Audit log

Every state-changing event for Step Finance Treasury Theft (January 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-14 14:43:13Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 426,436,829

   sig

   57rWSzkYi7Mw…kZZkMeLrcopyexplorer ↗

   hash

   6FzZQUpv8pSX…Xnv4GwaLcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (19150 B) ▸

   {"actor":"system:backfill","investigation_id":"662ba4ff-48a3-442d-a08f-d4b84a14e8c4","kind":"publish","page_slug":"step-finance-treasury-theft-january-2026","published_at":"2026-06-14T14:43:13.730Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Step Finance Treasury Theft (January 2026)","sections":[{"content":"Step Finance confirmed on January 31, 2026 that several of its treasury wallets were compromised during APAC trading hours. The attacker drained approximately 261,854 SOL — valued at roughly $27.3 million USD at the time of the theft — from the protocol's treasury and fee-collection wallets. The platform described the perpetrator as \"a sophisticated actor\" and characterized the attack vector as \"a well-known attack vector,\" though the team did not immediately specify the exact method in its initial public disclosure. Some security researchers and post-incident analyses assessed total losses as high as $40 million when accounting for all affected assets across treasury and affiliated protocol wallets.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"Solana DeFi platform Step Finance hit by $27 million treasury hack as token price craters — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/01/31/solana-based-defi-platform-step-finance-hit-by-usd30-million-treasury-hack-as-token-price-craters"},{"credibility":2,"name":"Step Finance treasury wallets breached, $27M in SOL drained as STEP crashes 90% — TradingView / CoinTelegraph","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:f91785969094b:0-step-finance-treasury-wallets-breached-27m-in-sol-drained-as-step-crashes-90/"},{"credibility":2,"name":"Explained: The Step Finance Hack (January 2026) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-step-finance-hack-january-2026"}]},{"content":"Step Finance confirmed on approximately February 2, 2026 that the breach stemmed from the compromise of executive team members' devices. Attackers are alleged to have obtained access through phishing or social engineering techniques, enabling the installation of malware or the direct exfiltration of private keys. This gave the attacker direct control over the cryptographic material needed to authorize staking and withdrawal operations on behalf of the protocol. The breach did not involve any smart contract vulnerability; it was entirely an off-chain operational security failure. The attacker used the stolen credentials to change the staker authority and withdrawer authority on the protocol's staked SOL positions, reassigning those permissions to attacker-controlled wallets before executing the unstake and withdrawal sequence.","heading":"Attack Vector: Executive Device Compromise","severity":"critical","sources":[{"credibility":2,"name":"Step Finance says compromised execs' devices led to $40M crypto theft — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/step-finance-says-compromised-execs-devices-led-to-40m-crypto-theft/"},{"credibility":2,"name":"$40 million worth of crypto stolen from Step Finance — hackers compromise executives' devices — Tom's Hardware","type":"news_article","url":"https://www.tomshardware.com/tech-industry/cyber-security/usd40-million-worth-of-crypto-stolen-from-step-finance-hackers-compromise-executives-devices-to-gain-illicit-access"},{"credibility":3,"name":"Step Finance drained: $40 million worth of crypto stolen in executive device heist — TechNewsHub","type":"news_article","url":"https://www.technewshub.co.uk/post/step-finance-drained-40-million-worth-of-crypto-stolen-in-executive-device-heist"},{"credibility":2,"name":"Explained: The Step Finance Hack (January 2026) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-step-finance-hack-january-2026"}]},{"content":"Blockchain security firm CertiK flagged the unusual movement of staked SOL in real time. On-chain analysis identified the primary attacker authorization wallet as LEP1uHXcWbFEPwQgkeFzdhW2ykgZY6e9Dz8Yro6SdNu, and a secondary wallet at 7raxiejD8hDUH1wyYWFDPrEuHiLUjJ4RiZi2z1u2udNh. The attacker modified the staker authority and withdrawer authority of Step Finance's stake accounts to these wallets, a prerequisite step on Solana for unstaking and withdrawing delegated SOL. Two key on-chain transactions have been identified in post-incident analyses: the unstaking transaction (signature: 5EeXqPQci3ZnbFGWPJf622cLqLGnMuNcAr1rDGCizKRFt9owawCzovNpBC4xNh7A4a5p7Qkvsg8nPaYmw3MiYCvF) and