Decentralized finance (DeFi) platform Step Finance has detected a breach over the weekend, with the company reporting that the devices used by members of its executive team were compromised and used to execute the hack. Blockchain security company CertiK posted on its incident monitoring account on X (via BleepingComputer) that 261,854 SOL has been illicitly withdrawn, estimated to be worth around $28.9 million. However, the DeFi platform later announced that the total amount lost is closer to $40 million.
“In the early afternoon hours of 31 January (APAC), approximately $40M was drained from the Step Finance treasury. This was a result of our executive team’s devices being compromised,” the company posted on X. It also said, “Through built-in security protections in Token22 and rapid coordination with partners, Step Finance was able to recover approximately $3.7M in Remora assets and $1M in other positions at the time of writing.”
Statement on Recent Security IncidentIn the early afternoon hours of 31 January (APAC), approximately $40M was drained from the Step Finance treasury. This was a result of our executive team’s devices being compromised.Immediately after detecting the breach, we began working…February 2, 2026
This is the biggest reported loss from one platform in 2026, so far, although CertiK reported on X that an individual lost $284 million due to a social engineering scam. In total, almost $400 million has been lost in 42 reported incidents, with more than 10%, around $4.366 million, already recovered. Still, this is a modest sum compared to previous records. Even if this trend continues, it would only result in about $4 billion in losses — a paltry sum compared to the estimated $17 billion stolen in 2025 alone.
Step Finance has halted some operations to help secure its systems, and although its Remora Markets trading platform was affected, it was able to recover all stock involved. Furthermore, all Remora assets are held 1:1 in the company’s brokerage account, reassuring users that nothing is missing. Nevertheless, the company said that users shouldn’t use their STEP tokens until the investigation has concluded and operations return to normal.
It’s unclear how the devices of the executive team were compromised, as the investigation is still ongoing, but the company said that the attack was “facilitated through a well-known attack vector.” When it comes to cryptocurrencies, this usually refers to hackers gaining access to hardware and stealing private keys, seed phrases, or even active sessions stored in cache — the most common method of draining treasury wallets without exploiting smart contracts.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
