An XTB account was hacked and emptied while the client was on the phone with a consultant, who blocked access only after several minutes of the call had passed, by which time the losses had grown by approximately PLN 80,000. This is the story of Marek from Silesia. XTB admits fault, but only for the way the customer-service call was ended: the consultant hung up because his working hours were over.
Since the disclosure of the attacks on XTB customer accounts, Bankier.pl has been receiving a growing number of reports from affected investors. What they all have in common is the lack of two-factor authentication (2FA). In a July commentary on the high-profile account hack, XTB itself provided statistics: only “slightly over 10% of customers” used the additional security measure.
Was that a shot in the foot, given that it revealed how large the criminals' pool of potential targets is? Our editorial team has verified information about hacks on July 11, July 17, and July 18, among others, following media reports about Mr. Łukasz, who reportedly lost approximately PLN 150,000, and XTB's commentary with the aforementioned statistics.
Attacks on XTB clients are not on a mass scale
When asked whether, after this statement, the number of hacker attacks had increased compared to what was observed before July 2025, XTB did not answer directly, citing the overall growing statistics of cybersecurity incidents in the financial industry (according to CERT data, in 2024 it was a 29% increase year-on-year).
“The threat affects most institutions to a similar extent, which is why we strongly deny the information about the mass scale of this phenomenon at XTB,” the company said in a comment for Bankier.pl, also responding to the question whether the series of attacks could be an organized campaign aimed at damaging the company’s image.
Observers find it difficult to estimate the scale, as XTB doesn't provide specific figures. It's known that those affected are forming groups on social media and instant messaging apps to collectively consider what to do next. There are also those, like Marek, whose case I'll discuss in a moment, who aren't in any of them.
“We have a group of 16 people from Poland and several from the Czech Republic, Hungary, and Romania,” says Wojtek, who reportedly lost 25,000 PLN. “People have lost a lot of money, many over 100,000 PLN. No one will let this go,” he continues, adding that the total losses are already in the millions, and more people are joining his group.
“It would be most beneficial to apprehend the perpetrators of these actions, as the injured parties could pursue their claims through criminal proceedings. However, given the professional nature of the crimes being committed, this seems unlikely. Victims who believe their funds and assets were not adequately protected can also seek compensation from the brokerage house,” says attorney Wojciech Kaczmarczyk, who runs a law firm specializing in disputes with financial institutions, commenting on the situation with the hacking of DM XTB clients' accounts.
“First and foremost, it is advisable to file a complaint, although the response will likely be negative. A well-prepared complaint will not only allow you to understand XTB's arguments, but will also provide the basis for charging interest on lost funds in the future and for using a wider range of legal instruments in a potential dispute. If, in the client's opinion, the brokerage house did not protect their account sufficiently, the next step is to file a lawsuit or request arbitration proceedings before the Financial Ombudsman,” he adds.
“The choice should depend on the specific situation and the injured party's expectations. Unfortunately, these types of disputes are very complex, requiring knowledge of numerous regulations and an understanding of the financial market. Therefore, it is worth seeking the assistance of an attorney with expertise in financial law and experience in disputes with financial institutions from the very beginning. I have often encountered situations where unprofessional actions, for example in the complaint procedure, negatively impacted the subsequent court proceedings. It is also worth bearing in mind that the court, applying bank account regulations, may consider a two-year statute of limitations for such claims. Therefore, I advise you not to delay,” he concludes.
A million customers and billions of zlotys of profits
Out of approximately 1.5 million XTB clients worldwide, including over 0.5 million in Poland, a dozen, several dozen or even over a hundred hacking cases constitute a fraction of a per mille, but it still damages the image of the broker, which is dynamically expanding its client base, hoping that some of them will start using contracts for difference (CFDs), on which the company earns the most (over 70% of investors trading CFDs report losses).
The company, however, not only opens the gates to capital market investments for Poles, but also educates its clients, provides quality analyses and commentary, expands its offer with new solutions (e.g. fractional shares, investment plans, eWallet for currency exchange) and supports the young people who won the team competition at the International Economic Olympiad in Greece last year.
Setting the pace for brokerage competition for clients, XTB invests heavily in marketing. Sponsorships for popular YouTube channels (e.g., Channel Zero), sporting events (e.g., KSW), large billboard campaigns, prime-time television ads, and contracts with sports stars like Zlatan Ibrahimović, Tyson Fury, and previously Jose Mourinho, among others, cost the company a fortune, but they pay off handsomely.
In 2024, the XTB Group already allocated PLN 345 million to marketing activities, following a 30.6% year-on-year increase. In the coming years, spending in this area is expected to grow by as much as 80% annually. Despite marketing costs, which number in the hundreds of millions of zlotys, XTB generated nearly PLN 860 million in net profit last year. It earned just over PLN 790 million in 2023. Over the past three years, this totaled over PLN 2.4 billion.
Security spending grew faster than marketing
So how much does XTB spend on security? It doesn't categorize such costs in its financial reports, so we don't know the nominal amounts. The company informed us that its security department budget increased by 48% last year, a faster increase than that of its marketing expenses.
“These investments are directly related to the purchase of software, security services, and the employment of specialists. Furthermore, we invest in security by building and developing a culture of security at all stages of software development. This is handled by a specially trained group of engineers who work daily in teams developing every product at XTB,” XTB comments.
“We monitor and audit our security systems, so we can confidently state that their integrity has not been compromised,” XTB informs, referring to the recent account hacks.
I described the cybercriminals' modus operandi in the article “Thousands of Transactions and Huge Losses.” In short, it involved taking over an account, changing its notification settings, selling open positions, and using the acquired capital to buy illiquid companies from other exchanges, thus siphoning off the funds. The value of the compromised account quickly dwindled, also due to XTB's 0.5% currency conversion fee and a brokerage fee (0.2% with a minimum of €10) if the trading volume exceeded the monthly limit (equivalent to €100,000) for commission-free transactions.
“Thieves who take over accounts use login details (login and password) most often from one of two sources: stolen directly from a user's computer infected with malware or from leaks from various websites. In both cases, thieves check whether the login details match different websites. The latter method is effective if customers use the same passwords on multiple websites. In both cases, having 2FA protection protects against unauthorized access to the account,” emphasizes XTB.
According to the broker, one of the security investments is the services of companies from the Cyber Threat Intelligence (CTI) sector. They search the so-called “darknet” for information about sets of login credentials offered by thieves to various services. The XTB Security Department monitors the information sent by CTI and checks whether XTB customer accounts are at risk, according to a response to our questions.
“Data leaks come from many sources: website leaks (which is why using a unique password is so important), and they are also obtained by malware (viruses, browser plug-ins) that infect customer computers. With this information, we warn customers about the potential threat and notify them to change their passwords,” XTB reports.
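As an added illustration of the takeover pattern and the 2FA point described above (example code written for this article, not XTB's systems or a description of how its monitoring works), the following Python sketch scores a constructed stream of account events against that sequence and estimates how the fees the article names erode a churned account. Event kinds, instrument and venue names, thresholds and the event stream itself are assumptions constructed for the example.

```python
"""Flag the account-takeover sequence described in the article on a
constructed event stream (added example, not XTB code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str            # assumed kinds: login, notif_change, close, buy, fx
    instrument: str = ""
    venue: str = ""      # exchange the instrument trades on (constructed names)
    value_eur: float = 0.0
    new_device: bool = False


@dataclass
class Profile:
    account_id: str
    two_fa_enabled: bool
    home_venues: set       # venues the client has traded on before
    held_instruments: set  # positions open before the suspicious window


WINDOW = timedelta(minutes=30)  # assumed correlation window

# Fees named in the article: 0.5% per currency conversion and 0.2%
# (min EUR 10) per trade once the EUR 100k monthly free limit is used up.
FX_FEE, COMMISSION, COMMISSION_MIN_EUR, FREE_MONTHLY_LIMIT_EUR = 0.005, 0.002, 10.0, 100_000.0


def risk_score(events, profile):
    """Return (score, reasons) for the pattern: login -> notification settings
    changed -> long-held positions sold -> proceeds spent on unfamiliar
    instruments on other exchanges. Weights are assumptions."""
    events = sorted(events, key=lambda e: e.ts)
    score, reasons = 0, []
    if not profile.two_fa_enabled:          # the factor every victim lacked
        score += 2
        reasons.append("2FA not enabled")
    for e in events:
        if e.kind == "login" and e.new_device:
            score += 1
            reasons.append(f"login from new device at {e.ts:%H:%M}")
    for trig in (e for e in events if e.kind == "notif_change"):
        window = [e for e in events if trig.ts <= e.ts <= trig.ts + WINDOW]
        closes = {e.instrument for e in window if e.kind == "close"} & profile.held_instruments
        odd_buys = [e for e in window if e.kind == "buy"
                    and e.instrument not in profile.held_instruments
                    and e.venue not in profile.home_venues]
        fx = [e for e in window if e.kind == "fx"]
        if len(closes) >= 3:
            score += 3
            reasons.append(f"{len(closes)} long-held positions closed within {WINDOW} of a notification change")
        if odd_buys:
            score += 3
            reasons.append(f"{len(odd_buys)} buys of unfamiliar instruments on {sorted({b.venue for b in odd_buys})}")
        if fx and odd_buys:
            score += 1
            reasons.append("currency conversions funding the unfamiliar buys")
    return score, reasons


def should_block(score, threshold=7):
    """Assumed threshold at which a hotline or monitor should freeze trading first."""
    return score >= threshold


def trading_costs(trades_eur, fx_eur, month_volume_before_eur=0.0):
    """Fees drained by churning: whole trades are charged once cumulative
    monthly volume has passed the free limit (simplification of the limit)."""
    cost = FX_FEE * sum(fx_eur)
    volume = month_volume_before_eur
    for t in trades_eur:
        if volume >= FREE_MONTHLY_LIMIT_EUR:
            cost += max(COMMISSION * t, COMMISSION_MIN_EUR)
        volume += t
    return round(cost, 2)


# Constructed sample data (not a real account).
T0 = datetime(2025, 3, 7, 16, 0)
PROFILE = Profile("ACC-demo", two_fa_enabled=False, home_venues={"WSE"},
                  held_instruments={"ORLEN", "RAINBOW", "BANK-A", "MINER-B"})
TAKEOVER = [
    Event(T0, "login", new_device=True),
    Event(T0 + timedelta(minutes=1), "notif_change"),
    Event(T0 + timedelta(minutes=3), "close", "ORLEN", "WSE", 60_000),
    Event(T0 + timedelta(minutes=4), "close", "BANK-A", "WSE", 20_000),
    Event(T0 + timedelta(minutes=5), "close", "MINER-B", "WSE", 15_000),
    Event(T0 + timedelta(minutes=6), "fx", value_eur=90_000),
    Event(T0 + timedelta(minutes=8), "buy", "ILLIQUID-1", "OTHER-EX", 45_000),
    Event(T0 + timedelta(minutes=9), "buy", "ILLIQUID-2", "OTHER-EX", 45_000),
]
NORMAL = [Event(T0, "login"), Event(T0 + timedelta(minutes=2), "close", "BANK-A", "WSE", 5_000),
          Event(T0 + timedelta(minutes=4), "buy", "ORLEN", "WSE", 5_000)]

if __name__ == "__main__":
    for name, stream in (("takeover", TAKEOVER), ("normal", NORMAL)):
        s, why = risk_score(stream, PROFILE)
        print(name, s, should_block(s), why)
    print("fees on churn:", trading_costs([50_000, 60_000, 20_000], [30_000]))
```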
Customer service needs improvement?
Mr. Marcin received such a warning in July. It stated: “We have been informed that some of our customers' data stored in their web browser cache may have been publicly exposed online. We would like to emphasize that our security systems have not been breached, and this situation is most likely the result of a malware infection on your personal computer or mobile device.” The message then outlined possible next steps, including enabling 2FA.
Unfortunately, Mr. Marcin didn't have time to read the message, which arrived after 5:10 PM, by which point the first unauthorized transactions had already been made on his account. When he logged in before 7:00 PM, he saw flashing messages about transactions being closed. After connecting with a hotline consultant, he placed an order to block the account, thus interrupting the intruder's further actions.
In an interview with the editor, he emphasizes his dissatisfaction with the customer service, as he was first offered a complaint, when the priority should have been securing his account against further losses as quickly as possible. He also complains about the password change process. “An average person like me can't change their password in the app that easily, because there's no such function. Even the XTB employee who spent 10 minutes with me on the hotline was very surprised,” he says.
“If XTB knew about such things, about hacking into customer accounts, I don't understand why they didn't automatically enable two-factor login (2FA, editor's note) as mandatory?” – Mr. Marcin also wonders.
Besides the lack of 2FA, which all the victims I spoke with share, there's at least one more thing they have in common: they didn't know it could be enabled. Until now, two-factor authentication wasn't mandatory at XTB (except for eWallet accounts). It is now: the company introduced the requirement on July 25th, following the high-profile hacks of customer accounts.
XTB ran an email campaign in July of this year informing about 2FA, but as some of the broker's clients describe, they don't regularly read emails; they're busy with daily duties and work. In extreme cases, the message simply ended up in spam and wasn't read by the recipient in a timely manner. Not everyone reads industry media and social media sites like X or Facebook, where the topic was widely covered and commented on, with recommendations to enable protection as soon as possible.
The effectiveness of XTB's previous efforts to raise awareness of the new security feature for their funds remains a separate issue. The additional user authentication method (2FA) was enabled in August 2024. Although XTB claims to have communicated extensively on this topic, including emails to its customers, none of the affected individuals I spoke with had seen messages reading: “Two-factor authentication (2FA) is now available at XTB. Find out how to further secure your account.”
Some XTB clients received such a direct message in 2024. How many? The company didn't provide a precise answer when I asked how many of the 280,000 accounts registered with the National Depository for Securities (KDPW) in August 2024 were handled this way. XTB did provide direct information about 2FA in 2024, but it was part of a message about changes to its regulations, and the information was in an attachment, which nobody usually reads (unfortunately).
Attachment to the information on changes to the XTB regulations from August 2024.
Further implementations related to cybersecurity
“The ability to enable two-factor authentication has been available at XTB since August 2024. Since then, we have regularly informed all our clients about this functionality, in the same way we communicate key new product launches. Information about 2FA was distributed through many different channels, including mass mailings, push messages, and pop-ups in the mobile app in the “Recommended” window in the “Discover” tab. Since the beginning of the year, we have been conducting ongoing educational activities aimed at customers, recommending that they enable 2FA and informing them about various threats and protection methods. We provide this information, among other things, in mailings, as well as on our social media channels and on the website https://edukacja.xtb.com/bezpieczenstwo-w-sieci,” XTB responded to several questions in this area.
“This year's product plans include numerous security initiatives that required not only changes to IT systems but also signing contracts with new providers (e.g., SMS sending services). As a result, in July we significantly simplified the process of enabling 2FA (without logging out of the app), added a second authentication factor, TOTP, and have now begun the process of mandatory enabling 2FA for users,” the company added.
“In the near future, we are planning further implementations related to cybersecurity, including enabling 2FA for every new user, sending notifications about logging in from new devices, simplifying the password change process and the ability to block an investment account directly in the mobile application,” XTB announced in a comment for Bankier.pl.
In July, a post by Łukasz, who recounted his story on Wykop, focused attention on XTB, which took specific action (emails to customers about enabling 2FA) and informed them about further actions (mandatory 2FA). However, the hack that sparked the media attention took place in May of this year. Meanwhile, two customers contacted Bankier.pl about thefts following the same pattern in March of this year.
I stand and watch as they rob me
We decided to describe one of these cases, not because of the scale of the losses, which amounted to approximately PLN 150,000, but because of the customer service, which, as mentioned earlier, Mr. Marcin also complained about in July and which, according to our interlocutor, contributed to a significant increase in the losses.
An XTB client, 55-year-old Marek from Silesia, contacted the broker's hotline on March 7th, reporting that his portfolio contained companies he had never purchased, and that the portfolio's value had dropped by tens of thousands of zlotys. The client was verified, and a consultant was able to view his account. Marek reported that he was not responsible for the current portfolio composition. A discussion ensued regarding account activity and password information, which revealed that the client had not shared his login details with anyone. “I did not transmit any orders,” Marek repeated in the recording I listened to.
As in the case described by Mr. Marcin, the consultant's first suggestion is to file a complaint, even though it's clear that we're likely dealing with a critical security breach. “I see what I see,” says the XTB consultant, directing the client to the so-called investor room, where they can file a complaint. “I don't know what to do now,” says Mr. Marek, after which the consultant encourages them to file a complaint again and, for the first time, to “change their password, just in case.” The conversation has now lasted over five minutes.
A few dozen seconds later, the client notices pop-up notifications on the trading platform. “Position closed,” “Position modified,” “Buy, sell,” informs Marek. “I can see it, it's displayed,” the robbed client says with alarm into the phone. “Are you closing your positions now?” the consultant asks. “Absolutely not!” the clearly irritated client shouts. “I'm standing there watching this,” he adds.
The response is an encouragement to change the password as soon as possible. “If you're not the one closing it, then I see someone's using your account.” More encouragements to change the password and file a complaint appear. Mr. Marek mentions blocking the actions of a hacker who is constantly making transactions.
The consultant asks if Mr. Marek has changed his password, although the conversation doesn't indicate he's attempted to do so. “I don't know how to do that,” the client informs. “Something strange is happening; funds have disappeared from your account, and many items have been closed,” the consultant says, and then returns with an “encouragement” to change his password. Mr. Marek's reminder that he doesn't know how to do this prompts the consultant to instruct him on the next steps. The conversation reaches 11 minutes.
Mr. Marek is having difficulty because he doesn't see the option the consultant is offering, so the consultant sends him a link to reset his password. The conversation reveals that the email containing the link was sent to his email address, but attempting to use it is hampered by messages displayed in English after clicking, which the client doesn't understand. Meanwhile, he's told again to block the account because he's “over 100,000 PLN in debt.”
The consultant then guides the client once again to change their password, starting from the xtb.pl website, while in the meantime informing them that they will lock their account. The call has been going on for 15 minutes. The entire attempt to stop the thief lasts several minutes, with losses increasing by approximately 80,000 PLN, as Mr. Marek described in a subsequent written complaint. The consultant finally states: “I've locked your account so that you can't withdraw your money or continue trading if necessary.” The recorded call now lasts over 17 minutes and 50 seconds. During this time, Mr. Marek also changed his password.
The next part of the situation unfolds as follows: the consultant informs the customer that they can file a complaint about the entire situation, but he himself cannot provide further assistance because “his office hours have ended.” He has to hang up and instructs the customer to call the hotline again to discuss the complaint.
“Unfortunately, I have to hang up here because it's after my working hours. If you're interested, you can call the hotline again and hear from the consultant how to file a complaint,” said an XTB consultant to a client who had just lost around PLN 150,000.
The client connects with a new consultant, undergoes verification, and explains the entire situation. The new consultant understands what happened, advises how to provide XTB with the so-called “logs” from the client's platform (it turns out they originate from Sweden), and states that their account is blocked until the complaint is verified. The submitted complaint is rejected by XTB after a few days.
XTB apologizes for the ended conversation
In response, the broker refers to the regulations according to which the client is fully liable for all transaction orders placed via the account, which were placed using the client's login and password.
“I disagree with your opinion and am filing an appeal regarding my complaint. I believe that much of the blame lies with you. As I wrote earlier, as soon as I noticed the movements on my account, I called you. If the employee had reacted immediately and blocked my account, there would not have been such a large loss. From the beginning of the entire incident to the moment the account was blocked, more than 10 minutes passed, and during that time, my losses significantly increased by approximately 80,000 (zloty, editor's note). If there had been an immediate reaction, the situation would have been much better,” Marek replied to the broker.
XTB rejected the appeal, stating that the client's conversations with the consultant had been reviewed several times, but that no basis for accepting the complaint was found. Mr. Marek reported the account hack, which resulted in the funds being withdrawn, to the police. He reported the matter to the prosecutor's office. The client also reported the incident to the Polish Financial Supervision Authority (KNF).
“I change my password every week. I immediately set up authentication (2FA, ed.)” – explains Mr. Marek. “I didn't expect to be cut by 150,000 złoty,” he sighs, explaining that he's not an active investor. He buys companies for the long term. “I bought Rainbow Tours shares at around 40 złoty, today they're around 130 złoty, but I still wouldn't sell them because the Pekao recommendation is 210 złoty. So maybe I'd consider 180 złoty,” he says, revealing that he follows market news.
He says he has time for this because he's currently a pensioner, but, as he adds, “this pension amounts to next to nothing.” He relies on his accumulated capital, however. “I had my own business for 30 years. I made decent money,” he says with satisfaction.
He'd been holding Orlen in his portfolio for three years. Several thousand shares. All sold by the thief in March at 63 złoty per share. Today, they're worth around 83 złoty, a 30% increase. He explains that the 150,000 złoty loss on his XTB account could be supplemented by lost profits, which he estimates at another tens of thousands of złoty. He's not devastated. “150,000 złoty, I could buy a car and still have a lot left over,” he says, reducing the loss to mundane matters.
However, Mr. Marek's case raises a number of questions for XTB: how consultants are trained to handle customer reports of a suspected account takeover, what procedures apply when a cyberattack is suspected, and specifically why it took so long to block the account after his report.
My editorial colleague Wojciech Boczoń, who specializes in bank-customer relations, says that in their case, the response is to immediately freeze the account after reporting this type of critical incident. Of course, XTB isn't a bank, but the security of funds is also a priority there. Is freezing the account nearly 20 minutes after reporting unauthorized transactions an immediate response? The question of paying consultants for overtime also seems justified.
XTB on Mr. Marek's situation
“All Customer Support employees are trained in what to do if they suspect unauthorized account access. This training is conducted based on new scenarios as cybercriminals' operating mechanisms evolve, sometimes literally within weeks. When a hotline employee suspects unauthorized access to a customer's account, they implement procedures that prioritize the report, quickly attempt to secure the account, and inform them of possible escalation, whether in the form of a complaint or a police report.
In the case cited, the employee took steps to secure access to the account, including providing a password change link and additionally taking steps to block the account. The response time involved not only attempting to resolve the situation collaboratively with the customer, but also providing technical support.
It's important to remember that these types of situations are dynamic, and while a customer is on the line, employees often work in multiple areas simultaneously, which may not be entirely apparent from the customer's perspective. Blocking an investment account isn't always possible immediately, as it requires customer verification (to ensure the person calling is the account holder) and an assessment of the current situation. It's important to remember that blocking an account is temporary, usually for the duration of a specific conversation with a consultant and until the password is successfully changed to a new, unique, and more secure one.
The complaints procedure and account blocking are two independent processes, and it is not true that an account must be blocked until the statutory 30-day complaint review period. However, it is true that hotline employees cannot recommend or suggest further action to the customer regarding any items currently open in their account. Regarding the manner in which the conversation with the customer was ended in this particular case, we agree that it was inappropriate. We sincerely apologize for the situation.”
“XTB’s procedures appear to have failed”
I asked attorney Wojciech Kaczmarczyk, who runs a law firm specializing in disputes with financial institutions, to assess Mr. Marek's situation. He represented a plaintiff who last year obtained an unprecedented final judgment against a bank in a cyberfraud case; the court sided with the injured party. Kaczmarczyk is also a faculty member at the University of Economics in Katowice and the author of academic articles.
The lawyer on Mr. Marek's situation
The activities of a licensed brokerage house are subject to highly complex regulations. It is a professional entity obligated to protect its clients' funds and assets. First, deposited funds are subject to significant bank account regulations, and therefore enjoy extensive protection.
Secondly, a brokerage house is obligated to implement organizational solutions that minimize the risk of losing client funds. Therefore, the brokerage house's potential liability is not limited to handling the client's telephone notification. However, judging by the reported course of the hotline conversation, it appears that XTB's procedures failed. Without a doubt, immediate blocking of the client's account would have mitigated the risk of further loss of funds.
The brokerage house is responsible for the security of funds from the moment they are deposited. It is its duty to ensure the security of funds at all times, not just upon receiving information about their threat. Therefore, clients can file claims for compensation both for funds lost after reporting the breach and for funds lost beforehand. Unfortunately, such disputes with financial institutions almost always end up in court.
Assessing the chances of a positive verdict always requires a thorough analysis of the case. Undoubtedly, in the case of funds lost after a complaint was filed, the prognosis will be better, but no honest attorney can guarantee their recovery. The actions of a brokerage firm and its client will be assessed by the court using different rules. A brokerage firm should act professionally and with exceptional diligence. In the case of a client, however, it will be sufficient that there was no fault or gross negligence on their part.
Therefore, the key issue is whether the login details were obtained completely independently of the client (e.g., a data leak from the institution). Otherwise, the manner in which this occurred is crucial. For example, if the client had provided all the necessary data themselves, this would likely exclude the brokerage house's liability. However, if the data were obtained from the client's device in a professional manner that the client was unable to prevent, it is still possible to attribute liability to the financial institution. In this case, the court will certainly also assess the lack of mandatory two-factor authentication, especially since such a solution was available. These are complex disputes, usually requiring expert testimony.
Personally, I wouldn't attach excessive importance to the content of the regulations cited by XTB. In legal terms, we use the concept of semi-operative provisions. These are provisions that can be amended by agreement (including the regulations) solely to the benefit of the weaker party, i.e., the client. This is precisely the nature of the provisions ensuring the protection of funds and assets deposited with a brokerage house. Therefore, the scope of this liability can be amended by the regulations solely to the benefit of the client. Any provisions limiting this protection have no real legal effect.
The case of hacking into XTB client accounts certainly requires an explanation of the causes and drawing conclusions. This applies to both clients (e.g., awareness of online security rules) and XTB Brokerage House (e.g., security communication, customer service in the event of security incidents). Education is never too much, and it's not just about understanding the oil market, the Orlen share price trend line, or changes in the monetary policy of a particular central bank. As the current situation demonstrates, awareness of the security rules for one's own assets and those of one's clients can sometimes be more valuable than even a large, profitable transaction or a successful marketing campaign.
The priority should be finding those responsible for the thieves taking control of brokerage accounts (they are successful in the US). Since this wasn't a leak from XTB's systems, attention automatically turns to customers. However, many of them claim they took care to use the platform safely, used unique passwords, utilized antivirus software, and were aware of potentially dangerous online behavior. Others, on the other hand, admit that their passwords could have been stolen, but the hack likely wouldn't have occurred had they known about additional security features. The case isn't simple, and although it follows a common pattern, each case must be considered individually.
Michał Kubicki