the main withdrawal of 261,932 SOL (signature: 4Ly35PsVTBNPVibpDRww6FC43pU5Tuw6UtaKECzcLKXtWTPyyvw1dw8LoNRLBDMgQUP81nN69mhiAEDJvzL8X317). The stolen SOL was transferred to unknown external addresses. The attacker identity has not been publicly confirmed by law enforcement as of the investigation date.","heading":"On-Chain Forensics","severity":"critical","sources":[{"credibility":2,"name":"Step Finance Rekt — Rekt News","type":"research","url":"https://rekt.news/step-finance-rekt"},{"credibility":3,"name":"Step Finance Hack: $27M SOL Stolen, STEP Crashes 93% — Bitcoin Ethereum News","type":"news_article","url":"https://bitcoinethereumnews.com/tech/step-finance-hack-27m-sol-stolen-step-crashes-93/"},{"credibility":2,"name":"Step Finance treasury wallets breached — TradingView / CoinTelegraph","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:f91785969094b:0-step-finance-treasury-wallets-breached-27m-in-sol-drained-as-step-crashes-90/"}]},{"content":"The STEP governance token experienced an immediate and severe collapse following the public disclosure of the breach. The token declined approximately 93% within a single trading day, falling from roughly $0.023 to $0.001578. After the February 24, 2026 shutdown announcement, STEP fell an additional 34–36% within 24 hours, trading at approximately $0.0006013. Over the full arc of the incident, STEP lost approximately 96% of its value from pre-hack levels. The token's collapse reflected the market's assessment that there was no viable path to recovery for the protocol.","heading":"Market Impact: STEP Token Collapse","severity":"high","sources":[{"credibility":2,"name":"Step Finance treasury wallets breached, $27M in SOL drained as STEP crashes 90% — CoinTelegraph via TradingView","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:f91785969094b:0-step-finance-treasury-wallets-breached-27m-in-sol-drained-as-step-crashes-90/"},{"credibility":1,"name":"Step Finance shuts operations after $27 million January hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/02/24/step-finance-shuts-operations-after-usd27-million-january-hack"},{"credibility":3,"name":"Step Finance Shuts Down After $27M Hack, Dealing Blow to Solana DeFi — CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/02/24/step-finance-shutdown-solana-hack"}]},{"content":"On February 24, 2026, Step Finance announced the permanent cessation of all operations. Co-founder George Harrap described the decision as \"a difficult day\" and stated that his immediate priority was finding roles for the team. The official statement noted: \"Following the hack at the end of January we explored every possible path forward, including financing and acquisition opportunities. Unfortunately, we were unable to secure a viable outcome and have made the difficult decision to end all operations effective immediately.\" In addition to the core Step Finance portfolio platform, two affiliated projects also shut down: SolanaFloor, a Solana-focused media and NFT analytics outlet, and Remora Markets, a tokenization and lending platform. At the time of the shutdown, Step Finance had served an estimated 300,000–350,000 monthly active users and aggregated data from approximately 95% of Solana protocols.","heading":"Platform Shutdown and Affiliated Projects","severity":"high","sources":[{"credibility":1,"name":"Step Finance shuts operations after $27 million January hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/02/24/step-finance-shuts-operations-after-usd27-million-january-hack"},{"credibility":1,"name":"Crypto platform Step Finance shutting down after $40 million theft — The Record (Recorded Future)","type":"news_article","url":"https://therecord.media/step-finance-cryptocurrency-theft-shutdown"},{"credibility":3,"name":"Step Finance Shuts Down After $40M January Hack — Techloy","type":"news_article","url":"https://www.techloy.com/step-finance-shuts-down-after-40m-january-hack/"}]},{"content":"Step Finance reported recovering approximately $4.7 million in assets through Token22 protections and Remora-related holdings. The team announced a buyback program for holders of the native STEP token based on a pre-hack snapshot of holdings and valuations, though this program covers only a fraction of the total loss. A separate redemption process was established for holders of Remora tokens. The Recorded Future News report noted that approximately $3.7 million in Remora assets and $1 million in other coins were recovered. The buyback program was not expected to make holders whole, given that the primary treasury loss of 261,854 SOL remained unrecovered.","heading":"Recovery Efforts and User