Hong Kong toughens anti-phishing rules for crypto firms
Hong Kong SFC ordered virtual-asset trading platforms and online brokers to adopt phishing-resistant authentication, ban OTPs via SMS, email or apps and deploy passkeys or hardware keys within 12 months.
The Securities and Futures Commission issued new requirements to virtual-asset trading platforms and online brokers operating in the Hong Kong SAR. Firms must replace one-time passwords delivered by SMS, email or apps with phishing-resistant authentication within 12 months.
Accepted methods include passkeys, device binding with cryptographic verification and hardware security keys. Passkeys and hardware keys use public-key cryptography to prevent credential theft on fake login pages. Device binding verifies a specific device cryptographically rather than relying on codes that can be intercepted.
The regulator stated the measures are meant to reduce account takeover through phishing and social engineering. The SFC listed passkeys, registered devices with cryptographic checks and hardware security keys as phishing-resistant options.
The update follows a rise in phishing and social engineering losses in the crypto sector. In the first quarter of 2026, such incidents accounted for $306 million of the industry’s $482 million in reported losses. Separate figures for the first half of 2026 put phishing-related losses at about $366 million.
Hong Kong cyber authorities recorded that counterfeiting and fraud made up 57% of security incidents reported to the Hong Kong Cyber Security Accident Coordination Center in 2025.
Recent incidents cited by regulators and researchers include a crypto investor who lost nearly $1 million after signing a malicious token approval on Ethereum and a wallet holder who lost about $1.65 million after connecting to a fake exchange and signing a harmful contract. Researchers also reported campaigns using paid search and impersonation ads that stole more than $400,000.
Platforms regulated by the SFC will need to update customer authentication flows, developer documentation and account recovery procedures to comply. The announcement did not specify enforcement penalties.
Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission, stated: “To protect customer accounts from increasingly complex and changing counterfeiting and fraud attacks, comprehensive measures must be implemented in conjunction with prevention, detection, response and education.”
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.








