Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
Decision
publish · Step Finance Hack and Shutdown
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 428474291
- Off-chain at: 2026-06-23T23:30:18.167Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): 7gPU7tCaz4fJN9UUKNoJvtCzVXSqUjXspFS7wMrJgRiK
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (21730 chars)
{"actor":"system:backfill","investigation_id":"417302cd-7090-4909-8dce-29c2cea72ba9","kind":"publish","page_slug":"step-finance-hack-shutdown-2026","published_at":"2026-06-23T23:30:18.069Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Step Finance Hack and Shutdown","sections":[{"content":"Step Finance launched in early 2021 following a Solana hackathon and positioned itself as the primary portfolio management and DeFi aggregation dashboard for the Solana ecosystem. The platform allowed users to visualize, analyze, and execute transactions across multiple Solana protocols from a single interface. In April 2021, Step Finance raised $2 million in a seed round led by Alameda Research, with participation from 3 Commas Capital, Raydium, One Block, and Solidity Ventures. Co-founder George Harrap, a long-time crypto entrepreneur with roots in Bitcoin mining since 2011 and a prior crypto remittance venture, led the project. Over time, Step Finance expanded beyond portfolio tracking through strategic acquisitions: SolanaFloor (an NFT analytics and media outlet focused on the Solana ecosystem) and Remora Markets (a tokenized RWA and lending protocol). 
At its peak, the platform reported over 350,000 monthly active users and the STEP governance token reached an all-time high of approximately $10.20 in August 2021.","heading":"Background: Step Finance and the Solana Ecosystem","severity":"low","sources":[{"credibility":1,"name":"CoinDesk: Step Finance Raises $2M From Alameda Research, 3 Commas","type":"news_article","url":"https://www.coindesk.com/business/2021/04/13/solana-dashboard-step-finance-raises-2m-from-alameda-research-3-commas"},{"credibility":2,"name":"The Defiant: Step Finance Raises $2M in Round Led by Alameda Research","type":"news_article","url":"https://thedefiant.io/news/defi/step-finance-raises-2m-in-round-led-by-alameda-research"},{"credibility":1,"name":"CoinTelegraph: Step Finance, SolanaFloor, Remora Markets Wind Down Operations","type":"news_article","url":"https://cointelegraph.com/news/step-finance-solanafloor-remora-markets-wind-down-operations"}]},{"content":"On January 31, 2026, during APAC trading hours, attackers gained unauthorized access to multiple Step Finance treasury and fee wallets by compromising devices belonging to members of the executive team. This was not a smart contract exploit or flash loan attack — the root cause was an operational security failure in which private keys were exposed through compromised executive hardware, allegedly via social engineering or targeted malware. The attackers transferred stake authorization for the treasury SOL to a fresh wallet address (LEP1uHXcWbFEPwQgkeFzdhW2ykgZY6e9Dz8Yro6SdNu), which enabled the unstaking and subsequent withdrawal of SOL from Step Finance's accounts without triggering smart-contract-level defenses. 
