Figure Data Breach: Social Engineering Actors Are Preying on Fintechs, but It’s Not Inevitable

Social Engineering

Another one bites the dust. According to TechCrunch, blockchain lending company Figure recently confirmed it was the target of a data breach that began with social engineering. A large amount of client information was exposed as a result of an incident that reportedly started with a group going after a single employee of the organization. This event is a good example of how even the best fintech companies can be weak when individuals are targeted.

Key Takeaways:

  • Figure, a well-known blockchain lending company, suffered a data breach caused by an employee being tricked into handing over information.
  • The hack exposed about 2.5GB of consumer data, which was subsequently leaked.
  • This incident underscores the critical importance of employee cyber awareness and robust internal security protocols to defend against human-targeted cyberattacks.

About the attack

Known foes and tactics

The breach at Figure began when an employee fell victim to a social engineering attack. While the exact details of the vector (e.g., phishing email, vishing call, deepfake impersonation) have not been fully disclosed, the outcome was, as is typical, unauthorized access to company systems.

The ShinyHunters group claimed credit for the attack on its dark web site. Reportedly, the attackers tricked an employee into giving them access and information that made the breach easier. Figure appears to be another victim of the group's large-scale campaign impersonating the identity and access management platform Okta.

The group appears to follow a familiar pattern: getting past technical protections by exploiting trust and human error rather than complex technical flaws. Reports say that after the attack, the hackers leaked almost 2.5GB of client data, which shows how serious the incident was.

Download Arsen’s 2026 Report for Social Engineering Risks for Financial Services →

So what’s next?

TechCrunch reported that it reviewed some of the data and found that the files appeared to contain users' full names, home addresses, birth dates, and phone numbers. For the business, this means damage to its reputation, possible legal and regulatory penalties, and the cost of responding to and remediating the incident. For customers whose personal information was exposed, it could lead to more targeted phishing, identity theft, or other types of fraud.

This event could also have an influence on the finance and blockchain industries, reminding them that even the most advanced technical systems can be breached by exploiting the most vulnerable part of the system: people. It reinforces the idea that a robust security posture needs to include more than just technical controls; it also needs a "human firewall."

Learn more about social engineering tricks on our dedicated knowledge center →

What’s to conclude?

Fintech and crypto companies are primary targets.

  • In early 2026, cybersecurity researcher Jeremy Fowler discovered a database containing approximately 149 million stolen account records, including approximately 420,000 credentials associated with Binance users.
  • Last summer, Coinbase was targeted by cyber criminals following a data breach (and refused to pay the $20 million ransom).
  • Back in November 2026, SitusAMC, a third party providing real estate finance services to many banks, was the victim of a data breach that exposed customer data of major banks.

Threat actors that use social engineering to obtain what they want are especially interested in the entire financial sector. This is for a number of reasons:

  1. Financial companies adopt hierarchical authority frameworks, which allow senior managers and executives to change the rules.

  2. They operate in complex compliance environments, where attackers can invoke regulations that staff may not know in detail.

  3. People can be manipulated during high-pressure tasks like incident response and transactions that need to be completed quickly.

  4. Attackers know that reputational damage is so costly for a firm holding people's money that it may find it hard to refuse a ransom demand.


For fintech companies, the problem may be even trickier. They handle a lot of private financial information, but they don't always have the strong, more established security measures and safety routines that big banks may have. Attacks on financial services companies are on the rise, and generative AI has accelerated this trend, from AI-powered phishing operations to live deepfake attacks. The human element, which has historically been the main target of attacks, is becoming more and more vulnerable, and CISOs and cybersecurity teams can no longer just respond. They have to prepare.

Learn about voice phishing protection for financial services here →

How financial companies should deal with social engineering

When it comes to fintech, like crypto exchanges and neobanks, protecting against social engineering isn't only a tech problem; it's also a people problem. This is where security teams should be focusing their efforts.

What to do about social engineering

  • Keep training all staff on how to spot phishing attempts in emails, texts, and phone calls.
  • Include training on how to spot impersonation methods in new employee orientation and regular refreshers, not just once a year.
  • Include social engineering tests in your penetration testing to find real weaknesses before hackers do.
  • Set up explicit rules that everyone must follow for checking any request for sensitive information or access, especially if it comes from an outside source or an unusual route.

Things to do for overall security management

  • Use robust multi-factor authentication (MFA) on all systems and access points without fail.
  • Use zero-trust principles to limit the damage if an employee's account is compromised.
  • Use stringent access controls so that employees can only get to the data and systems they really need.
  • Treat these measures as living policies and check on them and change them often.

