Financial and Business News

XTB Tightens Security, Mandates 2FA After Alleged Client Hack Results in 150K Loss

Tuesday, 08/07/2025 | 13:39 GMT by Damian Chmiel
  • The trader reportedly lost 75% of his account through hundreds of suspicious transactions executed by a third party.
  • The fintech stated that it is investigating the situation and is responding by enhancing its security measures.
XTB Headquarter in Warsaw, Poland
XTB Headquarter in Warsaw, Poland

Polish online broker XTB is implementing stronger security protocols after a client publicly claimed losing approximately 150,000 Polish zloty ($38,000) in what appears to be a sophisticated hacking scheme that might have affected at least a few investors across Central Europe.

XTB Faces Security Scrutiny After Client Loses $38,000 in Alleged Hack

The controversy erupted over the weekend when a five-year XTB client shared a detailed post on social media describing how hackers allegedly drained his account through thousands of rapid-fire trades on obscure financial instruments (including nano-caps companies like Spruce Power). The client, who had built his portfolio to nearly 200,000 zlotys, discovered 75% of his funds had vanished in what he described as "programmed slaughter" of his holdings.

A portion of the statement shared by the alleged victim shows hundreds of unusual transactions
A portion of the statement shared by the alleged victim shows hundreds of unusual transactions

The alleged hacker's method was particularly clever. Rather than attempting direct withdrawals, which XTB restricts to verified customer bank accounts, the attacker reportedly executed simultaneous buy-sell transactions on low-liquidity securities. The victim's account consistently lost money on each trade while the hacker's separate account profited from the other side of the transactions.

"Everything was sold in minutes: even long-held stocks, ETFs, securities that hadn't been touched for years," the client wrote in his viral post.

Should Clients Protect Themselves, or Do Firms Share the Responsibility?

It is worth noting, the client had not enabled two-factor authentication (2FA), which the broker introduced as an optional security feature in September last year. However, the action prompted a swift response from the fintech . Hours after the client's story gained traction across local financial forums and media outlets, the broker announced plans to enhance its two-factor authentication system and make it mandatory for all users.

Adam Dubiel, Chief Product & Technology Officer at XTB
Adam Dubiel, Chief Product & Technology Officer at XTB

"Security of XTB client funds is our highest priority," said Adam Dubiel, Chief Product & Technology Officer at XTB. "We have taken action in three areas: further improvement and development of two-factor authentication methods, mandatory securing of client accounts through 2FA, and active communication and education in the field of security."

The controversy also boosted uncertainty around the company’s stock (WSE: XTB), which fell more than 6% on Monday, testing the April lows and marking its sharpest single-day decline of the year. On Tuesday, July 8, 2025, however, XTB shares rebounded by nearly 3%, climbing back toward 72 zł.

Potential Security Gaps Exposed

The victim claims that when he contacted customer support, he allegedly received what he described as a dismissive response: "I get calls like yours all day, every day. Nothing can be done."

According to the client, his complaints filed with XTB were rejected twice, with the company citing terms of service that place responsibility for password security on the customers.

"Different passwords, different computers, different phones, different security measures. One common denominator, XTB account and complete lack of platform responsibility," the client wrote.

FinanceMagnates.com found several stories on social media, including Facebook and X, from traders who claim they were scammed in a similar way. The oldest example found dates back to April 5 and involves a similar situation described by a Romanian trader.

Source: Facebook
Source: Facebook

The alleged victim we spoke with stated that he would provide contact details for other affected individuals but had not done so by the time of publication.

XTB Responds with Security Overhaul

In response to the mounting criticism, XTB announced several security enhancements. Starting July 14, customers will be able to use Time-based One-Time Password (TOTP) authentication through apps like Google Authenticator, moving beyond the current SMS-based system.

“As a leader in the investment industry, we are fully aware that cybersecurity issues are among the greatest challenges in today’s financial world and affect the entire financial sector,” XTB commented in a statement sent to FinanceMagnates.com. “As for the post on one of the online forums, we are currently verifying the information presented there. At the same time, we remind our clients that official complaint procedures are available. Each case is analyzed individually based on applicable laws and our internal procedures.”

The broker revealed that only about 10% of its customers currently use two-factor authentication. XTB plans to begin automatically enabling 2FA for existing customers in the second half of July, with all new accounts requiring it by the fourth quarter of 2025.

The company also cited broader cybersecurity challenges facing financial technology firms, noting that Poland recorded 103,449 unique security incidents in 2024, a 29% increase from the previous year.

Industry Expert Weighs In

Michał Masłowski, Vice President of the Poland’s Individual Investors Association
Michał Masłowski, Vice President of the Poland’s Individual Investors Association

Michał Masłowski, Vice President of the Poland’s Individual Investors Association, emphasized that both financial institutions and clients must collaborate to combat hacking attempts.

