Figure data breach: ShinyHunters leak after social engineering attack

Publicly traded blockchain lender Figure has confirmed that customer information was exposed after a successful social engineering attack on one of its employees, leading to a data breach now claimed by the notorious hacking group ShinyHunters.

Figure Technology acknowledged on Friday that an attacker gained access to its systems by manipulating an employee, ultimately enabling the download of internal files. The company, which offers blockchain-based lending and home equity products, said it moved quickly to contain the incident and has launched a forensic investigation.

According to the firm’s statement, the breach stemmed from a targeted social engineering campaign rather than a direct technical exploit. “We recently identified that an employee was socially engineered, and that allowed an actor to download a limited number of files through their account,” Figure said. “We acted quickly to block the activity and retained a forensic firm to investigate what files were affected.”

The hacking collective ShinyHunters has taken responsibility for the attack, claiming that Figure refused to pay a ransom demand. In response, the group says it published roughly 2.5 gigabytes of data allegedly taken from the company’s systems. The dataset reportedly contains sensitive customer information, including full names, residential addresses, dates of birth, and phone numbers.

Journalists who reviewed a sample of the stolen material say the files appear to include personal details tied to Figure’s lending business. While the company has so far described the incident as involving “a limited number of files,” the precise number of affected individuals remains unclear. Figure has not publicly disclosed how many customers may have been impacted, nor has it detailed whether financial account numbers, loan specifics, or government ID numbers were compromised.

Social engineering attacks typically rely on psychological manipulation rather than advanced hacking techniques. Instead of trying to break through code or encryption, attackers target employees via convincing emails, calls, text messages, or fake login pages. The goal is to trick a victim into disclosing credentials, approving access, or downloading malware that opens a path into corporate systems.

In incidents like this, criminals may pose as executives, vendors, IT staff, or regulators to gain trust. Once an employee is persuaded to click a malicious link or provide login information, attackers can often move through internal systems under the guise of a legitimate user. Because the access appears to come from a real account with valid credentials, these intrusions can be difficult to detect immediately with traditional security tools.

Figure says that once it detected suspicious activity, it cut off the attacker’s access and brought in outside cybersecurity specialists to conduct a detailed review. Forensic firms typically examine system logs, access records, and file histories to determine exactly what was opened, downloaded, or exfiltrated, and over what time period. That process is often lengthy, and new information about the scope of a breach can emerge days or weeks after the initial disclosure.

For customers, the categories of data reportedly involved—names, addresses, dates of birth, and phone numbers—can be highly valuable to fraudsters. Even without direct access to bank accounts, such information can be used to craft convincing phishing campaigns, attempt account takeovers at other financial institutions, or support identity theft. Attackers can also combine leaked data with information from previous breaches to build more complete profiles of potential victims.

Figure will likely be expected to notify affected individuals and regulators once the investigation provides a clearer picture of the impact. Financial institutions are typically required to explain what information was exposed, when the incident occurred, what steps have been taken to secure systems, and what customers should do to protect themselves. In similar cases, companies sometimes offer credit monitoring or identity theft protection services, though Figure has not yet publicly detailed any such measures.

The breach underscores a broader trend in the financial and crypto-adjacent sectors: attackers increasingly focus on people rather than purely on infrastructure. Even organizations with sophisticated technical defenses can be undermined if an employee is tricked into giving away access. For firms operating at the intersection of traditional finance and blockchain technology, reputational damage from such incidents can be significant, especially as they fight to position themselves as secure alternatives to legacy institutions.

It also highlights the growing prominence of groups like ShinyHunters, which have been linked to multiple high-profile data thefts across industries. Their strategy typically includes stealing bulk customer data, demanding a ransom, and threatening or executing public leaks if the target refuses to pay. Whether or not a company engages with these demands, once information is posted or sold on criminal forums, it can circulate indefinitely.

For investors and customers watching the digital asset lending space, this incident raises questions about operational security practices at firms that handle both personal data and complex financial instruments. While blockchain technology itself is often promoted as tamper-resistant and transparent, the organizations building services on top of it still rely on traditional IT systems, employee accounts, and corporate processes—all of which can become entry points for attackers.

To reduce the risk of similar events, experts typically recommend multi-layered defenses against social engineering. These often include regular employee training with realistic phishing simulations, strict identity verification procedures for internal requests, multi-factor authentication on all sensitive systems, and tight controls on which staff can access customer data. Continuous monitoring for unusual login patterns or large data downloads can also help flag suspicious behavior more quickly.

Customers of Figure and comparable lenders can take several protective steps in light of breaches like this. Monitoring bank and credit accounts for unauthorized activity, being cautious about unexpected calls or emails requesting personal information, and enabling extra verification steps on financial profiles can all help. If Figure ultimately confirms that data such as Social Security numbers or government IDs were exposed, placing fraud alerts or credit freezes may also be advisable.

Regulators and policymakers are likely to scrutinize how firms in the fintech and blockchain lending sectors manage consumer information, especially as more traditional financial products are reimagined using distributed ledger technology. Compliance with data protection rules, incident reporting requirements, and cybersecurity standards is becoming a central part of evaluating the health and reliability of these businesses.

Inside companies like Figure, a breach tied to social engineering often prompts a reassessment of internal culture around security. Organizations may need to reinforce the idea that any unexpected request—no matter how urgent it sounds or how senior the supposed requester is—should be verified through an independent channel. Encouraging employees to slow down, double-check identities, and report suspicious outreach without fear of punishment can significantly reduce the success rate of such attacks.

The Figure incident serves as a reminder that in modern financial services, trust depends on more than product performance or market position. It rests equally on how well firms can safeguard the information that customers share with them. As the investigation progresses and more details emerge, the company’s response—and any concrete steps it takes to harden defenses—will play a key role in determining how much long-term damage this breach causes to its reputation and to confidence in blockchain-based lending platforms more broadly.

Ultimately, while the underlying blockchain rails may be secure, the human element remains a crucial vulnerability. Until organizations treat social engineering risk with the same seriousness as technical exploits, similar breaches are likely to continue across the financial and crypto landscape.