XTB mandates 2FA after a client claims a $38K loss in an alleged hack involving rapid trades on low-liquidity financial assets.
XTB mandates 2FA after a client claims a $38K loss in an alleged hack involving rapid trades on low-liquidity financial assets.
XTB mandates 2FA after client alleges $38K hack via suspicious trades; broker boosts security amid rising fintech threats.
XTB is tightening its security framework and rolling out mandatory two-factor authentication (2FA) after a client reported losing over 150,000 Polish zloty (approximately $38,000) in a suspected account breach that has raised questions about the platform’s protections and oversight.
A long-time XTB customer sparked controversy by publicly detailing an alleged hack in a viral post, claiming hundreds of suspicious trades on low-liquidity financial instruments, including obscure U.S. nano-cap stocks, emptied his account. Furthermore, the trader, whose account had reportedly reached nearly 200,000 zł, said over 75% of his portfolio vanished in what he described as a “programmed slaughter.”
The user wrote that hackers sold everything within minutes, including long-held stocks and untouched ETFs from previous years.
Unlike direct withdrawals, which XTB restricts to verified bank accounts, the attacker reportedly used paired buy-sell transactions across low-volume securities, allowing another account, allegedly controlled by the hacker, to profit from the victim’s consistent losses.
The post, which quickly gained traction across Polish and Central European investor forums, prompted other users to share similar stories. One Romanian trader described an almost identical pattern dating back to April. Though unverified, these claims have led to growing calls for transparency and reform.
When the victim contacted XTB support, he claims the response was dismissive: “I get calls like yours all day, every day. Nothing can be done.” The company reportedly rejected his complaint twice, citing its terms of service and placing password responsibility on the user.
Within hours of the social media firestorm, XTB announced major changes to its security architecture. The broker will now make 2FA mandatory for all users, with Time-based One-Time Password (TOTP) support, via apps like Google Authenticator, replacing the older SMS-based system. Rollout begins July 14, with enforcement for new users expected by Q4 2025.
“Security of XTB client funds is our highest priority,” said Adam Dubiel, XTB’s Chief Product & Technology Officer. “We are improving 2FA methods, making them mandatory, and increasing our focus on client education.”
According to the company, fewer than 10% of users had voluntarily enabled 2FA prior to this incident.
XTB’s stock (WSE: XTB) reflected investor unease, dropping over 6%, its worst single-day performance this year. However, shares rebounded by nearly 3% the following day.
Cybersecurity professionals and industry experts have weighed in, urging more stringent safeguards across all online financial platforms. Michał Masłowski, Vice President of the Polish Individual Investors Association, emphasized that 2FA is a basic necessity, not a luxury.
“Double authentication is simply mandatory when accessing any investment account,” Masłowski said.
Mateusz Samołyk, founder of financial blog Inwestomat.eu and one of the individuals who helped publicize the case, outlined several recommendations to XTB, including:
“All four of these methods were suggested to XTB,” Samołyk said on X (formerly Twitter). “I’ll be watching the follow-through.”
XTB confirmed it is investigating the client’s complaint and reviewing online forum posts, but the broker has not committed to compensating victims or revealed how many users the incident may have affected. In a statement, XTB highlighted the broader rise in cyber threats, citing over 103,000 unique security incidents reported in Poland last year, a 29% year-over-year increase.
So, the company said it analyzes each case individually based on applicable laws and its internal procedures.
As of publication, the client has not shared contact information for others allegedly affected, though several have come forward on social media.
Whether the incident proves to be an isolated breach or the tip of a larger systemic issue, one thing is clear: investor expectations around digital security are evolving and fast. XTB, like many fintech platforms, is under pressure to respond accordingly.
XTB is a globally famous online brokerage and trading firm. Established in 2002, it became a premier retail Forex and CFD services provider. Operating across numerous countries, XTB is subject to regulation by esteemed financial authorities such as the Financial Conduct Authority (FCA) in the UK and the Polish Financial Supervision Authority (KNF) in Poland. Renowned for its reliability, XTB offers exceptional customer support, an extensive range of forex and CFD options, and an exemplary trading environment.
Discover more in our Complete Review.
275 New North Road Islington London, N1 7AA
402, Block D2 Block D 2 Phase 1 Johar Town, (Operations HQ)
353 Lexington Avenue 4th Floor Suite 400
Tkalska street 1, 1000 Ljubljana, (Registered office)
Copyright © 2025. Shares Brokers Reviews. All Right Reserved.