Key on-chain transactions identified by blockchain security firm CertiK and on-chain analysts include the unstaking transaction (hash: 5EeXqPQci3ZnbFGWPJf622cLqLGnMuNcAr1rDGCizKRFt9owawCzovNpBC4xNh7A4a5p7Qkvsg8nPaYmw3MiYCvF) and the withdrawal of 261,932 SOL (hash: 4Ly35PsVTBNPVibpDRww6FC43pU5Tuw6UtaKECzcLKXtWTPyyvw1dw8LoNRLBDMgQUP81nN69mhiAEDJvzL8X317). A secondary wallet address (7raxiejD8hDUH1wyYWFDPrEuHiLUjJ4RiZi2z1u2udNh) was also identified as part of the operation. Stolen funds remained visible on-chain initially without immediate bridge transfers or mixing service usage. Security analysts noted the attack exemplified a broader industry pattern: private key compromises accounted for the majority of DeFi losses in early 2026, and audited smart contracts provide no protection against operational security failures at the human layer. Step Finance confirmed on February 2, 2026, that the root cause was executive device compromise, and described it as a well-known attack vector executed by a sophisticated actor.","heading":"The January 2026 Hack: Attack Vector and Technical Details","severity":"critical","sources":[{"credibility":2,"name":"Rekt News: Step Finance Rekt","type":"research","url":"https://rekt.news/step-finance-rekt"},{"credibility":1,"name":"CoinDesk: Solana DeFi Platform Step Finance Hit by $30 Million Treasury Hack","type":"news_article","url":"https://www.coindesk.com/business/2026/01/31/solana-based-defi-platform-step-finance-hit-by-usd30-million-treasury-hack-as-token-price-craters"},{"credibility":2,"name":"Halborn: Explained — The Step Finance Hack (January 2026)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-step-finance-hack-january-2026"},{"credibility":2,"name":"Tom's Hardware: $40 Million Stolen From Step Finance After Executive Device 
Compromise","type":"news_article","url":"https://www.tomshardware.com/tech-industry/cyber-security/usd40-million-worth-of-crypto-stolen-from-step-finance-hackers-compromise-executives-devices-to-gain-illicit-access"}]},{"content":"The total losses attributed to the January 2026 breach vary across reporting sources, reflecting different methodologies for calculating asset values at time of theft. CertiK and on-chain analysts initially identified 261,854–261,932 SOL removed from Step Finance wallets, valued at approximately $27–29 million at the SOL price prevailing on January 31, 2026. Step Finance's internal review subsequently reported total losses nearing $40 million across all affected assets, suggesting that additional assets beyond SOL — including tokens held in fee wallets — were also drained but received less on-chain coverage. Crowdfund Insider and The Record from Recorded Future News reported the $40 million figure. CoinDesk's initial reporting cited approximately $27–30 million. The discrepancy likely reflects the difference between SOL alone and the full basket of assets across treasury and fee wallets. 
Step Finance disclosed that approximately $4.7 million was recovered through Token22 protections on Remora Markets assets and other holdings, reducing net losses but leaving the platform non-viable.","heading":"Financial Losses and Discrepancies in Reported Figures","severity":"critical","sources":[{"credibility":1,"name":"CoinDesk: Step Finance Shuts Operations After $27 Million January Hack","type":"news_article","url":"https://www.coindesk.com/business/2026/02/24/step-finance-shuts-operations-after-usd27-million-january-hack"},{"credibility":2,"name":"Crowdfund Insider: Step Finance Ceases Operations Following $40 Million Security Incident","type":"news_article","url":"https://www.crowdfundinsider.com/2026/02/263817-step-finance-ceases-operations-following-40-million-security-incident/"},{"credibility":1,"name":"The Record from Recorded Future News: Step Finance Shutting Down After $40 Million Theft","type":"news_article","url":"https://therecord.media/step-finance-cryptocurrency-theft-shutdown"},{"credibility":1,"name":"The Block: Step Finance Shuts Down","type":"news_article","url":"https://www.theblock.co/post/390964/step-finance-shuts-down"}]},{"content":"The STEP governance token, already in a prolonged bear market from its April/August 2021 peaks near $10.20, collapsed catastrophically following the January 31 breach. Within 24 hours of the hack disclosure, STEP fell approximately 80–93% from pre-incident levels, trading as low as $0.001578 against a pre-hack price of approximately $0.023. When Step Finance announced permanent closure on February 24, 2026, the token declined a further 36–37%, with cumulative losses from pre-incident levels reaching approximately 96–97%. Kraken subsequently announced a three-phase delisting of STEP: trading and deposits disabled March 20, 2026; withdrawal support disabled June 19, 2026 (non-EEA); and remaining balances liquidated and converted to ETH at weighted market pricing on June 29, 2026. 
