Solana app hacked — $30M

Step Finance — the Solana portfolio‑management dashboard — disclosed on Jan. 31, 2026 that 261,854 SOL was unstaked and moved from treasury wallets during the incident (about $27–30M at the time). (coindesk.com) The project later said the breach stemmed from compromised executive devices (an off‑chain key/endpoint compromise), not a smart‑contract exploit. (bleepingcomputer.com) On‑chain monitoring firms flagged the unauthorized unstake and transfers as they happened, with blockchain trackers and CertiK tracing funds to external, unknown addresses. (whale-alert.io) Step Finance said remediation and Token22 protections, plus partner coordination, recovered roughly $4.7 million of positions (about $3.7M in Remora assets and ~$1M in other holdings). (halborn.com) The project’s governance token STEP plunged more than 80–90% after the outflows, and the team announced on Feb. 23–24, 2026 that it would wind down Step Finance, SolanaFloor and Remora Markets after failing to secure financing or an acquisition. (cointelegraph.com) Step Finance said its internal response included calling in external cybersecurity firms and notifying authorities while investigations continue into the attacker’s identity and the exact vector used to compromise executive endpoints. (theblock.co)