The scale of online threats is alarming. According to data from CERT NASK, Poland recorded as many as 103,449 unique cybersecurity incidents in 2024 — a 29% increase compared to the previous year[1]. The European Central Bank has also highlighted the increasing activity of cybercriminals, identifying the financial sector as one of the most vulnerable to attacks[2], particularly those aimed at unauthorized access to accounts and financial data. These facts underline that cybersecurity has become one of the key challenges for both financial institutions and their clients.
Trust as the Foundation in Times of Cyber Threats
Faced with rising risks, XTB — a leader in Poland’s investment industry and one of Europe’s foremost fintech companies — is taking strategic steps to strengthen client trust. Beyond implementing security measures based on new technologies, collaborating with security experts, and running educational campaigns, the company has decided to fully compensate investors for any funds lost due to cybercriminal activity. According to XTB’s data, such attacks affected only 0.017% of clients. None of the clients impacted had two-factor authentication (2FA) enabled, which is an effective safeguard against unauthorized account access.
“Our strategy is to offer the best investment application for managing investments, both passive and active. We want our clients to be confident that they can safely invest in the XTB app with long-term goals or additional retirement savings in mind. Building a relationship based on trust is paramount to us, which is why we decided to compensate all clients who fell victim to cybercriminals. We see this as a valuable lesson for us, individual investors, and the entire community. We believe cybersecurity should not only appear in the news during sensational incidents but evolve into a long-term educational campaign,” said Omar Arnaout, CEO of XTB.
In the coming weeks, XTB will directly contact clients who have filed complaints regarding losses due to cybercrime so they can recover their funds as soon as possible. The company estimates that the total compensation amount will not materially impact its financial results.
XTB Implements New Cybersecurity Solutions
XTB has offered 2FA activation since 2024. Initially, SMS-based authentication was available, and in July 2025 a second method was added: TOTP (Time-based One-Time Password). This allows users to generate one-time codes using apps such as Google Authenticator, Microsoft Authenticator, or Apple Passwords.
Currently, the mandatory 2FA activation process for all users in Poland is concluding, with rollout to other European branches planned in the coming weeks. Additionally, starting from Q4 this year, 2FA will be automatically enabled for every new client.
“We recognize that the financial sector must uphold the highest standards of security and trust. After all, these institutions — like XTB — are where clients’ money works. Cybersecurity is our priority, and this is not just rhetoric — in 2024, XTB’s Security Department budget increased by 48% year-over-year, and we expect these investments to grow steadily in the coming years,” added Omar Arnaout.
In the coming months, XTB plans to implement further measures to enhance client fund security. These include the ability to immediately log out from all sessions and lock accounts via the mobile app, as well as ongoing behavioral analysis of investors on the platform. Furthermore, XTB’s Security Department regularly collaborates with the CSIRT team of the Polish Financial Supervision Authority and CERT Poland.
Sources:
[1] https://cert.pl/posts/2025/04/raport-roczny-2024/
[2] https://www.ecb.europa.eu/press/financial-stability-publications/fsr/focus/2025/html/ecb.fsrbox202505_01~5b8c62e6c6.en.html