XTB Tightens Security, Mandates 2FA After Alleged Client Hack Results in 150K Loss
Polish online broker XTB is implementing stronger security protocols after a client publicly claimed to have lost approximately 150,000 Polish zloty ($38,000) in what appears to be a sophisticated hacking scheme that may have affected at least a few investors across Central Europe.
XTB Faces Security Scrutiny After Client Loses $38,000 in Alleged Hack
The controversy erupted over the weekend when a five-year XTB client shared a detailed post on social media describing how hackers allegedly drained his account through thousands of rapid-fire trades on obscure financial instruments (including nano-cap companies such as Spruce Power). The client, who had built his portfolio to nearly 200,000 zlotys, discovered that 75% of his funds had vanished in what he described as a "programmed slaughter" of his holdings.
[Image: a portion of the account statement shared by the alleged victim, showing hundreds of unusual transactions]
The alleged hacker's method was particularly clever. Rather than attempting direct withdrawals, which XTB restricts to verified customer bank accounts, the attacker reportedly executed simultaneous buy-sell transactions on low-liquidity securities. The victim's account consistently lost money on each trade while the hacker's separate account profited from the other side of the transactions.
"Everything was sold in minutes: even long-held stocks, ETFs, securities that hadn't been touched for years," the client wrote in his viral post.
Should Clients Protect Themselves, or Do Firms Share the Responsibility?
It is worth noting that the client had not enabled two-factor authentication (2FA), which the broker introduced as an optional security feature in September last year. Nevertheless, the incident prompted a swift response from the fintech. Hours after the client's story gained traction across local financial forums and media outlets, the broker announced plans to enhance its two-factor authentication system and make it mandatory for all users.
"Security of XTB client funds is our highest priority," said Adam Dubiel, Chief Product & Technology Officer at XTB. "We have taken action in three areas: further improvement and development of two-factor authentication methods, mandatory securing of client accounts through 2FA, and active communication and education in the field of security."
The controversy also added to uncertainty around the company’s stock (WSE: XTB), which fell more than 6% on Monday, testing the April lows and marking its sharpest single-day decline of the year. On Tuesday, July 8, 2025, however, XTB shares rebounded by nearly 3%, climbing back toward 72 zł.
Potential Security Gaps Exposed
The victim claims that when he contacted customer support, he allegedly received what he described as a dismissive response: "I get calls like yours all day, every day. Nothing can be done."
According to the client, his complaints filed with XTB were rejected twice, with the company citing terms of service that place responsibility for password security on the customers.
"Different passwords, different computers, different phones, different security measures. One common denominator, XTB account and complete lack of platform responsibility," the client wrote.
FinanceMagnates.com found several stories on social media, including Facebook and X, from traders who claim they were scammed in a similar way. The oldest example found dates back to April 5 and involves a similar situation described by a Romanian trader.
[Image: social media post describing a similar case. Source: Facebook]
The alleged victim we spoke with stated that he would provide contact details for other affected individuals but had not done so by the time of publication.
XTB Responds with Security Overhaul
In response to the mounting criticism, XTB announced several security enhancements. Starting July 14, customers will be able to use Time-based One-Time Password (TOTP) authentication through apps like Google Authenticator, moving beyond the current SMS-based system.
“As a leader in the investment industry, we are fully aware that cybersecurity issues are among the greatest challenges in today’s financial world and affect the entire financial sector,” XTB commented in a statement sent to FinanceMagnates.com. “As for the post on one of the online forums, we are currently verifying the information presented there. At the same time, we remind our clients that official complaint procedures are available. Each case is analyzed individually based on applicable laws and our internal procedures.”
The broker revealed that only about 10% of its customers currently use two-factor authentication. XTB plans to begin automatically enabling 2FA for existing customers in the second half of July, with all new accounts requiring it by the fourth quarter of 2025.
The company also cited broader cybersecurity challenges facing financial technology firms, noting that Poland recorded 103,449 unique security incidents in 2024, a 29% increase from the previous year.
Industry Expert Weighs In
Michał Masłowski, Vice President of Poland’s Individual Investors Association, emphasized that both financial institutions and clients must collaborate to combat hacking attempts.
"Such 'details' as 2FA, double authentication using either SMS passwords or one-time passwords from applications like Google Authenticator, are simply mandatory when logging into any accounts where we have even small amounts," Masłowski said.
According to Mateusz Samołyk from Inwestomat.eu, one of the individuals who helped bring the case to public attention in Polish media, the broker should implement four key safeguards:
1. Mandatory two-factor authentication, with no option for users to disable it.
2. Real-time monitoring of suspicious activity, such as a sudden spike in trading volume from a few trades a month to hundreds in rapid succession.
3. New device and location verification, requiring confirmation via email or phone for logins from unfamiliar IP addresses or geographic regions.
4. Instant login alerts sent by email and SMS whenever an account is accessed from a new device.
"All 4 account security methods I have already suggested to XTB and I will be waiting for developments,” Samołyk commented on X.
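Two of the safeguards proposed above, a volume-spike monitor and new-device/new-location verification, can be expressed as a small stream-processing rule set over login and trade events. The following is an added example written for this article, not code from XTB or Inwestomat.eu; the `AccountMonitor` class, its thresholds (a 10-minute window, a burst of more than five times the account's monthly trade count, with a floor of 20) and the sample account profile and events are all constructed assumptions chosen to mirror the pattern described in the story, where an account that normally trades a few times a month suddenly fires hundreds of orders after a login from somewhere new.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AccountProfile:
    monthly_trades: int                      # baseline activity learned from history (assumed)
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


@dataclass
class Alert:
    account: str
    kind: str                                # "login" or "burst"
    detail: str


class AccountMonitor:
    """Assumed broker-side monitor: step-up on unfamiliar logins, hold on trade bursts."""

    def __init__(self, profiles, window=timedelta(minutes=10), burst_multiplier=5, burst_floor=20):
        self.profiles = profiles
        self.window = window
        self.burst_multiplier = burst_multiplier
        self.burst_floor = burst_floor
        self.recent = defaultdict(deque)     # account -> timestamps of trades inside the window
        self.flagged = set()                 # accounts already placed on hold (one alert each)
        self.alerts = []

    def on_login(self, account: str, device_id: str, country: str) -> str:
        """Return 'allow' for a known device and country, else 'step_up' and raise an alert."""
        p = self.profiles[account]
        reasons = []
        if device_id not in p.known_devices:
            reasons.append(f"new device {device_id}")
        if country not in p.known_countries:
            reasons.append(f"new country {country}")
        if reasons:
            # Email/SMS confirmation is required before the session may trade.
            self.alerts.append(Alert(account, "login", "; ".join(reasons)))
            return "step_up"
        return "allow"

    def on_trade(self, account: str, symbol: str, ts: datetime) -> str:
        """Return 'ok', or 'hold' the first time the sliding-window count exceeds the threshold."""
        p = self.profiles[account]
        q = self.recent[account]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop trades older than the window
            q.popleft()
        threshold = max(self.burst_floor, self.burst_multiplier * p.monthly_trades)
        if len(q) > threshold and account not in self.flagged:
            self.flagged.add(account)
            self.alerts.append(Alert(account, "burst", f"{len(q)} trades in {self.window} on {symbol}"))
            return "hold"
        return "ok"


def run_demo() -> dict:
    """Constructed scenario: a quiet account logs in from a new device and then trades in a burst."""
    profiles = {"ACC-1": AccountProfile(monthly_trades=3, known_devices={"dev-A"}, known_countries={"PL"})}
    mon = AccountMonitor(profiles)
    login_decision = mon.on_login("ACC-1", device_id="dev-Z", country="RO")
    t0 = datetime(2025, 7, 5, 9, 0, 0)
    first_hold = None
    for i in range(40):                      # 40 orders in 40 seconds on one illiquid symbol
        if mon.on_trade("ACC-1", "NANOCAP", t0 + timedelta(seconds=i)) == "hold" and first_hold is None:
            first_hold = i
    return {
        "login": login_decision,
        "first_hold_trade": first_hold,      # 0-based index of the trade that tripped the hold
        "burst_alerts": sum(1 for a in mon.alerts if a.kind == "burst"),
        "login_alerts": sum(1 for a in mon.alerts if a.kind == "login"),
    }


if __name__ == "__main__":
    print(run_demo())
```

With a baseline of three trades a month the threshold resolves to the floor of 20, so the hold fires on the twenty-first order inside the window and only once, while the login from an unknown device and country is already flagged for step-up confirmation before any order is placed. The baseline and window values here are placeholders; a production rule would be tuned per account from its own history and would also look at the instrument's liquidity, since the losses described in this case came from trading thinly traded securities.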
XTB has not indicated whether it will compensate affected customers or take additional steps to assist ongoing police investigations into the alleged hacking scheme.