Step Finance drained: $40 million worth of crypto stolen in "executive device" heist
- Marijan Hassan - Tech Journalist
Solana’s largest portfolio manager suffers breach; hackers exploit off-chain weakness to bypass smart contract security.

Decentralized Finance (DeFi) platform Step Finance has confirmed the theft of approximately $40 million in digital assets. The heist, detected on January 31, 2026, did not target the platform's code but the human element: attackers compromised the devices used by the company's executive team and used that access to take control of high-value treasury wallets.
The incident triggered a massive sell-off, causing the platform's native STEP token to plummet by over 80% within hours of the disclosure.
The attack: a "well-known" vector
Security researchers at CertiK and Halborn indicate that the attackers used an "off-chain" strategy: rather than hunting for bugs in Step's smart contracts, they targeted the signing infrastructure used by the platform's leadership.
The attackers first gained unauthorized access to the personal devices of Step Finance executives. This is believed to have been achieved through a targeted phishing or social engineering campaign that allowed specialized malware to be installed on those devices.
With the signers' devices under their control, the hackers were able to get past the wallets' multi-signature protections, since a multisig only checks that enough keys have signed, not whether those keys are being used by their rightful holders. They then unstaked 261,854 SOL (worth roughly $29 million at the time) and drained various other treasury assets, bringing the total loss to approximately $40 million.
On-chain data shows the stolen SOL was immediately bridged and swapped for Monero (XMR) via instant exchanges to obscure the money trail before it could be frozen by centralized platforms.
Emergency recovery and "Token22" protections
Step Finance has spent the last week in "remediation mode," working with external cybersecurity specialists and federal authorities to recover what remains.
The team has recovered approximately $4.7 million in "Remora" assets and other positions, thanks in part to protections in the Token22 standard (Solana's Token-2022 token program) that gave it more granular control over specific asset classes during the emergency.
Step Finance has also filed formal reports with the FBI, providing them with the "digital fingerprints" left behind during the device compromises.
Status of user funds
The project has emphasized that while the treasury was hit hard, individual user wallets remained unaffected. The hackers gained access only to the project's own reserves and fee-collection wallets.
The "wrench attack" warning
The Step Finance breach coincides with a sobering report from CertiK regarding a surge in "physical" and "endpoint" security threats.
The firm’s "Skynet Wrench Attacks Report" notes that as smart contract audits become more robust, hackers are shifting their focus to private key coercion and endpoint malware. In January 2026 alone, the industry saw over $370 million lost to exploits, with the vast majority (over $311 million) attributed to phishing and social engineering rather than code vulnerabilities.
"This incident underscores the critical need for 'Cold Storage' for project treasuries," noted a lead researcher at Halborn. "Relying on 'hot' devices for high-value signing, even with multi-sig, is proving to be a single point of failure in the modern threat landscape."
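To make the point in that quote concrete, here is an added illustration in Python (it is not code from Step Finance, CertiK or Halborn, and it does not model the actual wallets involved). It simulates a 2-of-4 treasury multisig in two configurations: a plain k-of-n, where a drain executes the moment an attacker holding two stolen hot keys signs it, and a hardened policy where any spend above a limit must carry an approval from an offline "cold" key and sit in a timelock that other signers can veto. The signer names, the 10,000 SOL limit and the 48-hour delay are assumptions for the scenario; the 261,854 SOL figure is the one reported above.

```python
"""Constructed model of a k-of-n treasury multisig, with and without spend controls."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signer:
    name: str
    cold: bool  # True = key lives on an offline/hardware signer, False = key on an everyday device


@dataclass
class Proposal:
    amount_sol: int
    created_at: int                 # tick at which the proposal was queued
    approvals: set = field(default_factory=set)
    vetoed: bool = False


@dataclass
class Policy:
    threshold: int                  # k in k-of-n
    large_amount_sol: float         # spends at or above this get the extra controls
    timelock_ticks: int             # mandatory delay (seconds) before a large spend can execute
    require_cold_for_large: bool    # at least one approval must come from a cold key


def can_execute(policy: Policy, signers: dict, proposal: Proposal, now: int):
    """Return (ok, reason). A plain multisig is the case with no large-spend controls:
    it only ever checks that enough keys signed, never who was holding them."""
    if proposal.vetoed:
        return False, "vetoed"
    if len(proposal.approvals) < policy.threshold:
        return False, "no quorum"
    if proposal.amount_sol >= policy.large_amount_sol:
        if policy.require_cold_for_large and not any(signers[n].cold for n in proposal.approvals):
            return False, "large spend needs a cold-key approval"
        if now - proposal.created_at < policy.timelock_ticks:
            return False, "timelock pending"
    return True, "executed"


def attacker_drain(policy: Policy, signers: dict, compromised: list, amount_sol: int, now: int):
    """An attacker who controls the devices of `compromised` signers queues a drain,
    approves it with every stolen key, and tries to execute at once and after the delay."""
    proposal = Proposal(amount_sol=amount_sol, created_at=now)
    proposal.approvals.update(compromised)
    immediate = can_execute(policy, signers, proposal, now)
    after_delay = can_execute(policy, signers, proposal, now + policy.timelock_ticks)
    return immediate, after_delay, proposal


# Assumed signer set: three executives with keys on laptops/phones, one offline vault key.
SIGNERS = {
    "ceo": Signer("ceo", cold=False),
    "cto": Signer("cto", cold=False),
    "cfo": Signer("cfo", cold=False),
    "vault": Signer("vault", cold=True),
}
PLAIN = Policy(threshold=2, large_amount_sol=float("inf"), timelock_ticks=0,
               require_cold_for_large=False)
HARDENED = Policy(threshold=2, large_amount_sol=10_000, timelock_ticks=48 * 3600,
                  require_cold_for_large=True)


def run_scenarios() -> dict:
    compromised = ["ceo", "cto"]    # hot keys harvested by endpoint malware
    drain_sol = 261_854             # the unstake amount reported in the article
    results = {}

    # Plain 2-of-4: two stolen hot keys are a quorum, and the drain executes immediately.
    results["plain_hot_quorum"] = attacker_drain(PLAIN, SIGNERS, compromised, drain_sol, now=0)[0]

    # Hardened policy: the same two keys are a quorum but cannot move a large amount alone.
    hard_now, hard_later, proposal = attacker_drain(HARDENED, SIGNERS, compromised, drain_sol, now=0)
    results["hardened_hot_quorum"] = hard_now
    results["hardened_hot_quorum_after_delay"] = hard_later

    # Worst case: the vault holder is also tricked into approving. The timelock still
    # holds the spend, and an honest signer who notices can veto it before it matures.
    proposal.approvals.add("vault")
    results["hardened_cold_tricked"] = can_execute(HARDENED, SIGNERS, proposal, now=0)
    proposal.vetoed = True
    results["hardened_after_veto"] = can_execute(HARDENED, SIGNERS, proposal, HARDENED.timelock_ticks)

    # Routine operations are not slowed down: a small payment with two hot keys still clears.
    routine = Proposal(amount_sol=500, created_at=0, approvals={"ceo", "cfo"})
    results["hardened_routine"] = can_execute(HARDENED, SIGNERS, routine, now=0)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The model is deliberately simple: the point is that raising the signer threshold alone does nothing once the attacker owns the devices the keys live on, whereas an offline signer plus a delay changes who must be compromised and buys time for the theft to be noticed and stopped.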