HomeEverythingEducation
Equities & FundsCrypto & Digital AssetsAI & TechnologyBusiness & CorporateUS Politics & PolicyGeopolitics & Global RiskMacro, Rates & FXCommodities & EnergyEuropean Politics & MarketsAsia-PacificReal Estate & Property
Story archiveAll categories
← All Stories

Hong Kong regulator orders new anti-phishing measures for crypto platforms

Created at 9 Jul · 1:06 PM1 source↑ Market-relevant
IN SHORT

Hong Kong's Securities and Futures Commission (SFC) has mandated that virtual asset trading platforms and online brokers implement phishing-resistant authentication methods within 12 months, prohibiting SMS-based one-time passwords.

✉Newsletter

PiQ Daily

Pick your topics. Get only what matters, on your cadence.

Key Numbers

12 monthsimplementation window for new security measures
$306 millionlosses from phishing attacks in Q1 2026
$482 milliontotal crypto industry losses in Q1 2026
57%security incidents attributed to counterfeiting and fraud in Hong Kong in 2025
$1 millionamount lost by a crypto investor in a recent phishing incident
$366 milliontotal losses from phishing scams in the first half of 2026
$1.65 millionamount lost by a wallet holder after connecting to a fake exchange
$400,000stolen by scammers impersonating Uniswap via phishing ads
$50 millionlost by an investor in an address poisoning scam in December 2025
$71 millionlost by a victim to an address poisoning scam in May 2024

Who's Involved

Hong Kong Securities and Futures Commission (SFC)
Regulator issuing new anti-phishing requirements for crypto platforms
Dr. Ye Zhiheng
Executive Director of the Intermediaries Department of the China Securities Regulatory Commission
Ryan Coleman
Researcher who reported on a $1.65 million phishing scam loss
Changpeng Zhao
Binance co-founder who previously called for better wallet security
b-block
Onchain analyst who warned about malicious phishing ads impersonating Uniswap

↳ Why This Matters

These new regulations in Hong Kong aim to bolster the security of cryptocurrency platforms and protect investors from increasingly sophisticated phishing and fraud attacks, which have led to substantial financial losses in the global crypto market.

Key facts

  • Hong Kong's SFC has mandated new anti-phishing measures for crypto platforms and online brokers.
  • Platforms must adopt phishing-resistant authentication methods, such as passkeys or hardware security keys.
  • The use of SMS, email, or app-based one-time passwords for logins will be prohibited.
  • These changes must be implemented within the next 12 months.
  • The new regulations aim to combat rising phishing attacks and social engineering scams in the crypto sector.

The Hong Kong Securities and Futures Commission (SFC) has mandated that virtual asset trading platforms (VATPs) and online brokers implement enhanced anti-phishing security measures within the next 12 months. These new requirements prohibit the use of one-time passwords delivered via SMS, email, or app-based logins, pushing platforms towards more robust solutions like passkeys, registered devices with cryptographic verification, and hardware security keys.

The SFC's directive comes in response to a significant increase in phishing attacks and social engineering scams targeting the cryptocurrency industry globally. In the first quarter of 2026, such incidents accounted for $306 million of the industry's total losses, which reached $482 million. Counterfeiting and fraud attacks were also prevalent in Hong Kong, representing 57% of security incidents reported in 2025.

Recent incidents highlight the severity of the threat, including a crypto investor losing nearly $1 million after signing a malicious phishing token approval on Ethereum, and another wallet holder losing $1.65 million by connecting to a fake exchange. Scammers have also been observed using malicious phishing ads, such as those impersonating Uniswap, to steal funds. Industry figures like Binance co-founder Changpeng Zhao have previously emphasized the need for improved wallet security to combat these evolving threats.

Frequently asked questions

Platforms must implement phishing-resistant authentication methods such as passkeys, registered devices with cryptographic verification, and hardware security keys. The use of SMS, email, or app-based one-time passwords is prohibited.

Virtual asset trading platforms and online brokers in Hong Kong have 12 months to comply with the new requirements.

The SFC is responding to a global increase in phishing attacks and social engineering scams targeting the cryptocurrency industry, which have resulted in significant financial losses.

The measures are intended to prevent phishing attacks, social engineering scams, counterfeiting, and fraud that target customer accounts and investor holdings.

What Happens Next

01Virtual asset trading platforms and online brokers must implement the new security measures within 12 months.

Get the newsletter.

Pick the topics you actually care about. We'll email when there's news worth your time, on the cadence you choose. Cancel any time from your account.

Cadence

How It Developed

Hong Kong's SFC issued new requirements for phishing-resistant authentication on virtual asset trading platforms and online brokers.
Platforms must implement stronger methods like passkeys or hardware security keys within 12 months.
SMS, email, or app-based one-time passwords are now prohibited for logins.
The measures aim to protect against increasing phishing attacks and social engineering scams in the crypto industry.

Sources

T1
Hong Kong regulator orders new anti-phishing measures for crypto platformsHong Kong’s regulator has ordered crypto platforms and online brokers to meet newly issued phishing-resistant login requirements within the next 12 months.Cointelegraph

Related Stories

AI accelerates crypto audit risks, researchers warn
9 Jul · 5:55 AM
Trader loses $1M in Ethereum phishing token approval scam
9 Jul · 6:06 AM
Bank of Korea Pushes Bank-Led Stablecoins Amid Pilot Programs
9 Jul · 9:25 AM
Interpol Operation Uncovers $123M Laundered via Crypto Wallet in Romance Scams
9 Jul · 9:25 AM
BitGo Adds Quantum-Risk Controls to Bitcoin Custody
9 Jul · 2:55 PM