information becomes available.
