In January 2026, Step Finance suffered a hack in which the attackers drained an estimated $30 million in assets from the project’s Solana wallets. The root cause of the incident was compromised devices, likely leading to exposed private keys.
Inside the Attack
The Step Finance hack was initially described as using a “well-known” attack vector with details of the incident lacking. However, the nature of the incident — in which attackers were able to access and drain several wallets controlled by the project — pointed to compromised private keys.
This explanation was supported by later disclosures regarding the incident, which included the fact that the hack was enabled by the attackers’ gaining access to the devices of the project’s executive team. This likely allowed the attackers to compromise the project’s process for approving on-chain transactions, whether by gaining access to private keys or installing malware on the devices designed to corrupt the approval process and trick executives into approving transactions with malicious functionality.
After gaining control over the wallets in question, the attackers moved to unstake approximately 261,854 SOL, making it available to remove from the compromised accounts. They then transferred these tokens out of the wallets, causing the STEP token’s price to collapse by over 80%.
After detecting the incident, the Step Finance team moved to halt various parts of the platform. They were also able to recover approximately $4.7 million in Remora assets and other holdings after the incident.
Lessons Learned from the Attack
The Step Finance hack was one of the most expensive DeFi incidents of January 2026, with approximately $30 million in losses. This was an example of an attack exploiting off-chain security vulnerabilities, focusing on private keys and signing infrastructure rather than attempting to exploit vulnerabilities in the project’s smart contracts.
This incident underscores the importance of implementing private key security best practices, especially for high-value accounts that hold a significant percentage of a project’s treasury holdings. The use of cold wallets may have prevented this incident by reducing the risk that compromised devices could have exposed keys. Additionally, other security best practices, such as multi-signature wallets and endpoint security solutions, may have prevented the devices from being compromised or managed the potential threat that a compromised device posed to the protocol.
Halborn offers security advisory services that can help organizations to design and implement security programs to help protect against these types of threats. Get in touch to find out more.