Crypto investors in Hong Kong are about to see the way they log into trading platforms change dramatically. The Hong Kong Securities and Futures Commission has issued sweeping new Hong Kong crypto phishing regulation requirements, ordering all virtual asset trading platforms and online brokers in the city to eliminate one-time passwords and replace them with stronger, phishing-resistant login methods — all within 12 months.
Summary
Key takeaways
- The SFC has banned OTP-based logins via SMS, email, and app-based methods for crypto platforms and online brokers, with a 12-month implementation deadline.
- Approved alternatives include passkeys, registered devices with cryptographic verification, and hardware security keys.
- Phishing attacks and social engineering scams caused $306 million in losses across the crypto industry in Q1 2026 alone, out of total losses of $482 million.
- Counterfeiting and fraud attacks accounted for 57% of all cybersecurity incidents reported to Hong Kong’s Cyber Security Accident Coordination Center in 2025.
- The SFC will hold senior management at licensed firms directly accountable for customer losses stemming from inadequate internal controls.
Hong Kong mandates phishing-resistant login for crypto platforms
The regulatory action signals a hard pivot away from the most commonly used form of account authentication in financial services. One-time passwords — the six-digit codes delivered via text message, email, or authenticator app — have long been the industry standard for two-factor login. The SFC now considers them inadequate against modern phishing techniques, and it is telling firms to treat the transition as urgent, not optional.
Large internet brokerage firms, in particular, have been told to act immediately rather than wait for the 12-month window to close.
Phasing out one-time passwords within 12 months
The new circular prohibits OTP-based logins across all licensed platforms. The SFC’s position is clear: traditional one-time passwords are too easy to intercept or replicate through social engineering, spoofing campaigns, and phishing websites that trick users into entering credentials on fake interfaces.
The regulator also requires firms to implement detection and surveillance systems to flag suspicious login, trading, and withdrawal activity. Platforms must notify clients promptly of significant account actions and respond to hacking incidents without delay. Regular warnings to customers about emerging impersonation scams are also now part of the compliance picture.
Critically, the SFC made clear that senior management bears ultimate responsibility for the adequacy of these controls. Firms whose internal systems fall short could be held accountable for resulting customer losses — a liability framing that gives this circular real teeth.
Approved authentication methods and device binding
The SFC has specified three categories of acceptable phishing-resistant solutions: passkeys, registered devices using cryptographic verification, and hardware security keys. All three share a common trait — they bind authentication to a physical device or cryptographic proof that cannot be easily intercepted or replicated remotely, even if a user is deceived into visiting a fake site.
This approach reflects how phishing-resistant authentication standards have evolved globally. Unlike OTPs, which can be harvested in real time by attackers running man-in-the-middle attacks, passkeys and hardware keys require possession of the actual registered device. There is no code to steal.
Rising phishing and fraud losses threaten crypto investors
The SFC did not issue this order in a vacuum. The numbers behind it make an uncomfortable case.
Global crypto phishing losses and recent scams
Phishing attacks and social engineering scams generated $306 million in losses within the crypto industry during Q1 2026 — representing the majority of the sector’s total $482 million in losses during that period. By the first half of 2026, phishing-related losses had climbed to $366 million, underscoring an accelerating trend rather than an isolated spike.
Individual incidents paint an equally troubling picture. Just days before the SFC’s circular, a crypto investor lost nearly $1 million after signing a malicious phishing token approval transaction on Ethereum. Earlier the same month, a wallet holder lost $1.65 million after connecting to a fake exchange and signing a malicious contract — a transaction that granted attackers unlimited access to the funds, according to researcher Ryan Coleman. On May 25, onchain analyst “b-block” reported that scammers had deployed malicious Google ads impersonating decentralized exchange Uniswap, stealing more than $400,000 from victims who believed they were visiting the real platform.
