XTB mandates 2FA after a client claims hackers drained $38K through suspicious trades; broker pledges stronger security.
XTB tightens security and makes 2FA mandatory after a client alleges hackers drained 75% of his account in suspicious trades.
Key Points:
XTB has announced sweeping new security measures, including mandatory two-factor authentication (2FA), following a client’s claim that a sophisticated hack wiped out 75% of his trading account, a loss estimated at around 150,000 Polish zloty ($38,000).
The controversy erupted over the weekend when the long-time client shared detailed allegations on social media, describing how hackers reportedly gained access to his account and drained it through hundreds of suspicious transactions. According to the victim, the perpetrators executed rapid-fire trades on low-liquidity stocks, including obscure nano-cap companies like Spruce Power, systematically siphoning off funds without ever making direct withdrawals.
“Everything was sold in minutes: even long-held stocks, ETFs, securities that hadn’t been touched for years,” the trader wrote, describing the attack as a “programmed slaughter.”
Screenshots provided by the victim showed an alarming number of unusual buy-sell orders. By exploiting the low liquidity of certain instruments, the alleged hacker’s separate account could profit from the trades executed in the victim’s account, an attack method that’s hard to trace and challenging to reverse.
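The mechanism the victim describes (liquidate everything, then churn the cash through thin instruments so a second account can take the other side of each fill) leaves a recognisable footprint in a broker's order log even though no withdrawal ever happens. The following is an added example of detection logic for that pattern, not code from the article or from XTB: it flags an account that fires a burst of orders, pairs its opposite-side orders in illiquid symbols with another account's orders placed seconds later, and names the likely counterparty. The order-log format, the thresholds, the accounts ACC-A/ACC-B/ACC-C and the ticker THINCO are all assumptions, and the log lines are constructed.

```python
"""Heuristic detector for the cross-account 'value transfer' pattern described
above. Added example, not XTB's code. The order-log format, the thresholds, the
account names and the ticker THINCO are all assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)   # assumed: many orders inside 60 s is a burst
BURST_MIN_ORDERS = 5                   # assumed: 5+ orders in the window
ILLIQUID_RATIO = 0.05                  # assumed: one order > 5% of ADV means a thin stock
CROSS_WINDOW = timedelta(seconds=5)    # assumed: opposite-side orders this close are paired

# Constructed sample log (not real data): ts account side symbol qty price adv(30-day)
SAMPLE_LOG = """\
2025-07-12T09:30:01 ACC-A SELL VWCE   40    120.10 850000
2025-07-12T09:30:02 ACC-A SELL AAPL   15    210.55 55000000
2025-07-12T09:30:03 ACC-A SELL MSFT   10    450.20 22000000
2025-07-12T09:30:05 ACC-A BUY  THINCO 5000  4.90   20000
2025-07-12T09:30:06 ACC-B SELL THINCO 5000  4.90   20000
2025-07-12T09:30:20 ACC-A SELL THINCO 5000  3.10   20000
2025-07-12T09:30:21 ACC-B BUY  THINCO 5000  3.10   20000
2025-07-12T09:30:40 ACC-A BUY  THINCO 4000  4.95   20000
2025-07-12T09:30:41 ACC-B SELL THINCO 4000  4.95   20000
2025-07-12T11:15:00 ACC-C BUY  AAPL   5     211.00 55000000
"""


def parse_orders(text):
    """Parse whitespace-separated log lines into dicts, sorted by timestamp."""
    orders = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, side, symbol, qty, price, adv = line.split()
        orders.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "side": side, "symbol": symbol, "qty": int(qty),
                       "price": float(price), "adv": int(adv)})
    orders.sort(key=lambda o: o["ts"])
    return orders


def is_illiquid(order):
    """A single order that is a large share of average daily volume moves the price."""
    return order["adv"] == 0 or order["qty"] > ILLIQUID_RATIO * order["adv"]


def find_bursts(orders):
    """Sliding window per account; returns {account: max orders seen in one window}."""
    stamps_by_account = defaultdict(list)
    for o in orders:
        stamps_by_account[o["account"]].append(o["ts"])
    flagged = {}
    for account, stamps in stamps_by_account.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BURST_MIN_ORDERS and count > flagged.get(account, 0):
                flagged[account] = count
    return flagged


def find_cross_trades(orders):
    """Pair opposite-side orders in the same thin symbol from different accounts
    that land within CROSS_WINDOW of each other."""
    by_symbol = defaultdict(list)
    for o in orders:
        if is_illiquid(o):
            by_symbol[o["symbol"]].append(o)   # orders are already time-sorted
    pairs = []
    for symbol, group in by_symbol.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b["ts"] - a["ts"] > CROSS_WINDOW:
                    break
                if a["account"] != b["account"] and a["side"] != b["side"]:
                    pairs.append({"symbol": symbol, "ts": a["ts"].isoformat(),
                                  "accounts": (a["account"], b["account"])})
    return pairs


def analyze(log_text):
    """Combine both signals: a bursting account that also appears in cross trades
    is the likely victim; the other side of those trades is the likely beneficiary."""
    orders = parse_orders(log_text)
    bursts = find_bursts(orders)
    cross = find_cross_trades(orders)
    suspects = sorted(a for a in bursts if any(a in p["accounts"] for p in cross))
    counterparties = sorted({acct for p in cross for acct in p["accounts"]
                             if any(s in p["accounts"] for s in suspects)} - set(suspects))
    return {"bursts": bursts, "cross_trades": cross,
            "suspect_accounts": suspects, "counterparties": counterparties}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed log, ACC-A is flagged for six orders inside one minute and for three paired THINCO fills against ACC-B, which is reported as the counterparty; ACC-C's single AAPL order in a liquid name is ignored. The burst threshold alone would also fire on a legitimate portfolio rebalance, which is why the cross-trade pairing on thin instruments is what turns it into a fraud signal rather than a noisy alert.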
The incident has raised questions about whether the broker’s existing safeguards are sufficient and what responsibility brokers have when clients fail to activate optional security features.
XTB confirmed the client did not have 2FA enabled, despite the feature being available since September 2024. However, the broker moved quickly to make significant changes once the allegations gained traction across local investor forums and Polish media.
“Security of XTB client funds is our highest priority,” said Adam Dubiel, Chief Product & Technology Officer at XTB. “We have taken action in three areas: improving our 2FA methods, making 2FA mandatory for all users, and ramping up security education for clients.”
Effective July 14, XTB users can now switch from SMS codes to Time-based One-Time Passwords (TOTP) using apps like Google Authenticator. By the fourth quarter of 2025, all new accounts must have 2FA enabled by default, and the firm will begin rolling out mandatory 2FA for existing customers this month.
The alleged victim claims that when he first contacted XTB’s customer support, they responded indifferently, telling him, “I get calls like yours all day, every day. Nothing can be done.”
XTB has not confirmed if other clients reported similar breaches, although the victim claims the same scheme may have targeted multiple investors. The client says XTB rejected his complaints twice, citing its terms of service, which place most password security responsibility on the user.
The incident rattled investors as XTB’s stock (WSE: XTB) fell more than 6%, its sharpest single-day drop this year. The stock partially recovered, rebounding by nearly 3% to around 72 złoty.
The case has reignited debate over whether stronger security should be mandatory rather than optional. Michał Masłowski, Vice President of Poland’s Individual Investors Association, stressed that robust account security is a shared duty.
“Such ‘details’ as 2FA, double authentication using either SMS passwords or one-time passwords from applications like Google Authenticator, are simply mandatory when logging into any accounts where we have even small amounts,” Masłowski said.
Mateusz Samołyk, founder of Inwestomat.eu, who helped spotlight the client’s case, called on XTB to implement additional safeguards, including:
“All four security measures I’ve already suggested to XTB, and I’ll be watching closely for their implementation,” Samołyk said.
XTB highlighted the broader cybersecurity risks facing financial firms, noting that Poland alone recorded over 103,000 unique cyber incidents in 2024, up nearly 30% year-over-year.
“As a leader in the investment industry, we are fully aware that cybersecurity issues are among the greatest challenges in today’s financial world and affect the entire sector,” XTB said in a statement. “As for the online post, we are verifying the information presented. We remind our clients that official complaint procedures are available and every case is analyzed individually.”
So far, XTB has not indicated whether it will compensate affected clients or provide further support for any police investigations into the alleged hacking scheme.