Reimbursement","severity":"medium","sources":[{"credibility":1,"name":"Crypto platform Step Finance shutting down after $40 million theft — The Record (Recorded Future)","type":"news_article","url":"https://therecord.media/step-finance-cryptocurrency-theft-shutdown"},{"credibility":3,"name":"STEP Holders Get Buyback as Solana Projects Shut Down — CoinFomania","type":"news_article","url":"https://coinfomania.com/step-holders-get-buyback-as-solana-projects-shut-down/"},{"credibility":3,"name":"Step Finance Hack: A $27M Liquidity Drain and Token Collapse — Ainvest","type":"news_article","url":"https://www.ainvest.com/news/step-finance-hack-27m-liquidity-drain-token-collapse-2602/"}]},{"content":"Step Finance was a Solana-based DeFi portfolio tracker and analytics platform founded in 2021 by George Harrap, originating from a Solana hackathon in February 2021. The platform began as a dollar-cost averaging (DCA) contract before pivoting to become a comprehensive portfolio management dashboard, eventually covering approximately 95% of Solana protocols. Step Finance expanded through acquisitions into NFT analytics (SolanaFloor) and real-world asset tokenization (Remora Markets). The protocol operated a Solana validator node and used validator earnings to fund STEP token buybacks, creating a link between treasury health and token economics. Prior to the January 2026 incident, Step Finance reported up to 350,000 monthly active users.","heading":"Background: Step Finance","severity":"low","sources":[{"credibility":2,"name":"Step Finance on Solana: Project Review, Programs, Token, Metrics — Solana Compass","type":"other","url":"https://solanacompass.com/projects/step-finance"},{"credibility":2,"name":"George Harrap — Co-Founder of Step Finance — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/george-harrap-e876"},{"credibility":1,"name":"Solana DeFi platform Step Finance hit by $27 million treasury hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/01/31/solana-based-defi-platform-step-finance-hit-by-usd30-million-treasury-hack-as-token-price-craters"}]},{"content":"The Step Finance incident occurred during a broader wave of DeFi security incidents in January 2026. Total crypto theft for the month of January 2026 was reported at nearly $400 million across multiple platforms. Step Finance was cited alongside incidents at Drift Protocol and Rhea Finance as among the largest hacks of the period in the 2026 DeFi exploit landscape. The Step Finance theft was notable for being an operational security failure rather than a smart contract exploit, illustrating that private key and endpoint security remain a significant attack surface even for established protocols.","heading":"Broader Context: January 2026 DeFi Hack Wave","severity":"medium","sources":[{"credibility":2,"name":"Crypto Theft Hit Nearly $400 Million in January 2026 — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/news/crypto-theft-hit-nearly-400-180626234.html"},{"credibility":2,"name":"400M+ Lost to DeFi Exploits in 2026 — Drift Protocol, Rhea Finance, Step Finance Among Biggest Hacks — CCN","type":"news_article","url":"https://www.ccn.com/education/crypto/defi-hacks-2026-137m-lost-step-finance-truebit-resolv-exploits/"}]}],"sources_used":[{"credibility":1,"name":"Solana DeFi platform Step Finance hit by $27 million treasury hack as token price craters — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/01/31/solana-based-defi-platform-step-finance-hit-by-usd30-million-treasury-hack-as-token-price-craters"},{"credibility":1,"name":"Step Finance shuts operations after $27 million January hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/02/24/step-finance-shuts-operations-after-usd27-million-january-hack"},{"credibility":1,"name":"Crypto platform Step Finance shutting down after $40 million theft — The Record (Recorded Future News)","type":"news_article","url":"https://therecord.media/step-finance-cryptocurrency-theft-shutdown"},{"credibility":2,"name":"Step Finance says compromised execs' devices led to $40M crypto theft — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/step-finance-says-compromised-execs-devices-led-to-40m-crypto-theft/"},{"credibility":2,"name":"Explained: The Step Finance Hack (January 2026) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-step-finance-hack-january-2026"},{"credibility":2,"name":"Step Finance Rekt — Rekt News","type":"research","url":"https://rekt.news/step-finance-rekt"},{"credibility":2,"name":"Step Finance treasury wallets breached, $27M in SOL drained as STEP crashes 90% — CoinTelegraph via TradingView","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:f91785969094b:0-step-finance-treasury-wallets-breached-27m-in-sol-drained-as-step-crashes-90/"},{"credibility":2,"name":"$30M