Hong Kong cybersecurity incident statistics
Locally, the threat profile is equally severe. Data from the Hong Kong Cyber Security Accident Coordination Center shows that counterfeiting and fraud attacks represented 57% of all security incidents reported in 2025. That concentration of risk in a single threat category — spoofing and impersonation — maps directly onto what the new SFC requirements are designed to counter.
The convergence of local incident data with global phishing losses makes the timing of this regulation straightforward to understand. Hong Kong’s crypto market has been expanding, and with more users on licensed platforms comes a larger attack surface. The SFC appears to be moving before a major local incident forces its hand.
Industry reactions and calls for stronger wallet security
Binance co-founder advocates for improved wallet protections
Pressure to raise security standards has come not only from regulators. Changpeng Zhao, co-founder of Binance, publicly called for better wallet security measures after an investor lost $50 million in an address poisoning scam in December 2025. Address poisoning is a different attack vector from phishing — it works by inserting a near-identical fraudulent wallet address into a victim’s transaction history — but it reflects the same broader pattern: attackers exploiting small moments of inattention with devastating financial consequences.
The scale of that incident, and the public profile of the person calling it out, helped keep crypto security in the industry conversation heading into 2026.
Notable address poisoning scams raising alarm
Address poisoning has generated some of the most striking individual loss figures in recent memory. In May 2024, one victim lost $71 million in an address poisoning attack — an unusual case that ultimately ended with the attacker returning the full amount after investigators claimed to have tracked a potential IP address. That outcome was exceptional. Most victims in these schemes recover nothing.
Expert perspectives on combating crypto phishing
“To protect customer accounts from increasingly complex and changing counterfeiting and fraud attacks, comprehensive measures must be implemented in conjunction with prevention, detection, response and education,” said Ye Zhiheng, Executive Director of the Intermediaries Department of the China Securities Regulatory Commission.
The framing matters. Prevention through better authentication is only one layer. Detection systems, rapid incident response, and ongoing user education form the rest of the approach that regulators now consider necessary. The SFC’s circular reflects this layered thinking — it does not simply mandate better login technology and stop there. It asks firms to build an integrated security posture, from the login screen to customer communication.
What the regulation does not yet answer is how smaller virtual asset trading platforms will absorb the cost and technical complexity of implementing hardware security keys and cryptographic device binding at scale. The 12-month window gives firms room to plan, but the gap between a large licensed broker and a smaller VATP in terms of security engineering capacity is real. How the SFC handles that disparity — and whether penalties for non-compliance will be proportionate — may define how effective this mandate actually proves to be.
FAQ
What new login requirements has the Hong Kong Securities and Futures Commission imposed on crypto platforms?
The SFC requires crypto platforms and online brokers to adopt phishing-resistant authentication methods — specifically passkeys, registered devices with cryptographic verification, and hardware security keys — while banning one-time passwords delivered via SMS, email, or app-based logins. Firms have 12 months to implement the changes, though large internet brokers have been told to act immediately.
Why are these new phishing-resistant login methods being mandated now?
The mandate follows a sharp rise in phishing attacks and social engineering scams that caused $306 million in losses across the crypto industry in Q1 2026, alongside data showing that counterfeiting and fraud attacks accounted for 57% of cybersecurity incidents reported in Hong Kong in 2025. The SFC views OTPs as inadequate against the sophistication of current attack techniques.
What alternatives to one-time passwords are accepted by the Hong Kong regulator?
The SFC has approved three categories of phishing-resistant solutions: passkeys, registered devices with cryptographic verification, and hardware security keys. These methods tie authentication to a physical device or cryptographic proof, making them significantly harder for attackers to intercept even through spoofed websites or social engineering.
What has been the reaction from the crypto industry to these phishing threats?
Industry leaders including Binance co-founder Changpeng Zhao have called for stronger wallet security following high-profile incidents, including a $50 million address poisoning scam in December 2025. The SFC’s action formalizes what prominent figures in the industry have been advocating informally for months.
Article produced with the assistance of artificial intelligence and reviewed by the editorial team.

