Retail
investment app XTB announced it will reimburse all clients who lost money to
cybercriminals, following an alleged hacking scheme where a Polish client
publicly claimed to have lost approximately 150,000 zlotys ($38,000).
The publicly
listed company (WSE: XTB) also states that the refund will not affect its
financial results and announces plans to implement additional security measures
in the coming months.
Client Losses Affect Small
Fraction of XTB Users
XTB’s
internal data shows cybercriminal attacks affected just 0.017% of its client
base. The company said none of the affected clients had activated two-factor
authentication (2FA) at the time of the incidents, highlighting the importance
of additional security measures.
The
Warsaw-based broker expects the total compensation amount won’t materially
impact its financial results, though it didn’t specify the exact figure
involved. XTB plans to contact affected clients directly in the coming weeks to
arrange payments .
“Our
strategy is to offer the best investment application for managing investments
both passively and actively,” CEO Omar Arnaout said. “We want our
clients to be confident that they can safely invest in the XTB app with
long-term goals or additional retirement in mind.”
The move
comes after XTB released preliminary financial results for Q2, reporting
the acquisition of 361,000 new clients and a net profit of PLN 2.165
billion, compared to the analysts’ consensus of PLN 230–240 million.
Security Overhaul
Following Media Attention
The
announcement follows mounting pressure after the alleged victim’s story gained
traction across local financial forums and media outlets. The client described
how hackers executed
simultaneous buy-sell transactions on low-liquidity securities, with his
account consistently losing money while the attacker’s separate account
profited. The case prompted scrutiny of the platform’s security measures and
client protection policies.
XTB stock
fell more than 6% on the Monday following the initial media reports, marking
its sharpest single-day decline of the year before recovering nearly 3% the
following day.
The
platform claims, however, it has significantly increased its cybersecurity
investments, with the security department budget jumping 48% in 2024 compared
to the previous year. Arnaout said those investments will continue growing in
coming years.
Mandatory Two-Factor
Authentication Rollout
XTB
introduced two-factor authentication options starting in 2024, initially
through SMS verification. In July, after the alleged hack, the
company added support for time-based one-time passwords through apps like
Google Authenticator and Microsoft Authenticator.
The company
is now completing mandatory 2FA rollout for Polish users and plans to extend
the requirement to clients in the Czech Republic and Spain in the coming weeks.
Other European branches will follow, with automatic activation planned for all
new accounts starting in the fourth quarter.
Currently,
only about 10% of XTB customers use two-factor authentication, according to
company data.
Broader Industry Security
Challenges
The
reimbursement program addresses growing concerns as financial services
companies across Europe face rising cyber threats. A European Central Bank
report highlighted the financial sector as particularly vulnerable to attacks
involving unauthorized account access and data theft.
According
to XTB, additional security features in development include the ability to
instantly log out of all sessions and block accounts directly from the mobile
app, plus enhanced monitoring of user behavior patterns.
“We
understand that the financial industry must stand out with the highest
standards of security and trust,” Arnaout said. “After all,
institutions like XTB are where clients’ money works.”
The company
cited broader cybersecurity challenges facing financial technology firms,
noting that Poland recorded 103,449 unique security incidents in 2024, a 29%
increase from the previous year.
Retail
investment app XTB announced it will reimburse all clients who lost money to
cybercriminals, following an alleged hacking scheme where a Polish client
publicly claimed to have lost approximately 150,000 zlotys ($38,000).
The publicly
listed company (WSE: XTB) also states that the refund will not affect its
financial results and announces plans to implement additional security measures
in the coming months.
Client Losses Affect Small
Fraction of XTB Users
XTB’s
internal data shows cybercriminal attacks affected just 0.017% of its client
base. The company said none of the affected clients had activated two-factor
authentication (2FA) at the time of the incidents, highlighting the importance
of additional security measures.
The
Warsaw-based broker expects the total compensation amount won’t materially
impact its financial results, though it didn’t specify the exact figure
involved. XTB plans to contact affected clients directly in the coming weeks to
arrange payments .
“Our
strategy is to offer the best investment application for managing investments
both passively and actively,” CEO Omar Arnaout said. “We want our
clients to be confident that they can safely invest in the XTB app with
long-term goals or additional retirement in mind.”
The move
comes after XTB released preliminary financial results for Q2, reporting
the acquisition of 361,000 new clients and a net profit of PLN 2.165
billion, compared to the analysts’ consensus of PLN 230–240 million.
Security Overhaul
Following Media Attention
The
announcement follows mounting pressure after the alleged victim’s story gained
traction across local financial forums and media outlets. The client described
how hackers executed
simultaneous buy-sell transactions on low-liquidity securities, with his
account consistently losing money while the attacker’s separate account
profited. The case prompted scrutiny of the platform’s security measures and
client protection policies.
XTB stock
fell more than 6% on the Monday following the initial media reports, marking
its sharpest single-day decline of the year before recovering nearly 3% the
following day.
The
platform claims, however, it has significantly increased its cybersecurity
investments, with the security department budget jumping 48% in 2024 compared
to the previous year. Arnaout said those investments will continue growing in
coming years.
Mandatory Two-Factor
Authentication Rollout
XTB
introduced two-factor authentication options starting in 2024, initially
through SMS verification. In July, after the alleged hack, the
company added support for time-based one-time passwords through apps like
Google Authenticator and Microsoft Authenticator.
The company
is now completing mandatory 2FA rollout for Polish users and plans to extend
the requirement to clients in the Czech Republic and Spain in the coming weeks.
Other European branches will follow, with automatic activation planned for all
new accounts starting in the fourth quarter.
Currently,
only about 10% of XTB customers use two-factor authentication, according to
company data.
Broader Industry Security
Challenges
The
reimbursement program addresses growing concerns as financial services
companies across Europe face rising cyber threats. A European Central Bank
report highlighted the financial sector as particularly vulnerable to attacks
involving unauthorized account access and data theft.
According
to XTB, additional security features in development include the ability to
instantly log out of all sessions and block accounts directly from the mobile
app, plus enhanced monitoring of user behavior patterns.
“We
understand that the financial industry must stand out with the highest
standards of security and trust,” Arnaout said. “After all,
institutions like XTB are where clients’ money works.”
The company
cited broader cybersecurity challenges facing financial technology firms,
noting that Poland recorded 103,449 unique security incidents in 2024, a 29%
increase from the previous year.
This post is originally published on FINANCEMAGNATES.
