XTB to Pay Back All Client Losses From Cyberattacks After Alleged 150K Polish Hack Goes Viral

Wednesday, 06/08/2025 | 06:36 GMT by Damian Chmiel
  • The company admitted that a small percentage of its clients fell victim to attacks, and none of them had 2FA enabled.
  • It also plans to implement additional security measures in its mobile app in the coming months.

Retail investment app XTB announced it will reimburse all clients who lost money to cybercriminals, following an alleged hacking scheme where a Polish client publicly claimed to have lost approximately 150,000 zlotys ($38,000).

The publicly listed company (WSE: XTB) also states that the refund will not affect its financial results and announces plans to implement additional security measures in the coming months.

Client Losses Affect Small Fraction of XTB Users

XTB's internal data shows cybercriminal attacks affected just 0.017% of its client base. The company said none of the affected clients had activated two-factor authentication (2FA) at the time of the incidents, highlighting the importance of additional security measures.

The Warsaw-based broker expects the total compensation amount won't materially impact its financial results, though it didn't specify the exact figure involved. XTB plans to contact affected clients directly in the coming weeks to arrange payments.

"Our strategy is to offer the best investment application for managing investments both passively and actively," CEO Omar Arnaout said. "We want our clients to be confident that they can safely invest in the XTB app with long-term goals or additional retirement in mind."

The move comes after XTB released preliminary financial results for Q2, reporting the acquisition of 361,000 new clients and a net profit of PLN 2.165 billion, compared to the analysts’ consensus of PLN 230–240 million.

Security Overhaul Following Media Attention

The announcement follows mounting pressure after the alleged victim's story gained traction across local financial forums and media outlets. The client described how hackers executed simultaneous buy-sell transactions on low-liquidity securities, with his account consistently losing money while the attacker's separate account profited. The case prompted scrutiny of the platform's security measures and client protection policies.

XTB stock fell more than 6% on the Monday following the initial media reports, marking its sharpest single-day decline of the year before recovering nearly 3% the following day.

The platform claims, however, it has significantly increased its cybersecurity investments, with the security department budget jumping 48% in 2024 compared to the previous year. Arnaout said those investments will continue growing in coming years.

Mandatory Two-Factor Authentication Rollout

XTB introduced two-factor authentication options starting in 2024, initially through SMS verification. In July, after the alleged hack, the company added support for time-based one-time passwords through apps like Google Authenticator and Microsoft Authenticator.

The company is now completing its mandatory 2FA rollout for Polish users and plans to extend the requirement to clients in the Czech Republic and Spain in the coming weeks. Other European branches will follow, with automatic activation planned for all new accounts starting in the fourth quarter.

Currently, only about 10% of XTB customers use two-factor authentication, according to company data.

Broader Industry Security Challenges

The reimbursement program addresses growing concerns as financial services companies across Europe face rising cyber threats. A European Central Bank report highlighted the financial sector as particularly vulnerable to attacks involving unauthorized account access and data theft.

According to XTB, additional security features in development include the ability to instantly log out of all sessions and block accounts directly from the mobile app, plus enhanced monitoring of user behavior patterns.

"We understand that the financial industry must stand out with the highest standards of security and trust," Arnaout said. "After all, institutions like XTB are where clients' money works."

The company cited broader cybersecurity challenges facing financial technology firms, noting that Poland recorded 103,449 unique security incidents in 2024, a 29% increase from the previous year.

About the Author: Damian Chmiel
Damian's adventure with financial markets began at the Cracow University of Economics, where he obtained his MA in finance and accounting. Starting from the retail trader perspective, he collaborated with brokerage houses and financial portals in Poland as an independent editor and content manager. He joined Finance Magnates in 2016, where he works as a business intelligence analyst.