"Such 'details' as 2FA, double authentication using either SMS passwords or one-time passwords from applications like Google Authenticator, are simply mandatory when logging into any accounts where we have even small amounts," Masłowski said.

Samołyk from Inwestomat.eu
Samołyk from Inwestomat.eu

According to Mateusz Samołyk from Inwestomat.eu, one of the individuals who helped bring the case to public attention in Polish media, the broker should implement several key safeguards:

Mandatory two-factor authentication with no option for users to disable it and real-time monitoring of suspicious activity, such as sudden spikes in trading volume, from a few monthly trades to hundreds in rapid succession. New device and location verification, requiring confirmation via email or phone for logins from unfamiliar IP addresses or geographic regions and instant login alerts sent by email and SMS whenever an account is accessed from a new device.

"All 4 account security methods I have already suggested to XTB and I will be waiting for developments,” Samołyk commented on X.

XTB has not indicated whether it will compensate affected customers or take additional steps to assist ongoing police investigations into the alleged hacking scheme.

Polish online broker XTB is implementing stronger security protocols after a client publicly claimed losing approximately 150,000 Polish zloty ($38,000) in what appears to be a sophisticated hacking scheme that might have affected at least a few investors across Central Europe.

XTB Faces Security Scrutiny After Client Loses $38,000 in Alleged Hack

The controversy erupted over the weekend when a five-year XTB client shared a detailed post on social media describing how hackers allegedly drained his account through thousands of rapid-fire trades on obscure financial instruments (including nano-caps companies like Spruce Power). The client, who had built his portfolio to nearly 200,000 zlotys, discovered 75% of his funds had vanished in what he described as "programmed slaughter" of his holdings.

A portion of the statement shared by the alleged victim shows hundreds of unusual transactions
A portion of the statement shared by the alleged victim shows hundreds of unusual transactions

The alleged hacker's method was particularly clever. Rather than attempting direct withdrawals, which XTB restricts to verified customer bank accounts, the attacker reportedly executed simultaneous buy-sell transactions on low-liquidity securities. The victim's account consistently lost money on each trade while the hacker's separate account profited from the other side of the transactions.

"Everything was sold in minutes: even long-held stocks, ETFs, securities that hadn't been touched for years," the client wrote in his viral post.

Should Clients Protect Themselves, or Do Firms Share the Responsibility?

It is worth noting, the client had not enabled two-factor authentication (2FA), which the broker introduced as an optional security feature in September last year. However, the action prompted a swift response from the fintech . Hours after the client's story gained traction across local financial forums and media outlets, the broker announced plans to enhance its two-factor authentication system and make it mandatory for all users.

Adam Dubiel, Chief Product & Technology Officer at XTB
Adam Dubiel, Chief Product & Technology Officer at XTB

"Security of XTB client funds is our highest priority," said Adam Dubiel, Chief Product & Technology Officer at XTB. "We have taken action in three areas: further improvement and development of two-factor authentication methods, mandatory securing of client accounts through 2FA, and active communication and education in the field of security."

The controversy also boosted uncertainty around the company’s stock (WSE: XTB), which fell more than 6% on Monday, testing the April lows and marking its sharpest single-day decline of the year. On Tuesday, July 8, 2025, however, XTB shares rebounded by nearly 3%, climbing back toward 72 zł.

Potential Security Gaps Exposed

The victim claims that when he contacted customer support, he allegedly received what he described as a dismissive response: "I get calls like yours all day, every day. Nothing can be done."

According to the client, his complaints filed with XTB were rejected twice, with the company citing terms of service that place responsibility for password security on the customers.

"Different passwords, different computers, different phones, different security measures. One common denominator, XTB account and complete lack of platform responsibility," the client wrote.

FinanceMagnates.com found several stories on social media, including Facebook and X, from traders who claim they were scammed in a similar way. The oldest example found dates back to April 5 and involves a similar situation described by a Romanian trader.

Source: Facebook
Source: Facebook

The alleged victim we spoke with stated that he would provide contact details for other affected individuals but had not done so by the time of publication.

XTB Responds with Security Overhaul

In response to the mounting criticism, XTB announced several security enhancements. Starting July 14, customers will be able to use Time-based One-Time Password (TOTP) authentication through apps like Google Authenticator, moving beyond the current SMS-based system.

“As a leader in the investment industry, we are fully aware that cybersecurity issues are among the greatest challenges in today’s financial world and affect the entire financial sector,” XTB commented in a statement sent to FinanceMagnates.com. “As for the post on one of the online forums, we are currently verifying the information presented there. At the same time, we remind our clients that official complaint procedures are available. Each case is analyzed individually based on applicable laws and our internal procedures.”

