Key facts
- Hong Kong's SFC has mandated new anti-phishing measures for crypto platforms and online brokers.
- Platforms must adopt phishing-resistant authentication methods, such as passkeys or hardware security keys.
- The use of SMS, email, or app-based one-time passwords for logins will be prohibited.
- These changes must be implemented within the next 12 months.
- The new regulations aim to combat rising phishing attacks and social engineering scams in the crypto sector.
The Hong Kong Securities and Futures Commission (SFC) has mandated that virtual asset trading platforms (VATPs) and online brokers implement enhanced anti-phishing security measures within the next 12 months. These new requirements prohibit the use of one-time passwords delivered via SMS, email, or app-based logins, pushing platforms towards more robust solutions like passkeys, registered devices with cryptographic verification, and hardware security keys.
The SFC's directive comes in response to a significant increase in phishing attacks and social engineering scams targeting the cryptocurrency industry globally. In the first quarter of 2026, such incidents accounted for $306 million of the industry's total losses, which reached $482 million. Counterfeiting and fraud attacks were also prevalent in Hong Kong, representing 57% of security incidents reported in 2025.
Recent incidents highlight the severity of the threat, including a crypto investor losing nearly $1 million after signing a malicious phishing token approval on Ethereum, and another wallet holder losing $1.65 million by connecting to a fake exchange. Scammers have also been observed using malicious phishing ads, such as those impersonating Uniswap, to steal funds. Industry figures like Binance co-founder Changpeng Zhao have previously emphasized the need for improved wallet security to combat these evolving threats.