The recent
XTB security breach that allegedly cost a Polish client approximately 150,000
zlotys ($38,000) has ignited a fierce debate about whether optional
security measures are sufficient for CFD brokers and retail trading
platforms in 2025.
Following
the incident, where hackers reportedly executed thousands of rapid trades to
drain a client’s account, cybersecurity experts are calling for fundamental
changes to how financial companies protect client assets.
As it turns
out, the XTB case is not isolated, and when it comes to retail trading
companies, the saying “you can bank on it” doesn’t always hold true.
The Anatomy of a Modern
Financial Hack
Rather than
attempting direct fund transfers, which can only be executed on a verified
account, hackers opened simultaneous buy-sell transactions on low-liquidity
securities, consistently profiting on one side while draining the victim’s XTB account
on the other. The client had not enabled two-factor authentication (2FA),
a detail that has become central to the broader security debate.

“2FA
isn’t just recommended, it’s a must. Even the strongest password is still a
single point of failure. A simple password combined with enforced 2FA is far
safer than forcing users into complex ones they’ll end up writing down,”
commented Mate Ivanszky, Founder & CEO of Matworks.
What makes
this case particularly concerning is the apparent lack of automated fraud
detection. The attack exhibited multiple red flags that should have triggered
immediate security responses: an unfamiliar IP address, extraordinarily high
trading volumes, and behavior completely outside the client’s historical
patterns.
If a trader
typically performs two or three operations per month and suddenly executes
hundreds in a single day, the system should catch that. XTB, however, takes a
different view, citing the specific nature of the market as its explanation.
“Due to the
nature of the market and the speed at which investment decisions are made, we
do not apply automatic restrictions based on changes in investor preferences, such
as the initiation of trading in different instruments,” XTB’s PR department explained.
Shareholders seemed to have a different opinion, as XTB shares fell by over 6% that same day, testing three-month lows.
Expert
Consensus:
Optional Security is No Longer Acceptable

Jon
Bellard, Head of Product at Rootshell Security, argues that the incident
exposes fundamental gaps in modern fintech security. “While the user not enabling 2FA is a
clear risk factor, platforms like XTB carry a responsibility to protect users
even when they make mistakes,” he states. “In 2025, it’s not enough to offer
2FA, it should be mandatory, particularly for high-risk platforms.”
And while 2FA
might seem like a legal requirement today, XTB explains that this is not always
the case: “PSD2 regulations and payment services laws apply to companies
providing payment services, not brokerage firms like XTB. Therefore, these
regulations only apply to our eWallet payment service provided by DiPocket,
where we implemented strong authentication in August 2024.”
This
highlights that brokerage activities do not face the same mandatory security
requirements as traditional banking services, even though they involve similar
financial risks.
However, in
an interview with FinanceMagnates.com, XTB’s CEO noted that 80% of the
company’s new clients invest in stocks and ETFs rather than CFDs. He also
reiterated XTB’s ambition to become an “all-in-one financial super app.” Given
this shift toward more bank-like services, shouldn’t the company prioritize
stronger security measures?
A Mixed Picture of Industry
Standard
While XTB’s
approach appears questionable, it seems that CFD broker and retail trading
apps security standards across the industry remain inconsistent. The reality is
that many don’t implement significantly more security measures than XTB’s
original setup, suggesting this is an industry-wide challenge rather than an
isolated problem.
FinanceMagnates.com
has verified that Robinhood also offers only optional 2FA. While Plus500 does
require 2FA, when it comes to additional protections, such as IP blocking or
geo-restrictions, these are generally lacking. Whether it’s a large publicly
listed broker or a fintech focused on retail trading, most rely on fraud
detection systems, login alerts, and manual reviews.

“Security
cannot be a user’s responsibility when entrusted with client money,” commented
Marijus Breidis, the CTO at NordVPN. “Behavioral risk detection should be
enabled by default, not buried in settings menus. Platforms prioritize
convenience over fundamental security and then blame their customers when the
inevitable happens. That approach is irresponsible and completely surrenders
their duty to protect client assets.”
Ivanszky agrees with his statement, adding that regulated financial institutions have a clear and enforceable duty to safeguard client funds. “This responsibility
begins with ensuring that access to client accounts is properly authenticated,
and continues through every transaction that could affect the security or
disposition of those funds.”
XTB Does Not Confirm
Incident, but Increases Security Measures
XTB neither
confirms nor denies that such an incident occurred, but emphasizes that no
similar breach has ever taken place involving clients with 2FA enabled.
Moreover, following
the public outcry, XTB may end up being more secure than industry standard. The
company’s press office outlined its current approach: “In recent weeks, we
have significantly simplified and expanded 2FA. Extended testing has already
been completed, and as of July 14, clients will have two options: SMS codes or
an authenticator app.”
The firm will also begin automatically enabling 2FA for existing clients, and
starting in Q4 2025, all new users will be required to activate it. The company
has also introduced additional monitoring systems.
“We
continuously monitor information about password leaks published online and
cross-check them with our database. If a match is found, we notify clients to
change their password,” the spokesperson said. “We have also built
and continue to expand our internal database of suspicious IP addresses, logins
from such locations trigger enhanced security protocols.”
The recent
XTB security breach that allegedly cost a Polish client approximately 150,000
zlotys ($38,000) has ignited a fierce debate about whether optional
security measures are sufficient for CFD brokers and retail trading
platforms in 2025.
Following
the incident, where hackers reportedly executed thousands of rapid trades to
drain a client’s account, cybersecurity experts are calling for fundamental
changes to how financial companies protect client assets.
As it turns
out, the XTB case is not isolated, and when it comes to retail trading
companies, the saying “you can bank on it” doesn’t always hold true.
The Anatomy of a Modern
Financial Hack
Rather than
attempting direct fund transfers, which can only be executed on a verified
account, hackers opened simultaneous buy-sell transactions on low-liquidity
securities, consistently profiting on one side while draining the victim’s XTB account
on the other. The client had not enabled two-factor authentication (2FA),
a detail that has become central to the broader security debate.

“2FA
isn’t just recommended, it’s a must. Even the strongest password is still a
single point of failure. A simple password combined with enforced 2FA is far
safer than forcing users into complex ones they’ll end up writing down,”
commented Mate Ivanszky, Founder & CEO of Matworks.
What makes
this case particularly concerning is the apparent lack of automated fraud
detection. The attack exhibited multiple red flags that should have triggered
immediate security responses: an unfamiliar IP address, extraordinarily high
trading volumes, and behavior completely outside the client’s historical
patterns.
If a trader
typically performs two or three operations per month and suddenly executes
hundreds in a single day, the system should catch that. XTB, however, takes a
different view, citing the specific nature of the market as its explanation.
“Due to the
nature of the market and the speed at which investment decisions are made, we
do not apply automatic restrictions based on changes in investor preferences, such
as the initiation of trading in different instruments,” XTB’s PR department explained.
Shareholders seemed to have a different opinion, as XTB shares fell by over 6% that same day, testing three-month lows.
Expert
Consensus:
Optional Security is No Longer Acceptable

Jon
Bellard, Head of Product at Rootshell Security, argues that the incident
exposes fundamental gaps in modern fintech security. “While the user not enabling 2FA is a
clear risk factor, platforms like XTB carry a responsibility to protect users
even when they make mistakes,” he states. “In 2025, it’s not enough to offer
2FA, it should be mandatory, particularly for high-risk platforms.”
And while 2FA
might seem like a legal requirement today, XTB explains that this is not always
the case: “PSD2 regulations and payment services laws apply to companies
providing payment services, not brokerage firms like XTB. Therefore, these
regulations only apply to our eWallet payment service provided by DiPocket,
where we implemented strong authentication in August 2024.”
This
highlights that brokerage activities do not face the same mandatory security
requirements as traditional banking services, even though they involve similar
financial risks.
However, in
an interview with FinanceMagnates.com, XTB’s CEO noted that 80% of the
company’s new clients invest in stocks and ETFs rather than CFDs. He also
reiterated XTB’s ambition to become an “all-in-one financial super app.” Given
this shift toward more bank-like services, shouldn’t the company prioritize
stronger security measures?
A Mixed Picture of Industry
Standard
While XTB’s
approach appears questionable, it seems that CFD broker and retail trading
apps security standards across the industry remain inconsistent. The reality is
that many don’t implement significantly more security measures than XTB’s
original setup, suggesting this is an industry-wide challenge rather than an
isolated problem.
FinanceMagnates.com
has verified that Robinhood also offers only optional 2FA. While Plus500 does
require 2FA, when it comes to additional protections, such as IP blocking or
geo-restrictions, these are generally lacking. Whether it’s a large publicly
listed broker or a fintech focused on retail trading, most rely on fraud
detection systems, login alerts, and manual reviews.

“Security
cannot be a user’s responsibility when entrusted with client money,” commented
Marijus Breidis, the CTO at NordVPN. “Behavioral risk detection should be
enabled by default, not buried in settings menus. Platforms prioritize
convenience over fundamental security and then blame their customers when the
inevitable happens. That approach is irresponsible and completely surrenders
their duty to protect client assets.”
Ivanszky agrees with his statement, adding that regulated financial institutions have a clear and enforceable duty to safeguard client funds. “This responsibility
begins with ensuring that access to client accounts is properly authenticated,
and continues through every transaction that could affect the security or
disposition of those funds.”
XTB Does Not Confirm
Incident, but Increases Security Measures
XTB neither
confirms nor denies that such an incident occurred, but emphasizes that no
similar breach has ever taken place involving clients with 2FA enabled.
Moreover, following
the public outcry, XTB may end up being more secure than industry standard. The
company’s press office outlined its current approach: “In recent weeks, we
have significantly simplified and expanded 2FA. Extended testing has already
been completed, and as of July 14, clients will have two options: SMS codes or
an authenticator app.”
The firm will also begin automatically enabling 2FA for existing clients, and
starting in Q4 2025, all new users will be required to activate it. The company
has also introduced additional monitoring systems.
“We
continuously monitor information about password leaks published online and
cross-check them with our database. If a match is found, we notify clients to
change their password,” the spokesperson said. “We have also built
and continue to expand our internal database of suspicious IP addresses, logins
from such locations trigger enhanced security protocols.”
This post is originally published on FINANCEMAGNATES.