The broker revealed that only about 10% of its customers currently use two-factor authentication. XTB plans to begin automatically enabling 2FA for existing customers in the second half of July, with all new accounts requiring it by the fourth quarter of 2025.

The company also cited broader cybersecurity challenges facing financial technology firms, noting that Poland recorded 103,449 unique security incidents in 2024, a 29% increase from the previous year.

Industry Expert Weighs In

Michał Masłowski, Vice President of the Poland’s Individual Investors Association
Michał Masłowski, Vice President of the Poland’s Individual Investors Association

Michał Masłowski, Vice President of the Poland’s Individual Investors Association, emphasized that both financial institutions and clients must collaborate to combat hacking attempts.

"Such 'details' as 2FA, double authentication using either SMS passwords or one-time passwords from applications like Google Authenticator, are simply mandatory when logging into any accounts where we have even small amounts," Masłowski said.

Samołyk from Inwestomat.eu
Samołyk from Inwestomat.eu

According to Mateusz Samołyk from Inwestomat.eu, one of the individuals who helped bring the case to public attention in Polish media, the broker should implement several key safeguards:

Mandatory two-factor authentication with no option for users to disable it and real-time monitoring of suspicious activity, such as sudden spikes in trading volume, from a few monthly trades to hundreds in rapid succession. New device and location verification, requiring confirmation via email or phone for logins from unfamiliar IP addresses or geographic regions and instant login alerts sent by email and SMS whenever an account is accessed from a new device.

"All 4 account security methods I have already suggested to XTB and I will be waiting for developments,” Samołyk commented on X.

XTB has not indicated whether it will compensate affected customers or take additional steps to assist ongoing police investigations into the alleged hacking scheme.

Topics
xtb
About the Author: Damian Chmiel
Damian Chmiel
  • 3104 Articles
  • 96 Followers
Damian's adventure with financial markets began at the Cracow University of Economics, where he obtained his MA in finance and accounting. Starting from the retail trader perspective, he collaborated with brokerage houses and financial portals in Poland as an independent editor and content manager. His adventure with Finance Magnates began in 2016, where he is working as a business intelligence analyst.

More from the Author

Retail FX

Executive Interview | Drew Niv | Chief Strategy Officer, ATFX Connect | FMLS:25

Executive Interview | Drew Niv | Chief Strategy Officer, ATFX Connect | FMLS:25

In this conversation, we sit down with Drew Niv, CSO at ATFX Connect and one of the most influential figures in modern FX. We speak about market structure, the institutional view on liquidity, and the sharp rise of prop trading, a sector Drew has been commenting on in recent months. Drew explains why he once dismissed prop trading, why his view changed, and what he now thinks the model means for brokers, clients and risk managers. We explore subscription-fee dependency, the high reneging rate, and the long-term challenge: how brokers can build a more stable and honest version of the model. Drew also talks about the traffic advantage standalone prop firms have built and why brokers may still win in the long run if they take the right approach.

In this conversation, we sit down with Drew Niv, CSO at ATFX Connect and one of the most influential figures in modern FX. We speak about market structure, the institutional view on liquidity, and the sharp rise of prop trading, a sector Drew has been commenting on in recent months. Drew explains why he once dismissed prop trading, why his view changed, and what he now thinks the model means for brokers, clients and risk managers. We explore subscription-fee dependency, the high reneging rate, and the long-term challenge: how brokers can build a more stable and honest version of the model. Drew also talks about the traffic advantage standalone prop firms have built and why brokers may still win in the long run if they take the right approach.
More Videos

  • Executive Interview | Remonda Z. Kirketerp Møller| CEO & Founder Muinmos | FMLS:25

    Executive Interview | Remonda Z. Kirketerp Møller| CEO & Founder Muinmos | FMLS:25

    In this interview, Remonda Z. Kirketerp Møller, founder of Muinmos, breaks down the state of AI in regtech and what responsible adoption really looks like for brokers. We talk about rising fragmentation, the pressures around compliance accuracy, and why most firms are still in the early stages of AI maturity. Ramanda also shares insights on regulator sandboxes, shifting expectations around accountability, and the current reality of MiCA licensing and passporting in Europe. A concise look at where compliance, onboarding, and AI-driven processes are heading next.

    In this interview, Remonda Z. Kirketerp Møller, founder of Muinmos, breaks down the state of AI in regtech and what responsible adoption really looks like for brokers. We talk about rising fragmentation, the pressures around compliance accuracy, and why most firms are still in the early stages of AI maturity. Ramanda also shares insights on regulator sandboxes, shifting expectations around accountability, and the current reality of MiCA licensing and passporting in Europe. A concise look at where compliance, onboarding, and AI-driven processes are heading next.

