In a significant security breach that has sent ripples through the decentralized finance (DeFi) space, Step Finance, a prominent analytics and portfolio management platform built on the Solana blockchain, confirmed that it lost approximately $40 million worth of digital assets after attackers gained access through compromised devices belonging to members of its executive team.
What Happened?
On January 31, 2026, the Step Finance team detected unusual activity involving transfers from several of its treasury wallets. Initial analysis revealed that threat actors had managed to breach multiple administrative systems after compromising devices used by high-level company personnel.
Unlike common smart contract exploits or on-chain vulnerabilities, this attack originated at the human and operational level — specifically, through endpoint devices with privileged access. This type of breach highlights a growing trend in cryptocurrency thefts, where attackers target people and systems outside of core protocol code.
Scale of the Loss and Recovery Efforts
Step Finance reported that roughly $40 million in assets was stolen in total. This figure comes from the platform’s ongoing accounting and forensic analysis, which revised earlier estimates tied to on-chain movements.
Despite the severity of the incident, coordinated efforts with cybersecurity specialists and partner platforms have resulted in partial recoveries. According to public statements, about $3.7 million in Remora-related assets and roughly $1 million in other positions have been reclaimed through remediation safeguards and partner intervention.
Step Finance also worked promptly with law enforcement agencies and external researchers to investigate the breach and trace stolen funds.
Operational Response and Ongoing Security Measures
Following the breach, Step Finance temporarily paused certain operations as a precaution and initiated a comprehensive security review. The platform clarified that Remora Markets — a key component of its ecosystem — was not directly affected by the incident and that custodial rTokens remain fully backed on a 1:1 basis.
To protect users and stabilize the ecosystem, Step Finance advised all users to refrain from interacting with the native STEP token until the investigation is complete and all security enhancements are deployed. The team also stated its intention to take a system snapshot from before the exploit, which could serve as a foundation for restitution strategies for impacted holders.
Broader Impact on Solana and DeFi Security
As one of the most widely adopted dashboards for Solana users to visualize and manage their assets, Step Finance occupies a central position in the network’s DeFi infrastructure. The breach has underscored the importance of robust endpoint and executive security practices, especially for teams managing large pools of assets or privileged controls.
Industry analysts note that this type of human-targeted attack represents an evolving threat vector — one where attackers are bypassing traditional smart contract defenses and instead focusing on corporate systems, devices, and personnel to achieve their aims.
Looking Ahead
Investigations are still underway to determine how the attackers initially accessed the executive devices and which specific techniques they employed. Until those details are fully disclosed, the incident will serve as a stark reminder that DeFi security extends beyond blockchain code to include governance, personnel practices, and comprehensive device security.
Step Finance has pledged to continue updating the community as new information emerges and as recovery and reinforcement efforts progress.
