Potential breaches of fintech's client accounts have sparked a debate about the security of deposits held with trading firms.
2FA is often the only line of defense used by CFD brokers, and their security measures lag significantly behind those of the banking sector.
While two-factor authentication, for example, is mandatory at Plus500, Robinhood merely “encourages” users to enable it.
The recent
XTB security breach that allegedly cost a Polish client approximately 150,000
zlotys ($38,000) has ignited a fierce debate about whether optional
security measures are sufficient for CFD brokers and retail trading
platforms in 2025.
Following
the incident, where hackers reportedly executed thousands of rapid trades to
drain a client's account, cybersecurity experts are calling for fundamental
changes to how financial companies protect client assets.
As it turns
out, the XTB case is not isolated, and when it comes to retail trading
companies, the saying “you can bank on it” doesn’t always hold true.
The Anatomy of a Modern
Financial Hack
Rather than
attempting direct fund transfers, which can only be executed on a verified
account, hackers opened simultaneous buy-sell transactions on low-liquidity
securities, consistently profiting on one side while draining the victim's XTB account
on the other. The client had not enabled two-factor authentication (2FA),
a detail that has become central to the broader security debate.
Mate Ivanszky, Founder & CEO of Matworks.
“2FA
isn't just recommended, it's a must. Even the strongest password is still a
single point of failure. A simple password combined with enforced 2FA is far
safer than forcing users into complex ones they'll end up writing down,”
commented Mate Ivanszky, Founder & CEO of Matworks.
What makes
this case particularly concerning is the apparent lack of automated fraud
detection. The attack exhibited multiple red flags that should have triggered
immediate security responses: an unfamiliar IP address, extraordinarily high
trading volumes, and behavior completely outside the client's historical
patterns.
If a trader
typically performs two or three operations per month and suddenly executes
hundreds in a single day, the system should catch that. XTB, however, takes a
different view, citing the specific nature of the market as its explanation.
“Due to the
nature of the market and the speed at which investment decisions are made, we
do not apply automatic restrictions based on changes in investor preferences, such
as the initiation of trading in different instruments,” XTB’s PR department explained.
Expert
Consensus:
Optional Security is No Longer Acceptable
Jon Bellard, Head of Product at Rootshell Security
Jon
Bellard, Head of Product at Rootshell Security, argues that the incident
exposes fundamental gaps in modern fintech security. “While the user not enabling 2FA is a
clear risk factor, platforms like XTB carry a responsibility to protect users
even when they make mistakes,” he states. “In 2025, it's not enough to offer
2FA, it should be mandatory, particularly for high-risk platforms.”
And while 2FA
might seem like a legal requirement today, XTB explains that this is not always
the case: “PSD2 regulations and payment services laws apply to companies
providing payment services, not brokerage firms like XTB. Therefore, these
regulations only apply to our eWallet payment service provided by DiPocket,
where we implemented strong authentication in August 2024.”
This
highlights that brokerage activities do not face the same mandatory security
requirements as traditional banking services, even though they involve similar
financial risks.
However, in
an interview with FinanceMagnates.com, XTB’s CEO noted that 80% of the
company’s new clients invest in stocks and ETFs rather than CFDs. He also
reiterated XTB’s ambition to become an “all-in-one financial super app.” Given
this shift toward more bank-like services, shouldn't the company prioritize
stronger security measures?
A Mixed Picture of Industry
Standard
While XTB's
approach appears questionable, it seems that CFD broker and retail trading
apps security standards across the industry remain inconsistent. The reality is
that many don't implement significantly more security measures than XTB's original setup, suggesting this is an industry-wide challenge rather than an
isolated problem.
FinanceMagnates.com
has verified that Robinhood also offers only optional 2FA. While Plus500 does
require 2FA, when it comes to additional protections, such as IP blocking or
geo-restrictions, these are generally lacking. Whether it's a large publicly
listed broker or a fintech focused on retail trading, most rely on fraud
detection systems, login alerts, and manual reviews.
Marijus Breidis, the CTO at NordVPN
“Security
cannot be a user's responsibility when entrusted with client money,” commented
Marijus Breidis, the CTO at NordVPN. “Behavioral risk detection should be
enabled by default, not buried in settings menus. Platforms prioritize
convenience over fundamental security and then blame their customers when the
inevitable happens. That approach is irresponsible and completely surrenders
their duty to protect client assets.”
Ivanszky agrees with his statement, adding that regulated financial institutions have a clear and enforceable duty to safeguard client funds. “This responsibility
begins with ensuring that access to client accounts is properly authenticated,
and continues through every transaction that could affect the security or
disposition of those funds.”