Stolen as Step Finance Treasury Wallets Compromised — CryptoNews via Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/news/30m-stolen-step-finance-treasury-082939652.html"},{"credibility":2,"name":"400M+ Lost to DeFi Exploits in 2026 — CCN","type":"news_article","url":"https://www.ccn.com/education/crypto/defi-hacks-2026-137m-lost-step-finance-truebit-resolv-exploits/"},{"credibility":2,"name":"Crypto Theft Hit Nearly $400 Million in January 2026 — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/news/crypto-theft-hit-nearly-400-180626234.html"},{"credibility":2,"name":"$40 million worth of crypto stolen from Step Finance — Tom's Hardware","type":"news_article","url":"https://www.tomshardware.com/tech-industry/cyber-security/usd40-million-worth-of-crypto-stolen-from-step-finance-hackers-compromise-executives-devices-to-gain-illicit-access"},{"credibility":2,"name":"Step Finance on Solana: Project Review — Solana Compass","type":"other","url":"https://solanacompass.com/projects/step-finance"},{"credibility":2,"name":"George Harrap — Co-Founder of Step Finance — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/george-harrap-e876"},{"credibility":3,"name":"STEP Holders Get Buyback as Solana Projects Shut Down — CoinFomania","type":"news_article","url":"https://coinfomania.com/step-holders-get-buyback-as-solana-projects-shut-down/"},{"credibility":3,"name":"Step Finance Treasury Breach: A Case Study in Operational Security Failure — Cryip","type":"other","url":"https://cryip.co/step-finance-treasury-breach/"}],"summary":"On January 31, 2026, Step Finance, a Solana-based portfolio tracking and DeFi analytics platform, suffered a treasury theft in which an attacker drained approximately 261,854 SOL (valued at roughly $27.3 million at the time) after compromising executive team devices and seizing staking authority over protocol wallets. The incident led to a 93% collapse in the STEP governance token price and ultimately forced the permanent shutdown of Step Finance and its affiliated projects SolanaFloor and Remora Markets by February 24, 2026.","timeline":[{"date":"2021-02-01","event":"Step Finance founded, originating from a Solana hackathon; initially a DCA contract before pivoting to a portfolio tracker.","source":"Solana Compass","source_url":"https://solanacompass.com/projects/step-finance"},{"date":"2026-01-31","event":"Attacker compromises executive team devices, seizes staker and withdrawer authority over Step Finance's staked SOL positions, unstakes and drains approximately 261,854 SOL (~$27.3M) from treasury wallets during APAC trading hours.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/01/31/solana-based-defi-platform-step-finance-hit-by-usd30-million-treasury-hack-as-token-price-craters"},{"date":"2026-01-31","event":"Step Finance discloses breach publicly on X (formerly Twitter), describes it as a compromise of 'several treasury wallets' by 'a sophisticated actor.' STEP token crashes approximately 93% within 24 hours.","source":"CoinTelegraph via TradingView","source_url":"https://www.tradingview.com/news/cointelegraph:f91785969094b:0-step-finance-treasury-wallets-breached-27m-in-sol-drained-as-step-crashes-90/"},{"date":"2026-01-31","event":"CertiK confirms on-chain that 261,854 SOL was unstaked and transferred from Step Finance-controlled wallets to attacker-controlled addresses.","source":"Rekt News","source_url":"https://rekt.news/step-finance-rekt"},{"date":"2026-02-02","event":"Step Finance confirms that the breach originated from the compromise of executive team members' devices.","source":"Rekt News / Halborn Security","source_url":"https://www.halborn.com/blog/post/explained-the-step-finance-hack-january-2026"},{"date":"2026-02-24","event":"Step Finance announces permanent shutdown of all operations, citing inability to secure financing or acquisition after exhausting all strategic alternatives. SolanaFloor and Remora Markets also cease operations. STEP token falls an additional 34-36% on the announcement.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/02/24/step-finance-shuts-operations-after-usd27-million-january-hack"},{"date":"2026-02-24","event":"Co-founder George Harrap states the shutdown is 'a difficult day' and prioritizes finding roles for team members. Step Finance announces a STEP token buyback program based on a pre-hack snapshot, and a separate Remora token redemption process. Approximately $4.7M in assets recovered through Token22 and Remora holdings.","source":"The Record (Recorded Future News)","source_url":"https://therecord.media/step-finance-cryptocurrency-theft-shutdown"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 65741ba6-7484-4821-90ab-e03e6e73269ecopy