Execs Get SIM‑Swapped, $30M Gets Yeeted: Step Finance Cries "Rug Pull" on Itself

The Solana DeFi aggregator Step Finance, along with its sibling projects SolanaFloor and Remora Markets, has officially thrown in the towel. The collective is shutting down immediately, a final act following a January security breach that left them with more empty wallets than viable options, despite last-ditch fundraising and acquisition chats.

The heist drained approximately $30 million from Step's Solana coffers. Sleuthing revealed the entry point was the compromised mobile devices of team executives—a classic case of getting "SIM‑swapped back to the stone age." This likely gave attackers a backstage pass to private keys or let them install malware to sign malicious on-chain transactions. With that power, they unstaked a cool 261,854 SOL and whisked it away from project wallets, sending the STEP token into a death spiral, plummeting over 80%.

In a move of damage control that felt like using a band-aid on a bullet wound, the team froze parts of the platform to stop the bleeding. They later managed to claw back about $4.7 million in assets tied to Remora and other holdings. As part of the funeral arrangements, Step Finance will run a buy-back program for STEP holders based on a pre-hack snapshot, while Remora Markets preps a redemption process for its rToken bagholders.

This little escapade easily ranks among January 2026's most expensive DeFi self-owns. According to the ever-busy folks at PeckShield, 2025 saw a whopping $4.04 billion evaporated by scams and hacks—a 34% increase from 2024. Of that total, $2.67 billion came from pure hacks and $1.37 billion from scams, with the scam category ballooning 64% year-over-year. The year logged over 200 hack cases (scams not included), with February taking the crown as the most costly month thanks to a single $1.51 billion breach at Bybit. PeckShield points out a worrying trend toward social-engineering attacks that target high-net-worth individuals and centralized entities, because why hack a smart contract when you can just phish a C-suite exec's phone?