Kraken explicitly warned users that the STEP network could shut down at any time before those dates, potentially preventing recovery of remaining balances.","heading":"STEP Token Collapse","severity":"high","sources":[{"credibility":1,"name":"Kraken Support: Step Finance (STEP) Delisting","type":"official","url":"https://support.kraken.com/articles/step-delisting"},{"credibility":2,"name":"BitDegree: Step Finance Breach Drains $27 Million in SOL, STEP Token Tanks 90%","type":"news_article","url":"https://www.bitdegree.org/crypto/news/step-finance-breach-drains-27-million-in-sol-step-token-tanks-90"},{"credibility":2,"name":"Rekt News: Step Finance Rekt","type":"research","url":"https://rekt.news/step-finance-rekt"}]},{"content":"On February 24, 2026, Step Finance announced immediate closure of all operations. The announcement stated the team had \"explored every possible path forward, including financing and acquisition opportunities\" but was \"unable to secure a viable outcome.\" Co-founder George Harrap publicly described the day as difficult and noted that his immediate priority was \"finding good roles for our excellent team,\" while acknowledging that some parties had expressed interest in acquiring parts of the business but that the company was operating under significant time pressure. The closure encompassed three interconnected platforms: Step Finance (the core DeFi dashboard and portfolio tracker), SolanaFloor (an NFT analytics and Solana ecosystem media outlet), and Remora Markets (a tokenized real-world assets and lending protocol). Step Finance committed to a buyback program for STEP token holders using a pre-hack snapshot to determine fair valuations. Remora rToken holders were offered a structured redemption process to reclaim USDC, with rTokens represented as remaining fully backed on a one-to-one basis. 
No public timeline for completing these compensation mechanisms was confirmed in available sources.","heading":"Shutdown of Step Finance, SolanaFloor, and Remora Markets","severity":"critical","sources":[{"credibility":1,"name":"CoinTelegraph: Step Finance, SolanaFloor, Remora Markets Wind Down","type":"news_article","url":"https://cointelegraph.com/news/step-finance-solanafloor-remora-markets-wind-down-operations"},{"credibility":1,"name":"CoinDesk: Step Finance Shuts Operations After $27 Million January Hack","type":"news_article","url":"https://www.coindesk.com/business/2026/02/24/step-finance-shuts-operations-after-usd27-million-january-hack"},{"credibility":1,"name":"Yahoo Finance: Solana DeFi Project Step Finance to Wind Down Weeks After $29M Hack","type":"news_article","url":"https://finance.yahoo.com/news/solana-defi-project-step-finance-140151238.html"},{"credibility":2,"name":"Invezz: Solana DeFi Platform Step Finance Shuts Down After Hack","type":"news_article","url":"https://invezz.com/news/2026/02/24/solana-defi-platform-step-finance-shuts-down-after-hack/"}]},{"content":"Security analysts and post-mortems consistently identify the Step Finance breach as an operational security (OpSec) failure rather than a smart contract vulnerability. The primary attack surface was the human layer: private keys or signing credentials stored on or accessible via executive devices were exposed, allowing the attacker to authorize legitimate-looking transactions that moved funds without any on-chain protocol violation. Halborn and other security researchers noted the attack exemplified weak key management and insufficient access controls, an absence of monitoring during off-hours operations, and single points of failure in treasury authorization. The attack vector — compromising executive devices to extract private keys — has historically been linked to phishing, spear-phishing, or targeted malware campaigns. 
Step Finance's contracts had previously been audited, but those audits provided no protection against a credential compromise at the infrastructure layer. The incident was cited as part of a broader Q1 2026 pattern in which private key compromises accounted for the substantial majority of DeFi losses, including other high-profile incidents such as the Drift Protocol hack.","heading":"Operational Security Failure: Root Cause Analysis","severity":"high","sources":[{"credibility":2,"name":"Halborn: Explained — The Step Finance Hack (January 2026)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-step-finance-hack-january-2026"},{"credibility":2,"name":"CCN: 400M+ Lost to DeFi Exploits in 2026 — Drift Protocol, Rhea Finance, Step Finance Among Biggest","type":"news_article","url":"https://www.ccn.com/education/crypto/defi-hacks-2026-137m-lost-step-finance-truebit-resolv-exploits/"},{"credibility":2,"name":"Assure DeFi: Step Finance Hack Explained — $40M Executive Device Breach","type":"research","url":"https://www.assuredefi.com/blog/step-finance-hack-explained-40m-executive-device-breach"}]},{"content":"Step Finance was one of Solana's earliest and most widely used infrastructure projects, having operated since 2021 and serving an estimated 350,000 monthly active users at the time of closure. Its shutdown removed a major portfolio aggregation layer from the Solana ecosystem, affecting users who relied on Step for tracking positions across numerous Solana DeFi protocols. SolanaFloor's closure simultaneously eliminated a significant Solana-native media and NFT analytics outlet. The incident contributed to negative sentiment around Solana DeFi security more broadly and was cited alongside other Q1 2026 hacks — including the Drift Protocol breach — as evidence of systemic operational security weaknesses in the space. 
