In a chilling exposé that’s rattling the fintech corridors of Central Europe, Polish brokerage giant XTB finds itself at the center of a cybersecurity storm. A long-time client claims to have lost nearly 150,000 Polish zloty ($38,000) in what appears to be a calculated and highly technical account breach.

The alleged victim, a five-year XTB user, took to social media over the weekend with a detailed account of how his portfolio—once valued at nearly 200,000 zloty—was systematically drained. The method? Hundreds of rapid-fire trades on obscure, low-liquidity assets, including nano-cap stocks like Spruce Power. The trades were executed in such a way that the victim’s account consistently lost money, while a suspected second account profited from the other side of each transaction.

The client described the attack as a “programmed slaughter,” noting that even long-held securities and untouched ETFs were liquidated within minutes. Notably, the hacker didn’t attempt direct withdrawals—XTB restricts those to verified bank accounts—but instead exploited the trading mechanism itself.

When the client reached out to XTB’s support, he claims he was met with indifference: “I get calls like yours all day, every day. Nothing can be done.” His formal complaints were reportedly dismissed twice, with the broker citing its terms of service that place password security squarely on the customer.

The breach exposed a critical vulnerability: the client had not enabled two-factor authentication (2FA), a feature XTB introduced as optional in 2024. But the fallout was swift. Within hours of the viral post, XTB announced a sweeping security overhaul. Starting July 14, users will be able to activate Time-based One-Time Passwords (TOTP) via apps like Google Authenticator. By Q4 2025, 2FA will be mandatory for all new accounts.

Adam Dubiel, XTB’s Chief Product & Technology Officer, stated: “Security of XTB client funds is our highest priority.” The firm is also launching a campaign to educate users on cybersecurity best practices.

The scandal sent shockwaves through the Warsaw Stock Exchange, with XTB’s shares plunging over 6% on Monday before rebounding slightly the next day. Industry experts like Michał Masłowski of Poland’s Individual Investors Association stressed that 2FA should be non-negotiable: “Even small amounts require robust protection.”

Mateusz Samołyk, a financial blogger who helped amplify the case, urged XTB to implement real-time monitoring of suspicious activity and location-based login alerts. He claims to have submitted these recommendations directly to the broker.

The firm says it is investigating and encourages affected clients to use official complaint channels.

As the fintech world grapples with rising cyber threats, this incident serves as a stark reminder: in the digital age, security isn’t optional—it’s survival.

Founded in 2002, XTB has grown into a global fintech leader, offering trading in forex, commodities, indices, stocks, ETFs, and bonds across 13 countries. Headquartered in Warsaw, Poland, the firm serves over 1.36 million clients and employs more than 1,000 staff. It’s regulated by top-tier authorities including the FCA (UK), CySEC (Cyprus), and KNF (Poland). Listed on the Warsaw Stock Exchange since 2016, XTB reported PLN 1.87 billion ($445 million) in revenue for 2024.

The company has built its reputation on proprietary technology like xStation, celebrity ambassadors including Zlatan Ibrahimović and José Mourinho, and a commitment to investor education and transparency.

This content is for informational purposes only and does not constitute financial, investment, or other professional advice. It should not be considered a recommendation to buy or sell any securities or financial instruments. All investments involve risk, including the potential loss of principal. Past performance is not indicative of future results. You should conduct your own research and consult with a qualified financial advisor before making any investment decisions.
Some portions of this content may have been generated or assisted by artificial intelligence (AI) tools and been reviewed for accuracy and quality by our editorial team.