Step Finance Treasury Wallet Theft via Compromised Executive Devices
Step Finance, a Solana-based DeFi platform and analytics dashboard, reported a breach in which attackers compromised devices belonging to company executives and used that access to drain multiple treasury wallets. The incident was detected on January 31, with the threat actor described as leveraging a “well-known attack vector,” though Step Finance did not publicly disclose the specific technique or attribution.
Initial third-party estimates from blockchain analytics firm CertiK put the theft at 261,854 SOL (~$28.9M), but Step Finance’s internal investigation later assessed total losses at ~$40M. Step Finance said it has recovered ~$3.7M in Remora assets and ~$1M in other positions through partner coordination and Token22 protections, temporarily halted some operations to reinforce security, and stated that Remora Markets is isolated from the incident with rTokens remaining 1:1 backed; users were also advised not to engage with the STEP token until the investigation concludes.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Step Finance reports partial recovery and Remora isolation
Step Finance said it had recovered about $3.7 million in Remora assets and roughly $1 million in other positions through Token22 protections and partner coordination. It also stated that Remora Markets was isolated from the incident and that all rTokens remained fully backed 1:1.
Step Finance discloses total losses of about $40 million
Step Finance publicly said its internal investigation found the total losses were approximately $40 million, significantly higher than the initial blockchain-based estimate. The company attributed the incident to a compromised executive-device attack using a “well-known attack vector,” without naming the attackers or the specific method.
CertiK estimates initial theft at 261,854 SOL
Blockchain analytics firm CertiK reported that 261,854 SOL, worth about $28.9 million, had been illicitly withdrawn from Step Finance. This was the first public estimate of the scale of the theft.
Step Finance halts some operations and notifies authorities
After detecting the breach, Step Finance engaged cybersecurity researchers, notified authorities, and temporarily halted some operations to reinforce security. The company also warned users not to use STEP tokens until the investigation concludes.
Step Finance detects executive-device compromise and wallet breach
On 2026-01-31 during APAC hours, Step Finance detected a security incident in which attackers compromised devices used by company executives and gained unauthorized access to multiple treasury wallets. The breach led to a drain of platform-held digital assets and prompted an internal investigation.
Sources
3 references tracked.
Open source: "$40 million worth of crypto stolen from Step Finance - hackers compromise executives’ devices to gain illicit access" | Tom's Hardware (tomshardware.com)
Open source: "Step Finance loses $40 million in executive device hack" | SC Media (scworld.com)
Open source: "Step Finance says compromised execs' devices led to $40M crypto theft" | BleepingComputer (bleepingcomputer.com)