The hack was described by Tom's Hardware as \"the biggest crypto hack of the year, so far\" at the time of reporting in February 2026.","heading":"Broader Ecosystem Impact","severity":"high","sources":[{"credibility":1,"name":"Yahoo Finance: Step Finance and SolanaFloor Shut Down After Devastating Hack","type":"news_article","url":"https://finance.yahoo.com/news/step-finance-solanafloor-shut-down-021611434.html"},{"credibility":2,"name":"Crypto.news: Solana-Based Step Finance Shuts Down After $40M January Hack","type":"news_article","url":"https://crypto.news/step-finance-shutdown-solana-january-hack-2026/"},{"credibility":2,"name":"Tom's Hardware: $40 Million Worth of Crypto Stolen From Step Finance","type":"news_article","url":"https://www.tomshardware.com/tech-industry/cyber-security/usd40-million-worth-of-crypto-stolen-from-step-finance-hackers-compromise-executives-devices-to-gain-illicit-access"}]}],"sources_used":[{"credibility":1,"name":"CoinDesk: Step Finance Hit by $30 Million Treasury Hack","type":"news_article","url":"https://www.coindesk.com/business/2026/01/31/solana-based-defi-platform-step-finance-hit-by-usd30-million-treasury-hack-as-token-price-craters"},{"credibility":1,"name":"CoinDesk: Step Finance Shuts Operations After $27 Million January Hack","type":"news_article","url":"https://www.coindesk.com/business/2026/02/24/step-finance-shuts-operations-after-usd27-million-january-hack"},{"credibility":1,"name":"CoinTelegraph: Step Finance, SolanaFloor, Remora Markets Wind Down","type":"news_article","url":"https://cointelegraph.com/news/step-finance-solanafloor-remora-markets-wind-down-operations"},{"credibility":1,"name":"The Block: Step Finance Shuts Down","type":"news_article","url":"https://www.theblock.co/post/390964/step-finance-shuts-down"},{"credibility":1,"name":"The Record from Recorded Future News: Step Finance Shutting Down After $40 Million 
Theft","type":"news_article","url":"https://therecord.media/step-finance-cryptocurrency-theft-shutdown"},{"credibility":1,"name":"Yahoo Finance: Step Finance and SolanaFloor Shut Down After Devastating Hack","type":"news_article","url":"https://finance.yahoo.com/news/step-finance-solanafloor-shut-down-021611434.html"},{"credibility":1,"name":"Yahoo Finance: Solana DeFi Project Step Finance to Wind Down","type":"news_article","url":"https://finance.yahoo.com/news/solana-defi-project-step-finance-140151238.html"},{"credibility":2,"name":"Rekt News: Step Finance Rekt","type":"research","url":"https://rekt.news/step-finance-rekt"},{"credibility":2,"name":"Halborn: Explained — The Step Finance Hack (January 2026)","type":"research","url":"https://www.halborn.com/blog/post/explained-the-step-finance-hack-january-2026"},{"credibility":2,"name":"Crowdfund Insider: Step Finance Ceases Operations Following $40 Million Security Incident","type":"news_article","url":"https://www.crowdfundinsider.com/2026/02/263817-step-finance-ceases-operations-following-40-million-security-incident/"},{"credibility":2,"name":"Invezz: Solana DeFi Platform Step Finance Shuts Down After Hack","type":"news_article","url":"https://invezz.com/news/2026/02/24/solana-defi-platform-step-finance-shuts-down-after-hack/"},{"credibility":1,"name":"Kraken Support: Step Finance (STEP) Delisting","type":"official","url":"https://support.kraken.com/articles/step-delisting"},{"credibility":1,"name":"CoinDesk: Step Finance Raises $2M From Alameda Research, 3 Commas","type":"news_article","url":"https://www.coindesk.com/business/2021/04/13/solana-dashboard-step-finance-raises-2m-from-alameda-research-3-commas"},{"credibility":2,"name":"Assure DeFi: Step Finance Hack Explained — $40M Executive Device Breach","type":"research","url":"https://www.assuredefi.com/blog/step-finance-hack-explained-40m-executive-device-breach"},{"credibility":2,"name":"Halborn: Month in Review — Top DeFi Hacks of January 
