Step Finance Shuts Down After $40M Treasury Theft
Step Finance, a Solana-based DeFi portfolio management platform, announced it is ceasing operations after a January 31 theft that drained roughly $40 million from its treasury and fee wallets. The company attributed the incident to the compromise of devices belonging to members of its executive team, and said subsequent efforts to recover—via fundraising, external liquidity, or acquisition talks—failed to produce a viable path forward.
The shutdown impacts Step Finance and affiliated projects including SolanaFloor (which will stop publishing new content but keep an archive) and Remora Markets (reported as isolated from the breach). Step Finance said it is pursuing a buyback/reimbursement process for STEP holders based on a pre-hack snapshot and a redemption process for Remora token holders; it reported partial recoveries including about $3.7M in stolen Remora assets and about $1M in other coins.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Step Finance outlines token holder reimbursement plans
Alongside the shutdown announcement, Step Finance said it would pursue a buyback program for STEP coin holders and a redemption process for Remora token holders. The company said reimbursements would use a pre-theft snapshot to support affected holders.
Step Finance announces immediate shutdown
Step Finance announced it would cease operations immediately after failing to secure financing or find an acquisition path following the January 31 theft. The company also said associated projects SolanaFloor and Remora Markets would shut down.
Step Finance recovers part of stolen assets
Following the theft, Step Finance reported recovering about $3.7 million in stolen Remora assets and roughly $1 million in other coins. The partial recovery was disclosed as part of the company’s response to the January attack.
Step Finance suffers $40 million theft after device compromise
On January 31, Step Finance said executive team members’ devices were compromised, leading to the theft of roughly $40 million from the company’s treasury and fee wallets. The incident affected the Solana-based platform’s finances and triggered its subsequent crisis response.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Cryptohack Roundup: Step Finance Shuts Down After Exploit
govinfosecurity.com
Open sourceCryptohack Roundup: Step Finance Shuts Down After Exploit
bankinfosecurity.com
Open sourceCrypto platform Step Finance shutting down after $40 million theft | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Step Finance Treasury Wallet Theft via Compromised Executive Devices
**Step Finance**, a Solana-based DeFi platform and analytics dashboard, reported a breach in which attackers **compromised devices belonging to company executives** and used that access to drain multiple **treasury wallets**. The incident was detected on **January 31**, with the threat actor described as leveraging a **“well-known attack vector,”** though Step Finance did not publicly disclose the specific technique or attribution. Initial third-party estimates from blockchain analytics firm **CertiK** put the theft at **261,854 SOL (~$28.9M)**, but Step Finance’s internal investigation later assessed total losses at **~$40M**. Step Finance said it has recovered **~$3.7M in Remora assets** and **~$1M in other positions** through partner coordination and **Token22 protections**, temporarily halted some operations to reinforce security, and stated that **Remora Markets is isolated** from the incident with **rTokens remaining 1:1 backed**; users were also advised **not to engage with the `STEP` token** until the investigation concludes.
Mar 21, 2026
Drift Protocol loses $280M after social-engineered multisig takeover
Drift Protocol, a Solana-based decentralized exchange, lost roughly **$270 million to $286 million** after attackers seized its Security Council administrative powers and drained core vaults, prompting the platform to suspend deposits and withdrawals and warn users not to add funds. Drift later said the theft was not caused by a smart contract bug or leaked seed phrases, but by a sophisticated operation that abused Solana **durable nonce** transactions and pre-signed multisig approvals to execute malicious governance changes later. Investigators and Drift said the attackers removed withdrawal limits, introduced a fake collateral asset called **`CVT`** or CarbonVote Token, manipulated controls, and rapidly moved assets out of borrow/lend products, vault deposits, and trading funds, cutting the protocol’s total value locked from about **$550 million** to below **$250 million** and sending the **DRIFT** token sharply lower. Subsequent post-mortems described the breach as the culmination of a **months-long social-engineering campaign** in which the threat actors posed as a legitimate quantitative trading firm, built trust through conferences, Telegram chats, integrations, and deposits, and likely compromised contributors through a malicious code repository and a trojanized TestFlight wallet app. Blockchain intelligence firms including **Elliptic** and **TRM Labs** said the laundering patterns, cross-chain bridging from Solana to Ethereum, use of **Tornado Cash**, and other indicators were consistent with **North Korean** tradecraft, while Drift linked the operation with medium confidence to **UNC4736 / AppleJeus / Citrine Sleet**. The fallout widened beyond Drift as critics questioned why more than **$230 million in USDC** moved through Circle’s CCTP bridge without being frozen, Solana launched new security initiatives, and Drift later secured recovery backing including up to **$127.5 million from Tether** as it worked with security firms, exchanges, bridges, and law enforcement to trace and recover funds.
Jun 8, 2026
Drift Protocol exploit drained $280M after months-long social engineering campaign
Drift Protocol, a Solana-based decentralized trading platform, said attackers stole about **$280 million to $285 million** after a months-long intrusion culminated in the takeover of administrative control and the draining of protocol vaults in roughly 12 minutes. Drift’s preliminary findings said the operation abused Solana’s **durable nonce** feature and pre-signed transactions rather than a simple smart contract flaw, while investigators reported that the attackers staged activity weeks in advance, created a fake asset called **CarbonVote Token (`CVT`)**, and manipulated its trading history so protocol oracles would accept it as collateral. The stolen assets were then swapped largely into **USDC** and **SOL**, bridged to Ethereum through Circle’s Cross-Chain Transfer Protocol, and moved onward through additional services and exchanges.
May 25, 2026