Press Release

Rodney Bay, St. Lucia, May 15th, 2025, FinanceWire

Lux Trading publicly declares that an unknown third party accessed the firm’s email account and used it to initiate a password reset for the associated Kingdom Bank account. Although Google Authenticator was in place, the firm states that it was possible to reset login credentials and access the account without entering an authenticator code. After gaining access, the unauthorized user added a second user to the account and granted administrative privileges—again, reportedly without triggering any additional two-factor authentication requirements.

This second user subsequently initiated cryptocurrency transfers from the account. Due to the structure of blockchain-based systems, these transactions were irreversible.

The firm reported the incident through The Kingdom Bank’s live chat on a Wednesday evening.

According to Lux Trading Firm, they were informed that the issue could not be addressed immediately and that someone would follow up the next day. Despite having provided a detailed explanation and supporting documentation, the firm sent five follow-up emails on Thursday. The response received Thursday evening, they report, asked whether they were “okay” and what assistance was needed, suggesting a potential misunderstanding of the urgency of the matter. A formal reply from the bank’s legal department arrived Friday evening, advising Lux to remain vigilant.

In its internal investigation, Lux Trading Firm attempted to update its login credentials, including the associated email address, and found that these changes could be made without the use of Google Authenticator codes. According to the firm, this demonstrated that critical security steps—such as credential changes and user role assignments—did not require two-factor authentication. As a result, the firm believes an attacker with access to the registered email account could gain control over a Kingdom Bank account without further verification. They noted that even if the transactions had involved traditional bank transfers, the support response time may not have allowed for timely mitigation.

The Kingdom Bank’s legal department later issued a formal letter concluding that the bank would not accept responsibility for the incident. The letter stated that the email account breach was beyond the bank’s scope of control and that the incident had not been reported immediately because it occurred overnight. It further stated:

“Kindly be advised that this constitutes our final decision in this matter. It has been reached after due consideration, and no further claims, appeals, or correspondence will be entertained in relation to this issue.”

According to Lux Trading Firm, the final communication from the bank arrived within a week of their initial report. The firm expressed concern that there was no opportunity to dispute the findings, appeal the decision, or recover the funds—despite evidence that critical account access protocols could be bypassed without full multi-factor authentication enforcement.

The firm highlights the incident as an example of potential security gaps in online banking platforms and account management procedures. Although two-factor authentication was advertised and active on the account, core actions—such as adding users or modifying login credentials—did not require code-based verification.

By sharing this account, Lux Trading Firm aims to raise awareness among organizations and individuals about the importance of evaluating service providers’ implementation of two-factor authentication. The firm noted that institutions based in regulated jurisdictions, such as the EU, UK, or USA, typically offer clearer protections and defined protocols. They emphasized the importance of verifying that financial service providers not only promote security features but also integrate them into all sensitive account functions.

Two-factor authentication methods like Google Authenticator are designed to prevent precisely this type of breach. If such protections can be circumvented or are not enforced at all points of account access and control, customers may be left exposed to irrecoverable losses.

Lux Trading Firm encourages all users of digital banking and crypto platforms to review their providers’ security policies, particularly around password recovery procedures and multi-user account permissions.

About Lux Trading Firm

Lux Trading Firm is a UK-based firm that utilizes online financial platforms for its operations. Following a recent security incident, the firm is actively advocating for enhanced security measures within the financial industry to protect users against unauthorized access and potential losses.

Contact

Jeroen Burger

Lux Trading Firm

[email protected]

+44 (0)20 7167 8107