XTB Tightens Security, Mandates 2FA After Alleged Client Hack Results in 150K Loss

Polish online broker XTB is implementing stronger security protocols after a client publicly claimed to have lost approximately 150,000 Polish zloty ($38,000) in what appears to be a sophisticated hacking scheme that might have affected at least a few investors across Central Europe.

XTB Faces Security Scrutiny After Client Loses $38,000 in Alleged Hack

The controversy erupted over the weekend when a five-year XTB client shared a detailed post on social media describing how hackers allegedly drained his account through thousands of rapid-fire trades on obscure financial instruments (including nano-cap companies such as Spruce Power). The client, who had built his portfolio to nearly 200,000 zlotys, discovered that 75% of his funds had vanished in what he described as a “programmed slaughter” of his holdings.

A portion of the statement shared by the alleged victim shows hundreds of unusual transactions

The alleged hacker’s method was particularly clever. Rather than attempting direct
withdrawals, which XTB restricts to verified customer bank accounts, the
attacker reportedly executed simultaneous buy-sell transactions on low-liquidity
securities. The victim’s account consistently lost money on each trade while
the hacker’s separate account profited from the other side of the transactions.

“Everything
was sold in minutes: even long-held stocks, ETFs, securities that hadn’t been
touched for years,” the client wrote in his viral post.

Should Clients Protect Themselves, or Do Firms Share the Responsibility?

It is worth noting that the client had not enabled two-factor authentication (2FA), which the broker introduced as an optional security feature in September last year. Nevertheless, the incident prompted a swift response from the fintech. Hours after the client’s story gained traction across local financial forums and media outlets, the broker announced plans to enhance its two-factor authentication system and make it mandatory for all users.

Adam Dubiel, Chief Product & Technology Officer at XTB

“Security
of XTB client funds is our highest priority,” said Adam Dubiel, Chief
Product & Technology Officer at XTB. “We have taken action in three
areas: further improvement and development of two-factor authentication
methods, mandatory securing of client accounts through 2FA, and active
communication and education in the field of security.”

The controversy also boosted uncertainty around the company’s stock (WSE: XTB), which fell more than 6% on Monday, testing the April lows and marking its sharpest single-day decline of the year. On Tuesday, July 8, 2025, however, XTB shares rebounded by nearly 3%, climbing back toward 72 zł.

Potential Security Gaps Exposed

The victim says that when he contacted customer support, he received what he described as a dismissive response: “I get calls like yours all day, every day. Nothing can be done.”

According to the client, his complaints filed with XTB were rejected twice, with the company citing
terms of service that place responsibility for password security on the
customers.

“Different
passwords, different computers, different phones, different security measures.
One common denominator, XTB account and complete lack of platform
responsibility,” the client wrote.

FinanceMagnates.com found several stories on social media, including Facebook and X, from traders who claim they were scammed in a similar way. The oldest example found dates back to April 5 and involves a similar situation described by a Romanian trader.

Source: Facebook

The
alleged victim we spoke with stated that he would provide contact details for
other affected individuals but had not done so by the time of publication.

XTB Responds with Security Overhaul

In response
to the mounting criticism, XTB announced several security enhancements.
Starting July 14, customers will be able to use Time-based One-Time Password
(TOTP) authentication through apps like Google Authenticator, moving beyond the
current SMS-based system.

“As a
leader in the investment industry, we are fully aware that cybersecurity issues
are among the greatest challenges in today’s financial world and affect the
entire financial sector,” XTB commented in a statement sent to FinanceMagnates.com. “As for the post on one of the online
forums, we are currently verifying the information presented there. At the same
time, we remind our clients that official complaint procedures are available.
Each case is analyzed individually based on applicable laws and our internal
procedures.”

The broker
revealed that only about 10% of its customers currently use two-factor
authentication. XTB plans to begin automatically enabling 2FA for existing
customers in the second half of July, with all new accounts requiring it by the
fourth quarter of 2025.

The company
also cited broader cybersecurity challenges facing financial technology firms,
noting that Poland recorded 103,449 unique security incidents in 2024, a 29%
increase from the previous year.

Industry Expert Weighs In

Michał Masłowski, Vice President of Poland’s Individual Investors Association

Michał Masłowski, Vice President of Poland’s Individual Investors Association, emphasized that both financial institutions and clients must collaborate to combat hacking attempts.

“Such
‘details’ as 2FA, double authentication using either SMS passwords or one-time
passwords from applications like Google Authenticator, are simply mandatory
when logging into any accounts where we have even small amounts,”
Masłowski said.

Samołyk from Inwestomat.eu

According
to Mateusz Samołyk from Inwestomat.eu, one of the individuals who helped bring
the case to public attention in Polish media, the broker should implement
several key safeguards:

1. Mandatory two-factor authentication with no option for users to disable it.
2. Real-time monitoring of suspicious activity, such as sudden spikes in trading volume from a few monthly trades to hundreds in rapid succession.
3. New device and location verification, requiring confirmation via email or phone for logins from unfamiliar IP addresses or geographic regions.
4. Instant login alerts sent by email and SMS whenever an account is accessed from a new device.
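Two of the safeguards Samołyk lists are detection rules a broker can run on its own event stream. As an added example (not XTB's system and not from the article), the Python below evaluates them over constructed events: a per-account sliding-window trade-velocity check whose threshold is scaled to the account's usual monthly activity, and a new-device / new-country check on logins that decides whether out-of-band confirmation and a client notification are required. Account ids, symbols, baselines, thresholds and the sample trades and logins are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Trade:
    account: str
    ts: int        # Unix seconds
    symbol: str
    side: str      # "BUY" or "SELL"


@dataclass(frozen=True)
class Login:
    account: str
    ts: int
    device_id: str
    country: str   # ISO country code resolved from the source IP


@dataclass(frozen=True)
class Alert:
    account: str
    ts: int
    kind: str
    detail: str


def detect_trade_bursts(trades: Iterable[Trade], baseline_monthly: Dict[str, int],
                        window_s: int = 300, factor: int = 5, floor: int = 20) -> List[Alert]:
    """Sliding-window velocity check.

    An account that usually places a few trades a month should not be able to
    fire hundreds in minutes unchallenged. Alert when the trades seen in the last
    `window_s` seconds reach max(floor, factor * monthly baseline); one alert per
    account per burst, so a long burst does not flood the queue.
    """
    windows: Dict[str, deque] = defaultdict(deque)
    in_burst: Set[str] = set()
    alerts: List[Alert] = []
    for t in sorted(trades, key=lambda x: x.ts):
        w = windows[t.account]
        w.append(t.ts)
        while w and t.ts - w[0] > window_s:  # drop trades that fell out of the window
            w.popleft()
        threshold = max(floor, factor * baseline_monthly.get(t.account, 0))
        if len(w) >= threshold:
            if t.account not in in_burst:
                in_burst.add(t.account)
                alerts.append(Alert(t.account, t.ts, "trade_burst",
                                    f"{len(w)} trades in {window_s}s on {t.symbol} "
                                    f"(threshold {threshold})"))
        else:
            in_burst.discard(t.account)  # burst has subsided; a new one may alert again
    return alerts


def check_login(login: Login, known_devices: Dict[str, Set[str]],
                known_countries: Dict[str, Set[str]]) -> dict:
    """New device / new location rule: an unfamiliar device id or country means the
    session is not trusted until confirmed out-of-band, and the client is notified."""
    reasons = []
    if login.device_id not in known_devices.get(login.account, set()):
        reasons.append("new_device")
    if login.country not in known_countries.get(login.account, set()):
        reasons.append("new_country")
    return {"step_up_required": bool(reasons), "notify_client": bool(reasons), "reasons": reasons}


# Constructed sample data (not from the article). ACC-1 normally trades ~3 times a
# month, ACC-2 ~4 times a month.
BASELINE_MONTHLY = {"ACC-1": 3, "ACC-2": 4}
T0 = 1_700_000_000
SAMPLE_TRADES = [Trade("ACC-2", T0, "ETF-A", "BUY"), Trade("ACC-2", T0 + 86_400, "ETF-A", "SELL")]
# ACC-1: 60 alternating buy/sell orders two seconds apart on an illiquid symbol
SAMPLE_TRADES += [Trade("ACC-1", T0 + 2 * i, "NANO-X", "BUY" if i % 2 == 0 else "SELL")
                  for i in range(60)]
KNOWN_DEVICES = {"ACC-1": {"dev-phone-1"}}
KNOWN_COUNTRIES = {"ACC-1": {"PL"}}

if __name__ == "__main__":
    for a in detect_trade_bursts(SAMPLE_TRADES, BASELINE_MONTHLY):
        print(a)
    print(check_login(Login("ACC-1", T0, "dev-phone-1", "PL"), KNOWN_DEVICES, KNOWN_COUNTRIES))
    print(check_login(Login("ACC-1", T0, "dev-unknown-9", "DE"), KNOWN_DEVICES, KNOWN_COUNTRIES))
```

With the constructed data, ACC-1's threshold is max(20, 5 × 3) = 20, so the alert fires on its twentieth order, 38 seconds into the burst, while ACC-2's two trades a day apart never trip it. In a production system the alert would gate further orders pending confirmation rather than only log; the scaling by baseline is what keeps a genuinely active day trader from being flagged at the same absolute count as a buy-and-hold client.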

“All 4
account security methods I have already suggested to XTB and I will be waiting
for developments,” Samołyk commented on X.

XTB has not
indicated whether it will compensate affected customers or take additional
steps to assist ongoing police investigations into the alleged hacking scheme.

This post is originally published on FINANCEMAGNATES.
