The Hong Kong Securities and Futures Commission has ordered licensed crypto trading platforms and online brokers to replace SMS-based authentication with phishing-resistant login methods within the next 12 months.
- Hong Kong’s SFC has banned SMS-based authentication for licensed crypto platforms and online brokers.
- Firms have 12 months to adopt phishing-resistant login methods such as passkeys and hardware security keys.
- The move comes as phishing scams accounted for $306 million in crypto losses during Q1 2026.
According to the Hong Kong Securities and Futures Commission (SFC), virtual asset trading platforms (VATPs) and online brokers must stop relying on one-time passwords delivered through SMS, email, or app-generated codes and instead adopt stronger authentication systems that are harder for attackers to compromise.
The regulator announced the new cybersecurity requirements on Thursday as part of updated standards for customer account protection.
Under the new framework, firms will be required to introduce phishing-resistant authentication methods together with device binding. The SFC identified passkeys, registered devices secured through cryptographic verification, and hardware security keys as acceptable alternatives. All licensed platforms must complete the transition within one year.
Hong Kong tightens security standards for crypto firms
The latest rules come as Hong Kong continues to expand its regulated digital asset market while raising operational standards for licensed businesses. Earlier this week, the SFC also announced changes to the Certified Virtual Asset Platform Practitioner programme after discussions with industry representatives.
The regulator committed to separating the certification examination from its mandatory course, lowering assessment fees, and improving study materials.
Administered by the Hong Kong Securities and Investment Institute (HKSI) under SFC standards, the Certification Programme for Virtual Asset Professionals serves as Hong Kong’s professional qualification for the digital asset sector. The programme covers blockchain fundamentals, digital asset products, and anti-money laundering compliance.
Recent regulatory activity has extended beyond licensing and professional standards. Last month, Hong Kong confirmed that its first regulated stablecoins are expected to enter circulation between the middle and second half of 2026 after the Hong Kong Monetary Authority granted issuer licenses to two bank-backed institutions in April.
According to the HKMA, the rollout schedule follows the institutions’ existing business plans, while the licensing framework is intended to support financial innovation, protect users, and preserve monetary and financial stability.
Returning to the cybersecurity measures, the SFC said the stronger authentication requirements respond to growing phishing and fraud risks affecting financial platforms. Data cited by the regulator showed that counterfeiting and fraud accounted for 57% of security incidents reported to the Hong Kong Cyber Security Accident Coordination Center during 2025.
Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission, said financial institutions need coordinated prevention, detection, response, and education measures to protect customer accounts from increasingly sophisticated fraud attacks.
Phishing scams continue to drain crypto investors
The SFC’s decision follows another period of heavy losses linked to phishing and social engineering attacks across the cryptocurrency industry.
Industry data showed phishing attacks and social engineering scams accounted for $306 million of the crypto sector’s $482 million in total security losses during the first quarter of 2026.
More recently, a crypto investor reportedly lost nearly $1 million after approving a malicious phishing token transaction on Ethereum, contributing to phishing-related losses that reached $366 million during the first half of 2026.
Separate incidents have continued throughout the year. Researcher Ryan Coleman reported that a wallet holder lost about $1.65 million after connecting to a fake cryptocurrency exchange and signing a malicious contract that granted attackers unlimited access to the wallet.
Earlier, on May 25, on-chain analyst b-block warned that scammers had used Google advertisements to impersonate decentralized exchange Uniswap, with the campaign reportedly stealing more than $400,000 from victims.
Calls for stronger wallet security have also come from within the industry. Binance co-founder Changpeng Zhao previously urged users to adopt better security practices after an investor lost $50 million in an address poisoning scam in December 2025.
