BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
Markets

Hong Kong Regulator Mandates New Anti-Phishing Rules for Crypto Firms

The Hong Kong Securities and Futures Commission (SFC) has issued new rules aimed at reducing account takeovers on virtual asset trading platforms (VATPs) and online brokers. The regulator say

AnonymousCryptoCompass newsroom
July 9, 2026
6 min read
NEWS
Hong Kong Regulator Mandates New Anti-Phishing Rules for Crypto Firms
CryptoCompass editorial visual for markets coverage.

The Hong Kong Securities and Futures Commission (SFC) has issued new rules aimed at reducing account takeovers on virtual asset trading platforms (VATPs) and online brokers. The regulator says platforms in the city must upgrade authentication controls to make logins more resilient to phishing and other social engineering tactics.

The SFC requires stronger phishing-resistant authentication methods and device binding, and it bans one-time passwords delivered via SMS, email, or app-based logins. Companies covered by the rules have 12 months to implement the changes, which the SFC frames as a key part of raising local cybersecurity standards as phishing activity intensifies globally.

Key takeaways

  • The SFC’s new requirements apply to virtual asset trading platforms (VATPs) and online brokers operating in Hong Kong.
  • One-time passwords through SMS, email, or app-based logins are prohibited for these platforms.
  • Phishing-resistant authentication and device binding are required, with options such as passkeys and hardware security keys.
  • Covered firms must complete implementation within 12 months from issuance.
  • The SFC linked the update to rising phishing and social engineering losses in the broader crypto industry.

What the SFC is requiring for crypto login security

In a statement released Thursday, the Hong Kong regulator outlined specific expectations for authentication on VATPs and online brokers. The SFC’s document sets out requirements for phishing-resistant methods and device binding, aiming to prevent attackers from hijacking accounts through fraudulent login prompts or compromised credentials.

According to the SFC, the new standards disallow one-time passwords delivered by SMS, email, or via app-based logins. Instead, the commission points to stronger alternatives designed to reduce the effectiveness of phishing scams—for example, passkeys, registered devices with cryptographic verification, and hardware security keys.

The formal requirements are available through the SFC’s publication gateway: SFC requirements document.

Why Hong Kong is tightening rules now

The SFC’s move arrives at a moment when phishing and social engineering incidents continue to disrupt crypto users worldwide. The SFC said that in the first quarter of 2026, phishing-related tactics accounted for a significant portion of reported industry losses.

As reported by Cointelegraph earlier, industry losses totaled $482 million in the period, with $306 million attributed to phishing attacks and social engineering scams. The SFC also referenced a separate local data point: counterfeiting and fraud incidents represented 57% of security incidents reported to the Hong Kong Cyber Security Accident Coordination Center in 2025.

In remarks carried in the SFC materials, Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission, said that protecting customers from increasingly complex counterfeiting and fraud attacks requires comprehensive measures spanning prevention, detection, response, and education.

Real-world phishing losses underscore the risk

The SFC’s tightening reflects a pattern already visible in recent crypto incidents: attackers often use phishing to trick users into signing approvals or connecting wallets to fraudulent pages. These actions can grant attackers control over funds or enable unauthorized transfers.

Cointelegraph reported on Wednesday that a crypto investor lost nearly $1 million after signing a malicious phishing token approval transaction on Ethereum. Earlier coverage also described another case in which a wallet holder reportedly lost $1.65 million after connecting to a fake exchange and signing a malicious contract that gave attackers unlimited access to funds. Researcher Ryan Coleman made the assessment in a post shared on X: RyanColeXBT.

Additional examples cited in earlier reporting highlight the variety of phishing delivery methods. Cointelegraph noted that on May 25, on-chain analyst “b-block” warned scammers used Google to deploy malicious phishing ads impersonating decentralized exchange Uniswap, reportedly stealing more than $400,000 from victims. That earlier report is here: Cointelegraph on fake Uniswap ads.

Broader industry leaders have also called attention to wallet security weaknesses that phishing exploits. Cointelegraph previously connected such risks to discussions from Binance co-founder Changpeng Zhao after major investor losses, including a $50 million address poisoning incident in December 2025. Earlier coverage on that topic is here: Zhao’s remarks and related loss.

Device binding and passkeys: what changes for users and platforms

Although phishing attacks often start with a message that looks legitimate, the SFC’s approach targets the authentication layer that attackers rely on. By requiring phishing-resistant authentication and device binding, the rules are designed to reduce the chances that credentials or approvals obtained through a scam lead directly to account compromise.

For platforms, the practical implication is that they cannot treat multi-factor authentication as a checkbox. The SFC’s explicit ban on SMS/email one-time passwords is especially important because these methods can still be vulnerable to social engineering and interception—scenarios where attackers focus on tricking users into providing the second factor or luring them into fraudulent flows.

Instead, the SFC highlights methods that tie authentication to trusted hardware or cryptographic verification. Passkeys, cryptographic device registration, and hardware security keys all share a common theme: the login mechanism should be harder for attackers to replicate via fraudulent prompts, and stronger controls should ensure that only authorized devices can complete authentication.

For Hong Kong users, the change may eventually translate into a more consistent login experience with fewer fallback authentication options. For investors and traders, stronger login security is not just a compliance issue; it can be a direct determinant of whether account takeover attempts succeed—particularly when platforms integrate authentication with deposit, withdrawal, and trading permissions.

Still, one key uncertainty remains: how quickly different VATPs and online brokers will choose among the SFC’s allowed phishing-resistant alternatives, and how smooth the migration will be for end users. With a 12-month deadline, platform execution and user onboarding processes will likely be crucial in determining how effectively the new rules reduce real-world phishing losses.

With the SFC setting a clear timeline and banning weaker authentication methods, attention should now turn to how quickly Hong Kong platforms roll out passkeys or device-bound cryptographic authentication—and whether regulators will later expand requirements as phishing tactics evolve.

This article was originally published as Hong Kong Regulator Mandates New Anti-Phishing Rules for Crypto Firms on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.