XTB Adds a Kill Switch to Its Investment App to Lock Out Hackers

Tuesday, 10/03/2026 | 09:12 GMT by Damian Chmiel
  • The Polish broker says users can instantly freeze withdrawals, trades, and card payments if they suspect their account has been compromised.
  • The feature arrives months after an alleged hack cost a Polish client $38,000 and forced the company to overhaul its security policies.

XTB, the Warsaw-listed investment app, announced today (Tuesday) that it has rolled out an emergency lock feature that lets clients freeze all financial activity on their account with a single tap if they suspect unauthorized access.

Activating the lock simultaneously halts trading in all financial instruments, freezes withdrawals from every currency account, and cuts off eWallet transactions entirely, XTB said. Getting back in requires a password change followed by a facial recognition scan, the company's way of verifying that the person restoring access is the account's rightful owner, not an attacker who may still have hold of a device.

Omar Arnaout, CEO of XTB; Source: LinkedIn

"Digital and cybersecurity threats are rising fast, and still, too many people feel powerless when something looks wrong," CEO Omar Arnaout said. "We wanted to give our clients a way to take back control in seconds."

XTB's “Hack” Looms in the Background

The new feature follows months of public pressure over the firm's account security. Last year, a Polish client alleged losing roughly 150,000 zlotys ($38,000) in what appeared to be a sophisticated breach, describing how an attacker executed thousands of rapid trades on low-liquidity securities to drain a portfolio without ever triggering a direct withdrawal.

The case spread quickly across local financial forums and prompted XTB to tighten security protocols and make two-factor authentication mandatory, moves that only came after the story reached national media.

The fallout was immediate. XTB pledged to reimburse all clients who suffered losses from cyberattacks, while insisting the total payout would not materially affect its finances. The company's own data showed that cybercriminal attacks hit just 0.017% of its client base and that every affected account had been left without 2FA at the time of the breach.

How the Lock Works

The sequence is straightforward. A client who notices an unfamiliar login or an unexpected transaction can hit a single button, cutting off all trades, withdrawals, and card payments at once. Restoring access requires both a password reset and a facial scan, which XTB says guarantees only the legitimate account holder can unlock the platform.

The coverage extends to eWallet transactions, a detail that matters more now than it might have a year ago. XTB has been pushing hard to evolve beyond CFD trading, with Arnaout previously saying he wants spot crypto to reduce CFD revenue dominance from 95% to around 70%.

As the platform increasingly handles multi-currency payments, ATM withdrawals, and eWallet activity, the stakes attached to account-level security rise with it.

Retail Broker Security Under the Microscope

The alleged hack last year reignited a broader industry debate about whether optional security measures are sufficient for platforms holding retail investors' funds. Cybersecurity experts argued that 2FA should be mandatory across the board, not buried in settings that many users never touch. Other major brokerages, including Robinhood, were found at the time to rely on optional 2FA as well, pointing to a gap that ran across the industry.

XTB, which holds licenses from the FCA, CySEC, and Poland's Financial Supervisory Authority, now serves more than 2.1 million clients across 17 global offices. Arnaout had signaled for some time that the firm saw no ceiling on its path to two million annual clients, and the company has been extending its footprint into new geographies to reach that target, with Arnaout recently describing Indonesia as a market with a question mark that must prove itself within six months.

About the Author: Damian Chmiel
Damian's adventure with financial markets began at the Cracow University of Economics, where he obtained his MA in finance and accounting. Starting from the retail trader perspective, he collaborated with brokerage houses and financial portals in Poland as an independent editor and content manager. His adventure with Finance Magnates began in 2016, where he is working as a business intelligence analyst.