Blockchain Fintech Giant Figure Confirms Data Breach After Phishing Attack, ShinyHunters Claims Responsibility

By Ash K

Blockchain lending company Figure Technology Solutions has confirmed it suffered a cyberattack that resulted in the theft of sensitive customer data, following a phishing incident involving one of its employees. The U.S.-based fintech firm disclosed that attackers accessed internal systems and exfiltrated what it described as a “limited number of files.”

The company, which operates its own blockchain infrastructure to originate and record home equity lines of credit and other financial products, said it is investigating the scope of the breach and has begun notifying affected individuals. Figure is offering free identity theft protection and credit monitoring services as part of its response.

According to reporting by TechCrunch, the breach may be linked to the data extortion group ShinyHunters, which has claimed responsibility for the incident.

Phishing Entry Point Leads to Data Theft

Figure told TechCrunch that the compromise began when an employee fell victim to a phishing attack, granting unauthorized access to company systems. Once inside the environment, attackers were able to extract internal files containing customer information.

While the company has not disclosed the number of individuals affected, TechCrunch reported that the exposed dataset includes full names, postal addresses, dates of birth, and phone numbers. Email addresses were reportedly not part of the stolen data.

The absence of email data may reduce the likelihood of traditional phishing campaigns. However, security experts warn that the exposed records significantly increase the risk of voice phishing and identity-based fraud schemes.

ShinyHunters’ Data Extortion Playbook

ShinyHunters is widely known for conducting data exfiltration campaigns without deploying ransomware encryptors. Instead of locking victim systems, the group focuses on stealing sensitive information and demanding payment in exchange for deleting the data.

As part of its standard tactic, the group often posts samples of stolen records on its dark web leak site to validate claims and increase pressure on victims to negotiate. According to TechCrunch, a member of the hacking group indicated that Figure was among companies compromised in connection with a broader Okta single sign-on incident.

The alleged link to an Okta SSO breach raises further questions about third-party authentication risk and the cascading effects of identity platform compromises.

Fintech, Blockchain, and Elevated Risk

Figure operates a proprietary blockchain platform used to originate and record loans, particularly home equity lines of credit. The company also manages marketplaces that enable financial institutions to trade tokenized loans and other real-world assets.

By positioning itself as a faster, lower-cost alternative to traditional loan processing systems, Figure has attracted significant attention within the fintech ecosystem. However, the handling of sensitive financial and personal data makes such platforms high-value targets for data extortion groups.

Even without payment card or email data exposure, combinations of names, addresses, birth dates, and phone numbers provide ample material for social engineering campaigns.

Rising Threat of AI-Enhanced Vishing

With generative artificial intelligence tools becoming more accessible, voice phishing attacks have grown increasingly sophisticated. Attackers can use personal details from breached datasets to craft convincing scripts or deploy AI-driven voice cloning techniques.

In the absence of email addresses, attackers may pivot toward targeted vishing campaigns impersonating financial institutions or support staff. Experts warn that stolen personal identifiers enable threat actors to bypass common verification checks during phone-based fraud attempts.

Figure has not publicly confirmed the total number of affected customers, nor whether the breach directly stemmed from the reported Okta single sign-on incident. The company stated it continues to investigate the matter.

The incident underscores a persistent reality in the fintech and blockchain sectors. Advanced lending infrastructure and tokenized asset marketplaces may operate on modern technology stacks, but identity-based attacks and phishing remain among the most effective entry points for adversaries.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, cybersecurity incident response, products, and security solutions architecture.