Who stole your MT4 clients?

Timur Latypoff, Director of MT4 technologies provider Takeprofit Technology, takes a look at a question many forex brokers ask themselves every once in a while: Is someone stealing my clients (or client data)? What can I do about it and – most importantly – to prevent it?

Takeprofit’s products include A and B-book risk management solutions, the Klondike liquidity bridge, and the Ashira automated dealer anti-cheating defense. Takeprofit’s clients have included Forex brokerages and white-label solution providers such as Darwinex, FXPIG, FXSTAT, BTFX, FinFX.


Takeprofit TechnologyFinding paying clients is what usually makes or breaks a retail Forex brokerage company. So many FX companies consist mostly of a marketing/sales department, because acquiring and retaining customers is the most important (and, probably, the most difficult) thing a broker can do to be profitable.

One of the ways to lose your hard-earned clients is if some dishonest competitor gets access to a whole list of your clients, their names, emails, phone numbers, and payment histories — and targets their advertisement campaign at them directly, by emphasizing your shortcomings and their own advantages, even if untrue.

In this article we will take a look at how MetaTrader-4-based retail brokerages can protect themselves from theft of their clients’ contact details.

Who steals clients, why, and how

Obviously, the end-customer of your clients’ database theft is your competitor. Nobody would mind extending their mailing list with thousands of emails to fresh traders eager to make a live deposit. Every sales department dreams of an opportunity to get a thick list of leads with full names, phone numbers, and valid addresses.

But how could it happen that your full list of clients that you cultivated carefully over the years of honest operations would end up in your rascally competitor’s hands?

Firstly, of course, it could be a server security breach — your website could get hacked, your trading server’s passwords could be guessed. We will not be discussing this possibility in this article, it is a very broad topic well beyond our interest here. To mitigate such risk you should hire competent IT personnel.

Secondly, your employees could leak or sell your clients’ personal data to third parties. They say that if you go to a bar in Limassol on Friday night, USD $1,000 could get you a full clients database from an FX company across the street. If your chief dealer or IT guy think that they are under-compensated, they might have an easy time making up for that difference.

Finally, your technology partners could “borrow” your clients’ information rather easily. If you installed a plugin into your MetaTrader 4 server, or you logged into some third-party tool with your manager’s login and password, it would take less than 10 seconds for an untrustworthy IT vendor to sneak all traders out without leaving any traces. Some technology providers might even launch their own retail Forex brokerage division eventually.

Certainly, there are other, less common possibilities, but for the sake of brevity we will concentrate on the second and the third case above in this article.

What are brokers’ options to protect their client base

Protecting your clients information is a two-step process:

  1. Preventing third-parties from being able to steal your database
  2. Making sure that should the database get stolen, you know exactly who did that

Managing access

Pretty obvious things here.

You should make sure that both your employees and technology providers are trustworthy. Ask for references from other brokerages in advance, and make sure you don’t give direct RDP, Radmin or unsupervised TeamViewer access to your server, don’t issue MT4 Administrator or unrestricted MT4 Manager credentials for newcomers.

If you ever share passwords with new technology providers, make sure you change them after the job is done — even if their account managers wish you the best, you don’t want to bet your database on trustworthiness of all their temporary interns or soon-to-be-fired personnel.

Making punishment inevitable

Eventually, no matter how paranoid you get, there’s always a chance that some things might slip beyond your attention. “One of the greatest checks on crime is not the cruelty of punishments but their inevitability” (“On Crimes and Punishments”, Beccaria). So one of the most effective ways to prevent theft is making sure that every time it happens, you find out who did that.

The problem is there’s probably no way to pinpoint theft of client base with 100% certainty, but there are many more-or-less reliable ways to find that out indirectly.

After the database is stolen, and you know the approximate time when that happened — of course, you should consult your Windows Event Logs for RDP access entries, you should check MT4 Journal logs to notice who used their MT4 Manager account, check what plugins were installed in that time frame.

But how do you know whether the theft had indeed been committed, and when? Here’s the trick.

Finding the thief with one curious trick

For example, your competitor gets their hands on your database of numerous clients, what do they do? Probably, they launch an email campaign to let future customers know about their unique proposition. Therefore, you could use that, and if you add a new fake email to your database every two weeks, when eventually some of the emails receive a message from one of your competitors, you can be sure that the database was stolen after you generated that particular email address, and rather probably before you made the next one.

  1. Make sure you make those “fake” emails on public email services and not on your company’s domain, as they will be easy to filter out (please note that big email providers like Gmail, Yahoo, Hotmail — all require a phone number for new email registration, and don’t allow too many emails to be associated with the same phone number).
  2. Devise believable names, Mehmet Bilgin with email [email protected] will less likely be noticed as fake by thieves than Dummy4 with [email protected]
  3. Put those fake clients not only at the end of your clients list, but try replacing your old inactive clients from years ago with your “traps”, so that your defense pattern is less predictable.
  4. Don’t bother checking all those fake emails at once. Take 15 minutes to learn how to set up auto-forwarding from those numerous mailboxes to your main account, so that you can catch those newsletters with no extra effort.
  5. Automate the process in-house or contact your trusted software vendor. Although the steps are rather easy, it could get a bit tedious for a person to manage all these details.

By employing this simple technique, you can easily pinpoint when the database got to be stolen, and recall what happened during that time: was it that extra-cheap agent commission plugin installed? or was it that sales intern who resigned after one month of work?


From my experience, so many brokers are oblivious about the dangers of clients database getting stolen. They install server plugins from people they’ve never heard of, give eternal unrestricted machine access to everyone who requests it. At the same time, retail Forex brokering is a highly competitive business that employs quite a few people with floating morals who are glad to save effort in extending their client base.

The issue is made worse with the fact that usually it is very easy to make a copy of the whole database by leaving little to no traces, and the victim will almost never get to know when information had been compromised. And there’s no real way to effectively prevent every chance of stealing because of the way MetaTrader 4 works.

However, by using the easy trick described in this article, a broker can be more proactive in defending its clients personal data and finding the wrongdoers.

Read Also: