Security Threats to MT4 and MT5

Understanding the security challenges facing MetaTrader platforms in 2024 and how to protect against emerging threats

Warsaji kometx.com January 7, 2025 12:00 PM
Security Threats to MT4 and MT5
Research Note

Abstract

MetaTrader 4 (MT4) and MetaTrader 5 (MT5) remain core execution terminals for retail FX/CFD participants and many brokerage operations. In 2024, the dominant risks to MetaTrader users were less about "platform hacking" in the traditional sense and more about identity compromise, endpoint infection (notably infostealer malware), and social engineering-driven delivery of malicious trading add-ons (Expert Advisors, indicators, DLL payloads). This research note synthesizes publicly available advisories, law-enforcement disclosures, and security reporting on credential theft and malware trends, and then maps these threats to practical defensive controls for traders and brokers. We also assess the security implications of MetaQuotes' enforcement of minimum supported terminal builds beginning December 1, 2024 (MT4 build 1420; MT5 build 4410).

1. Introduction

MT4/MT5 terminals sit at the intersection of finance and consumer computing: they are often installed on personal Windows systems, run continuously on VPS hosts, and execute third-party automation code (EAs/indicators) with varying degrees of trust. This makes the MetaTrader ecosystem attractive to financially motivated threat actors seeking direct monetization (account takeover, unauthorized trading, withdrawal redirection) or indirect monetization (credential resale, device-to-botnet enrollment).

This note is written for two audiences:

  • Retail and advanced traders who need a defensible "minimum-security baseline" without operational overhead.
  • Brokers and platform operators who need control recommendations aligned to identity risk, fraud patterns, and incident response.

2. Ecosystem Threat Model (What You Are Actually Defending)

A practical security posture starts with understanding the trust boundaries:

2.1 Core components

  • Client endpoints: MT4/MT5 desktop terminals, mobile apps, and web terminals.
  • Execution environment: local PC or Windows VPS/RDP instance running terminals and automation.
  • Broker infrastructure: authentication, trade routing, account management portals, and withdrawal workflows.
  • Third-party code: EAs, indicators, scripts, DLL dependencies, and update mechanisms.

2.2 Primary attacker objectives

  1. Credential theft and session hijack: obtain passwords, tokens, cookies, or platform secrets.
  2. Account takeover (ATO): place trades, manipulate risk, or change withdrawal destinations.
  3. Malware delivery via trading lures: weaponized "tools," "indicators," "premium signals," or pirated software.
  4. Persistence: maintain access to the trading environment (VPS, email, broker portal) for repeated abuse.

3. Methodology and Evidence Base

This research note is based on:

  • MetaQuotes communications on platform support and minimum builds.
  • Security reporting on credential theft as a leading initial access vector (industry-wide). Verizon's 2024 DBIR continues to identify stolen credentials as a top initial action in breaches.
  • Reporting on the growth of infostealer malware in 2024 and its role in large-scale credential theft.
  • Public law-enforcement disclosures describing infostealer distribution methods and impact (e.g., malvertising, phishing, fraudulent downloads).
  • Author's defensive synthesis: mapping these trends to MetaTrader-specific attack paths and mitigations (no offensive guidance).

Limitations: This is a threat synthesis and defensive engineering note, not a proprietary incident dataset. Where quantitative claims are made, they are anchored to cited sources or framed as operational measurement guidance.

4. 2024 Threat Landscape for MT4/MT5

4.1 Identity compromise is the primary failure mode

Across the broader cyber landscape, credential theft remains one of the most common initial access vectors in real breaches. In the MetaTrader context, this typically happens through:

  • Phishing/pretexting impersonating brokers, "account verification," KYC updates, withdrawals, or platform updates.
  • Credential reuse from unrelated breaches, enabling credential stuffing against broker portals.
  • Email compromise that enables password resets and withdrawal workflow manipulation.

Why this matters: if an attacker can impersonate the user, the trading terminal itself may never be "hacked"—the attacker simply logs in as the user.

4.2 Infostealers and endpoint malware disproportionately impact traders

In 2024, infostealer malware infections increased across Windows and macOS in multiple reporting streams. Infostealers harvest browser passwords, cookies, autofill, crypto wallet data, and application artifacts; this feeds underground "log markets" and accelerates account takeover. Large-scale disruptions against prominent infostealers (e.g., RedLine/META) in late 2024 highlight both their prevalence and industrialization.

MetaTrader-relevant impact: traders often store credentials in browsers (broker portals, email) and run terminals on the same machine used for downloads, charting add-ons, and "tool" installations—an ideal environment for stealers delivered via malvertising or cracked software bundles.

4.3 Social engineering + "trading tool" delivery is a recurring pattern

MetaTrader is extensible by design. That extensibility can be abused when:

  • users install EAs/indicators from unverified sources,
  • DLL imports are enabled without review,
  • VPS images are reused across "bot packs,"
  • pirated platform builds or "optimized terminals" are used.

The operational reality is that many compromises begin with a plausible lure: "free premium indicator," "funded account EA," "latency killer," or "broker fix." The terminal becomes the execution context for an attacker's code, rather than the direct target of a platform vulnerability.

4.4 Platform version risk: end-of-support is a security boundary

MetaQuotes announced that, starting December 1, 2024, older desktop terminal versions would no longer connect to broker servers; minimum supported builds were set to MT4 build 1420 and MT5 build 4410.

Security implication: enforced upgrades reduce exposure to legacy defects and outdated dependencies. However, any environment that deliberately avoids updates (often to preserve compatibility with legacy EAs) creates a predictable target for malware operators and opportunistic attackers. The practical conclusion is simple: if your trading stack depends on an old build, the security cost is real and must be compensated with stronger isolation controls (Section 6).

5. Defensive Controls (Prioritized for Traders)

The following controls are ordered by expected risk reduction per unit effort.

5.1 Account and identity controls (highest leverage)

  1. Enable MFA wherever your broker supports it (platform login, portal login, withdrawals). Microsoft and CISA both emphasize MFA as a high-impact control against account compromise.
  2. Prefer phishing-resistant MFA where possible (FIDO/WebAuthn) over SMS/OTP when your provider supports it.
  3. Use unique, high-entropy passwords stored in a reputable password manager; do not reuse across broker, email, and VPS.
  4. Harden account recovery: secure your email with MFA; review recovery email/phone; remove unused recovery methods.
  5. Enable trade and login alerts (email/SMS/app) and treat unexpected alerts as a compromise indicator.

5.2 Endpoint and VPS hardening (where most compromises start)

  1. Separate trading from browsing:
    • Best: a dedicated trading VM/VPS used only for terminal execution.
    • Minimum: a separate Windows user profile for trading with restricted privileges.
  2. Patch OS and applications (browser, PDF readers, Java, .NET) and remove unused software.
  3. Use reputable endpoint protection and keep signatures current; do not disable protection for "tool compatibility."
  4. Lock down RDP/VPS access: allow-list your IP, enforce MFA on the VPS provider, disable password-only access where possible, and restrict clipboard/drive redirection if operationally feasible.
  5. Do not run "admin-by-default": trading does not require permanent local admin privileges.

5.3 MetaTrader-specific controls (reduce EA/DLL risk)

  1. Treat EAs/indicators as software, not "files." Only install from trusted sources with verifiable provenance.
  2. Disable DLL imports by default and enable only for code you have reviewed and operationally need.
  3. Restrict outbound connectivity: if an EA requires WebRequest, allow-list the exact domains; treat unexpected network calls as high risk.
  4. Change management: maintain a simple release discipline—version your EA set, keep hashes, and log changes to the terminal data directory.
  5. Backups: keep offline backups of templates, profiles, and critical configurations.

6. Broker and Platform Operator Controls (What "Good" Looks Like)

Brokers can materially reduce client losses and incident load by focusing on identity, fraud, and communications controls:

6.1 Authentication and fraud controls

  • Enforce MFA (and push toward phishing-resistant options).
  • Risk-based authentication: impossible travel, geo-velocity, device fingerprinting, and anomalous session scoring.
  • Step-up verification for sensitive actions (withdrawal address changes, new beneficiaries, API key issuance).
  • Rate limiting and bot detection on login endpoints to reduce credential stuffing.

6.2 Client communications hardening

  • Implement DMARC/DKIM/SPF to reduce brand spoofing.
  • Standardize "never ask for password/OTP" policies and publish them prominently.
  • Maintain a signed, verifiable download chain for installers and updates (and communicate official sources clearly).

6.3 Incident response readiness

  • Provide clients with: login history, device history, and last session list.
  • Rapid lock/freeze workflow for suspected ATO.
  • Forensic-grade logging on authentication, session tokens, withdrawals, and trade activity.

7. Practical Incident Response Playbook (For Traders)

If you suspect compromise, act as though credentials and the device are both affected:

  1. Immediately disable trading (remove EA auto-trading, disconnect terminal, or freeze account via broker if available).
  2. Change passwords from a clean device (email first, then broker portal, then VPS provider).
  3. Enable or reset MFA and revoke active sessions where supported.
  4. Validate withdrawals and beneficiaries (remove unknown bank/crypto addresses).
  5. Scan and rebuild the environment: treat infostealer compromise as "reinstall or rebuild" for high confidence.
  6. Collect evidence: timestamps, trade IDs, terminal logs, VPS login logs; submit to broker support for investigation.

8. Key Findings and Practical Takeaways

  • The dominant MetaTrader risk pattern in 2024 is identity + endpoint compromise, not exotic platform exploitation.
  • Infostealers scale credential theft through malvertising, phishing, and fraudulent downloads; this is directly relevant to traders who install third-party tools.
  • Enforced minimum terminal builds beginning December 1, 2024 create a clear operational security boundary: update or accept compensating controls and higher risk.
  • MFA is consistently identified as a high-impact mitigation against account compromise, particularly against automated credential attacks.

9. Conclusion

Securing MT4/MT5 in 2024 requires treating the trading stack as a security system: identity controls to prevent takeover, endpoint hygiene to defeat infostealers, and disciplined software provenance for automation components. For retail traders, the most effective posture is a dedicated, hardened execution environment (preferably a clean VPS) paired with MFA and strict control over what code is allowed to run. For brokers, the largest risk reduction comes from modern authentication, fraud analytics on sensitive workflows, and anti-phishing communications discipline.

References

  • MetaQuotes. (Oct 22, 2024). Support for older MetaTrader 4 and MetaTrader 5 versions to end on December 1, 2024. metaquotes.net
  • Verizon. (May 2024). 2024 Data Breach Investigations Report (DBIR). Verizon
  • Red Canary. (2024). Threat Detection Report trend: Info stealers increased in 2024. Red Canary
  • U.S. Department of Justice / Eurojust. (Oct 29, 2024). International action against RedLine and META infostealers. Department of Justice
  • CISA. Multifactor Authentication and phishing-resistant MFA guidance. CISA
  • Microsoft Security Blog / Microsoft research on MFA effectiveness. Microsoft