XTB Does Not Confirm
Incident, but Increases Security Measures
XTB neither
confirms nor denies that such an incident occurred, but emphasizes that no
similar breach has ever taken place involving clients with 2FA enabled.
Moreover, following
the public outcry, XTB may end up being more secure than industry standard. The
company’s press office outlined its current approach: “In recent weeks, we
have significantly simplified and expanded 2FA. Extended testing has already
been completed, and as of July 14, clients will have two options: SMS codes or
an authenticator app.”
The firm will also begin automatically enabling 2FA for existing clients, and
starting in Q4 2025, all new users will be required to activate it. The company
has also introduced additional monitoring systems.
“We
continuously monitor information about password leaks published online and
cross-check them with our database. If a match is found, we notify clients to
change their password,” the spokesperson said. “We have also built
and continue to expand our internal database of suspicious IP addresses, logins
from such locations trigger enhanced security protocols.”
The recent
XTB security breach that allegedly cost a Polish client approximately 150,000
zlotys ($38,000) has ignited a fierce debate about whether optional
security measures are sufficient for CFD brokers and retail trading
platforms in 2025.
Following
the incident, where hackers reportedly executed thousands of rapid trades to
drain a client's account, cybersecurity experts are calling for fundamental
changes to how financial companies protect client assets.
As it turns
out, the XTB case is not isolated, and when it comes to retail trading
companies, the saying “you can bank on it” doesn’t always hold true.
The Anatomy of a Modern
Financial Hack
Rather than
attempting direct fund transfers, which can only be executed on a verified
account, hackers opened simultaneous buy-sell transactions on low-liquidity
securities, consistently profiting on one side while draining the victim's XTB account
on the other. The client had not enabled two-factor authentication (2FA),
a detail that has become central to the broader security debate.
Mate Ivanszky, Founder & CEO of Matworks.
“2FA
isn't just recommended, it's a must. Even the strongest password is still a
single point of failure. A simple password combined with enforced 2FA is far
safer than forcing users into complex ones they'll end up writing down,”
commented Mate Ivanszky, Founder & CEO of Matworks.
What makes
this case particularly concerning is the apparent lack of automated fraud
detection. The attack exhibited multiple red flags that should have triggered
immediate security responses: an unfamiliar IP address, extraordinarily high
trading volumes, and behavior completely outside the client's historical
patterns.
If a trader
typically performs two or three operations per month and suddenly executes
hundreds in a single day, the system should catch that. XTB, however, takes a
different view, citing the specific nature of the market as its explanation.
“Due to the
nature of the market and the speed at which investment decisions are made, we
do not apply automatic restrictions based on changes in investor preferences, such
as the initiation of trading in different instruments,” XTB’s PR department explained.
Expert
Consensus:
Optional Security is No Longer Acceptable
Jon Bellard, Head of Product at Rootshell Security
Jon
Bellard, Head of Product at Rootshell Security, argues that the incident
exposes fundamental gaps in modern fintech security. “While the user not enabling 2FA is a
clear risk factor, platforms like XTB carry a responsibility to protect users
even when they make mistakes,” he states. “In 2025, it's not enough to offer
2FA, it should be mandatory, particularly for high-risk platforms.”
And while 2FA
might seem like a legal requirement today, XTB explains that this is not always
the case: “PSD2 regulations and payment services laws apply to companies
providing payment services, not brokerage firms like XTB. Therefore, these
regulations only apply to our eWallet payment service provided by DiPocket,
where we implemented strong authentication in August 2024.”
This
highlights that brokerage activities do not face the same mandatory security
requirements as traditional banking services, even though they involve similar
financial risks.
However, in
an interview with FinanceMagnates.com, XTB’s CEO noted that 80% of the
company’s new clients invest in stocks and ETFs rather than CFDs. He also
reiterated XTB’s ambition to become an “all-in-one financial super app.” Given
this shift toward more bank-like services, shouldn't the company prioritize
stronger security measures?
A Mixed Picture of Industry
Standard
While XTB's
approach appears questionable, it seems that CFD broker and retail trading
apps security standards across the industry remain inconsistent. The reality is
that many don't implement significantly more security measures than XTB's original setup, suggesting this is an industry-wide challenge rather than an
isolated problem.
FinanceMagnates.com
has verified that Robinhood also offers only optional 2FA. While Plus500 does
require 2FA, when it comes to additional protections, such as IP blocking or
geo-restrictions, these are generally lacking. Whether it's a large publicly
listed broker or a fintech focused on retail trading, most rely on fraud
detection systems, login alerts, and manual reviews.
Marijus Breidis, the CTO at NordVPN
“Security
cannot be a user's responsibility when entrusted with client money,” commented
Marijus Breidis, the CTO at NordVPN. “Behavioral risk detection should be
enabled by default, not buried in settings menus. Platforms prioritize
convenience over fundamental security and then blame their customers when the
inevitable happens. That approach is irresponsible and completely surrenders
their duty to protect client assets.”
Ivanszky agrees with his statement, adding that regulated financial institutions have a clear and enforceable duty to safeguard client funds. “This responsibility
begins with ensuring that access to client accounts is properly authenticated,
and continues through every transaction that could affect the security or
disposition of those funds.”
XTB Does Not Confirm
Incident, but Increases Security Measures
XTB neither
confirms nor denies that such an incident occurred, but emphasizes that no
similar breach has ever taken place involving clients with 2FA enabled.
Moreover, following
the public outcry, XTB may end up being more secure than industry standard. The
company’s press office outlined its current approach: “In recent weeks, we
have significantly simplified and expanded 2FA. Extended testing has already
been completed, and as of July 14, clients will have two options: SMS codes or
an authenticator app.”
The firm will also begin automatically enabling 2FA for existing clients, and
starting in Q4 2025, all new users will be required to activate it. The company
has also introduced additional monitoring systems.
“We
continuously monitor information about password leaks published online and
cross-check them with our database. If a match is found, we notify clients to
change their password,” the spokesperson said. “We have also built
and continue to expand our internal database of suspicious IP addresses, logins
from such locations trigger enhanced security protocols.”
Damian's adventure with financial markets began at the Cracow University of Economics, where he obtained his MA in finance and accounting. Starting from the retail trader perspective, he collaborated with brokerage houses and financial portals in Poland as an independent editor and content manager. His adventure with Finance Magnates began in 2016, where he is working as a business intelligence analyst.
In this video, we take an in-depth look at @BlueberryMarketsForex , a forex and CFD broker operating since 2016, offering access to multiple trading platforms, over 1,000 instruments, and flexible account types for different trading styles.
We break down Blueberry’s regulatory structure, including its Australian Financial Services License (AFSL), as well as its authorisation and registrations in other jurisdictions. The review also covers supported platforms such as MetaTrader 4, MetaTrader 5, cTrader, TradingView, Blueberry.X, and web-based trading.
You’ll learn about available instruments across forex, commodities, indices, share CFDs, and crypto CFDs, along with leverage options, minimum and maximum trade sizes, and how Blueberry structures its Standard and Raw accounts.
We also explain spreads, commissions, swap rates, swap-free account availability, funding and withdrawal methods, processing times, and what traders can expect from customer support and additional services.
Watch the full review to see whether Blueberry’s trading setup aligns with your experience level, strategy, and risk tolerance.
📣 Stay up to date with the latest in finance and trading. Follow Finance Magnates for industry news, insights, and global event coverage.
Connect with us:
🔗 LinkedIn: /financemagnates
👍 Facebook: /financemagnates
📸 Instagram: https://www.instagram.com/financemagnates
🐦 X: https://x.com/financemagnates
🎥 TikTok: https://www.tiktok.com/tag/financemagnates
▶️ YouTube: /@financemagnates_official
#Blueberry #BlueberryMarkets #BrokerReview #ForexBroker #CFDTrading #OnlineTrading #FinanceMagnates #TradingPlatforms #MarketInsights
In this video, we take an in-depth look at @BlueberryMarketsForex , a forex and CFD broker operating since 2016, offering access to multiple trading platforms, over 1,000 instruments, and flexible account types for different trading styles.
We break down Blueberry’s regulatory structure, including its Australian Financial Services License (AFSL), as well as its authorisation and registrations in other jurisdictions. The review also covers supported platforms such as MetaTrader 4, MetaTrader 5, cTrader, TradingView, Blueberry.X, and web-based trading.
You’ll learn about available instruments across forex, commodities, indices, share CFDs, and crypto CFDs, along with leverage options, minimum and maximum trade sizes, and how Blueberry structures its Standard and Raw accounts.
We also explain spreads, commissions, swap rates, swap-free account availability, funding and withdrawal methods, processing times, and what traders can expect from customer support and additional services.
Watch the full review to see whether Blueberry’s trading setup aligns with your experience level, strategy, and risk tolerance.
📣 Stay up to date with the latest in finance and trading. Follow Finance Magnates for industry news, insights, and global event coverage.