  • Executive Interview | Aydin Bonabi | Founder, Surveill | FMLS:25

    Executive Interview | Aydin Bonabi | Founder, Surveill | FMLS:25

    In this conversation, we speak with Aydin Bonabi, CEO and co-founder of Surveill, a firm focused on fraud detection and AI-driven compliance tools for financial institutions. We start with Aydin’s view of the Summit and the challenges brokers face as fraud tactics grow more complex. He explains how firms can stay ahead through real-time signals, data patterns, and early-stage detection. We also talk about AI training and why compliance teams often struggle to keep models accurate, fair, and aligned with regulatory expectations. Aydin breaks down what “good” AI training looks like inside a financial environment, including the importance of clean data, domain expertise, and human oversight. He closes with a clear message: fraud is scaling, and so must the tools that stop it.

    In this conversation, we speak with Aydin Bonabi, CEO and co-founder of Surveill, a firm focused on fraud detection and AI-driven compliance tools for financial institutions. We start with Aydin’s view of the Summit and the challenges brokers face as fraud tactics grow more complex. He explains how firms can stay ahead through real-time signals, data patterns, and early-stage detection. We also talk about AI training and why compliance teams often struggle to keep models accurate, fair, and aligned with regulatory expectations. Aydin breaks down what “good” AI training looks like inside a financial environment, including the importance of clean data, domain expertise, and human oversight. He closes with a clear message: fraud is scaling, and so must the tools that stop it.

  • Exness expands its presence in Africa: Inside our interview with Paul Margarites in Cape Town

    Exness expands its presence in Africa: Inside our interview with Paul Margarites in Cape Town

    Finance Magnates met with Paul Margarites, Exness regional commercial director for Sub-Saharan Africa, during a visit to the firm’s office opening in Cape Town. In this talk, led by Andrea Badiola Mateos, Co-CEO at Finance Magnates, Paul shares views on the South African trading space, local user behavior, mobile trends, regulation, team growth, and how Exness plans to grow in more markets across the region. @Exness Read the article at: https://www.financemagnates.com/thought-leadership/exness-expands-its-presence-in-africa-inside-our-interview-with-paul-margarites/ #exness #financemagnates #exnesstrading #CFDtrading #tradeonline #africanews #capetown

    Finance Magnates met with Paul Margarites, Exness regional commercial director for Sub-Saharan Africa, during a visit to the firm’s office opening in Cape Town. In this talk, led by Andrea Badiola Mateos, Co-CEO at Finance Magnates, Paul shares views on the South African trading space, local user behavior, mobile trends, regulation, team growth, and how Exness plans to grow in more markets across the region. @Exness Read the article at: https://www.financemagnates.com/thought-leadership/exness-expands-its-presence-in-africa-inside-our-interview-with-paul-margarites/ #exness #financemagnates #exnesstrading #CFDtrading #tradeonline #africanews #capetown

  • Executive Interview | Jas Shah | FMLS:25

    Executive Interview | Jas Shah | FMLS:25

    Interview with Jas Shah Builder | Adviser | Fintech Writer | Product Strategist In this episode, Jonathan Fine sat down with Jas Shah, one of the most thoughtful voices in global fintech. Known for his work across advisory, product, stablecoins, and his widely read writing, Jas brings a rare combination of industry insight and plain-spoken clarity. We talk about his first impression of the Summit, the projects that keep him busy today, and how they connect to the stablecoin panel he joined. Jas shares his view on the link between fintech, wealthtech and retail brokers, especially as firms like Revolut, eToro and Trading212 blur long-standing lines in the market. We also explore what stablecoin adoption might look like for retail investment platforms, including a few product and UX angles that are not obvious at first glance. To close, Jas explains how he thinks about writing, and how he approaches “shipping” pieces that spark debate across the industry.

    Interview with Jas Shah Builder | Adviser | Fintech Writer | Product Strategist In this episode, Jonathan Fine sat down with Jas Shah, one of the most thoughtful voices in global fintech. Known for his work across advisory, product, stablecoins, and his widely read writing, Jas brings a rare combination of industry insight and plain-spoken clarity. We talk about his first impression of the Summit, the projects that keep him busy today, and how they connect to the stablecoin panel he joined. Jas shares his view on the link between fintech, wealthtech and retail brokers, especially as firms like Revolut, eToro and Trading212 blur long-standing lines in the market. We also explore what stablecoin adoption might look like for retail investment platforms, including a few product and UX angles that are not obvious at first glance. To close, Jas explains how he thinks about writing, and how he approaches “shipping” pieces that spark debate across the industry.