2026","type":"research","url":"https://www.halborn.com/blog/post/month-in-review-top-defi-hacks-of-january-2026"},{"credibility":2,"name":"CCN: 400M+ Lost to DeFi Exploits in 2026","type":"news_article","url":"https://www.ccn.com/education/crypto/defi-hacks-2026-137m-lost-step-finance-truebit-resolv-exploits/"},{"credibility":2,"name":"GovInfoSecurity: Cryptohack Roundup — Step Finance Shuts Down After Exploit","type":"news_article","url":"https://www.govinfosecurity.com/cryptohack-roundup-step-finance-shuts-down-after-exploit-a-30855"},{"credibility":2,"name":"Coinpedia: Solana Ecosystem Step Finance Shuts Down After $29M Hack","type":"news_article","url":"https://coinpedia.org/news/solana-ecosystem-step-finance-shuts-down-after-29m-hack/"}],"summary":"Step Finance, a Solana-based DeFi portfolio tracking dashboard founded in 2021, suffered a treasury breach on January 31, 2026, when attackers compromised executive team devices and drained approximately 261,854 SOL (valued at $27–40 million depending on reporting method). 
Unable to secure financing or an acquisition, Step Finance and its affiliated platforms SolanaFloor and Remora Markets announced permanent closure on February 24, 2026, making this one of the most consequential operational security failures in the Solana ecosystem to date.","timeline":[{"date":"2021-02-01","event":"Step Finance originates from a Solana hackathon, founded by George Harrap.","source":"The Defiant","source_url":"https://thedefiant.io/news/defi/step-finance-raises-2m-in-round-led-by-alameda-research"},{"date":"2021-04-13","event":"Step Finance raises $2 million seed round led by Alameda Research, with participation from 3 Commas Capital, Raydium, One Block, and Solidity Ventures.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2021/04/13/solana-dashboard-step-finance-raises-2m-from-alameda-research-3-commas"},{"date":"2021-08-01","event":"STEP token reaches an all-time high of approximately $10.20.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/step-finance-solanafloor-remora-markets-wind-down-operations"},{"date":"2026-01-31","event":"Attackers compromise executive team devices during APAC hours, gaining access to Step Finance treasury and fee wallets. Approximately 261,854–261,932 SOL (worth $27–29 million) is unstaked and withdrawn. Total losses including non-SOL assets later reported as approximately $40 million.","source":"CoinDesk / Rekt News","source_url":"https://www.coindesk.com/business/2026/01/31/solana-based-defi-platform-step-finance-hit-by-usd30-million-treasury-hack-as-token-price-craters"},{"date":"2026-01-31","event":"STEP token crashes more than 80% following breach disclosure. 
CertiK flags on-chain withdrawals.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/01/31/solana-based-defi-platform-step-finance-hit-by-usd30-million-treasury-hack-as-token-price-craters"},{"date":"2026-02-02","event":"Step Finance confirms root cause: executive team devices were compromised, exposing private keys. Team advises against STEP token engagement pending investigation.","source":"Rekt News","source_url":"https://rekt.news/step-finance-rekt"},{"date":"2026-02-24","event":"Step Finance announces immediate closure of all operations, including SolanaFloor and Remora Markets, after failing to secure financing or an acquisition. Co-founder George Harrap cites time pressure and confirmed partial buyback plans for STEP holders.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/step-finance-solanafloor-remora-markets-wind-down-operations"},{"date":"2026-02-24","event":"STEP token declines a further 36% on the shutdown announcement, reaching approximately $0.00057. Cumulative losses from pre-hack levels reach roughly 97%.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/02/24/step-finance-shuts-operations-after-usd27-million-january-hack"},{"date":"2026-03-20","event":"Kraken disables STEP deposits and trading as part of a three-phase delisting process.","source":"Kraken Support","source_url":"https://support.kraken.com/articles/step-delisting"},{"date":"2026-06-29","event":"Kraken schedules final liquidation of remaining STEP balances, converting to ETH at weighted market pricing.","source":"Kraken Support","source_url":"https://support.kraken.com/articles/step-delisting"}]},"v":1}