Connect with us:
🔗 LinkedIn: /financemagnates
👍 Facebook: /financemagnates
📸 Instagram: https://www.instagram.com/financemagnates
🐦 X: https://x.com/financemagnates
🎥 TikTok: https://www.tiktok.com/tag/financemagnates
▶️ YouTube: /@financemagnates_official
#Blueberry #BlueberryMarkets #BrokerReview #ForexBroker #CFDTrading #OnlineTrading #FinanceMagnates #TradingPlatforms #MarketInsights
Exness CMO Alfonso Cardalda on Cape Town office launch, Africa growth, and marketing strategy
Exness CMO Alfonso Cardalda on Cape Town office launch, Africa growth, and marketing strategy
Exness is expanding its presence in Africa, and in this exclusive interview, CMO Alfonso Cardalda shares how.
Filmed during the grand opening of Exness’s new Cape Town office, Alfonso sits down with Andrea Badiola Mateos from Finance Magnates to discuss:
- Exness’s marketing approach in South Africa
- What makes their trading product stand out
- Customer retention vs. acquisition strategies
- The role of local influencers
- Managing growth across emerging markets
👉 Watch the full interview for fundamental insights into the future of trading in Africa.
#Exness #Forex #Trading #SouthAfrica #CapeTown #Finance #FinanceMagnates
Exness is expanding its presence in Africa, and in this exclusive interview, CMO Alfonso Cardalda shares how.
Filmed during the grand opening of Exness’s new Cape Town office, Alfonso sits down with Andrea Badiola Mateos from Finance Magnates to discuss:
- Exness’s marketing approach in South Africa
- What makes their trading product stand out
- Customer retention vs. acquisition strategies
- The role of local influencers
- Managing growth across emerging markets
👉 Watch the full interview for fundamental insights into the future of trading in Africa.
#Exness #Forex #Trading #SouthAfrica #CapeTown #Finance #FinanceMagnates
How does the Finance Magnates newsroom handle sensitive updates that may affect a brand?
How does the Finance Magnates newsroom handle sensitive updates that may affect a brand?
Yam Yehoshua, Editor-in-Chief at Finance Magnates, explains the approach: reaching out before publication, hearing all sides, and making careful, case-by-case decisions with balance and responsibility.
⚖ Balanced reporting
📞 Right of response
📰 Responsible journalism
#FinanceMagnates #FinancialJournalism #ResponsibleReporting #FinanceNews #EditorialStandards
Yam Yehoshua, Editor-in-Chief at Finance Magnates, explains the approach: reaching out before publication, hearing all sides, and making careful, case-by-case decisions with balance and responsibility.
⚖ Balanced reporting
📞 Right of response
📰 Responsible journalism
#FinanceMagnates #FinancialJournalism #ResponsibleReporting #FinanceNews #EditorialStandards
Executive Interview | Kieran Duff | Head of UK Growth & Business Development, Darwinex | FMLS:25
Executive Interview | Kieran Duff | Head of UK Growth & Business Development, Darwinex | FMLS:25
Here is our conversation with Kieran Duff, who brings a rare dual view of the market as both a broker and a trader at Darwinex.
We begin with his take on the Summit and then turn to broker growth. Kieran shares one quick, practical tip brokers can use right now to improve performance. We also cover the rising spotlight on prop trading and whether it is good or bad for the trading industry.
Kieran explains where Darwinex sits on the CFDs-broker-meets-funding spectrum, and how the model differs from the typical setups seen across the market.
We finish with a look at how he uses AI in his daily workflow — both inside the brokerage and in his own trading.
Here is our conversation with Kieran Duff, who brings a rare dual view of the market as both a broker and a trader at Darwinex.
We begin with his take on the Summit and then turn to broker growth. Kieran shares one quick, practical tip brokers can use right now to improve performance. We also cover the rising spotlight on prop trading and whether it is good or bad for the trading industry.
Kieran explains where Darwinex sits on the CFDs-broker-meets-funding spectrum, and how the model differs from the typical setups seen across the market.
We finish with a look at how he uses AI in his daily workflow — both inside the brokerage and in his own trading.
Why does trust matter in financial news? #TrustedNews #FinanceNews #CapitalMarkets
Why does trust matter in financial news? #TrustedNews #FinanceNews #CapitalMarkets
According to Yam Yehoshua, Editor-in-Chief at Finance Magnates, in a world flooded with information, the difference lies in rigorous cross-checking, human scrutiny, and a commitment to publishing only factual, trustworthy reporting.
📰 Verified reporting
🔎 Human-led scrutiny
✅ Facts over noise
According to Yam Yehoshua, Editor-in-Chief at Finance Magnates, in a world flooded with information, the difference lies in rigorous cross-checking, human scrutiny, and a commitment to publishing only factual, trustworthy reporting.
📰 Verified reporting
🔎 Human-led scrutiny
✅ Facts over noise
