Skip to main content

Hong Kong Regulator Mandates New Anti-Phishing Rules for Crypto Firms



The Hong Kong Securities and Futures Commission (SFC) has issued new rules aimed at reducing account takeovers on virtual asset trading platforms (VATPs) and online brokers. The regulator says platforms in the city must upgrade authentication controls to make logins more resilient to phishing and other social engineering tactics.



The SFC requires stronger phishing-resistant authentication methods and device binding, and it bans one-time passwords delivered via SMS, email, or app-based logins. Companies covered by the rules have 12 months to implement the changes, which the SFC frames as a key part of raising local cybersecurity standards as phishing activity intensifies globally.



Key takeaways



  • The SFC’s new requirements apply to virtual asset trading platforms (VATPs) and online brokers operating in Hong Kong.

  • One-time passwords through SMS, email, or app-based logins are prohibited for these platforms.

  • Phishing-resistant authentication and device binding are required, with options such as passkeys and hardware security keys.

  • Covered firms must complete implementation within 12 months from issuance.

  • The SFC linked the update to rising phishing and social engineering losses in the broader crypto industry.



What the SFC is requiring for crypto login security


In a statement released Thursday, the Hong Kong regulator outlined specific expectations for authentication on VATPs and online brokers. The SFC’s document sets out requirements for phishing-resistant methods and device binding, aiming to prevent attackers from hijacking accounts through fraudulent login prompts or compromised credentials.



According to the SFC, the new standards disallow one-time passwords delivered by SMS, email, or via app-based logins. Instead, the commission points to stronger alternatives designed to reduce the effectiveness of phishing scams—for example, passkeys, registered devices with cryptographic verification, and hardware security keys.



The formal requirements are available through the SFC’s publication gateway: SFC requirements document.



Why Hong Kong is tightening rules now


The SFC’s move arrives at a moment when phishing and social engineering incidents continue to disrupt crypto users worldwide. The SFC said that in the first quarter of 2026, phishing-related tactics accounted for a significant portion of reported industry losses.



As reported by Cointelegraph earlier, industry losses totaled $482 million in the period, with $306 million attributed to phishing attacks and social engineering scams. The SFC also referenced a separate local data point: counterfeiting and fraud incidents represented 57% of security incidents reported to the Hong Kong Cyber Security Accident Coordination Center in 2025.



In remarks carried in the SFC materials, Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission, said that protecting customers from increasingly complex counterfeiting and fraud attacks requires comprehensive measures spanning prevention, detection, response, and education.



Real-world phishing losses underscore the risk


The SFC’s tightening reflects a pattern already visible in recent crypto incidents: attackers often use phishing to trick users into signing approvals or connecting wallets to fraudulent pages. These actions can grant attackers control over funds or enable unauthorized transfers.



Cointelegraph reported on Wednesday that a crypto investor lost nearly $1 million after signing a malicious phishing token approval transaction on Ethereum. Earlier coverage also described another case in which a wallet holder reportedly lost $1.65 million after connecting to a fake exchange and signing a malicious contract that gave attackers unlimited access to funds. Researcher Ryan Coleman made the assessment in a post shared on X: RyanColeXBT.



Additional examples cited in earlier reporting highlight the variety of phishing delivery methods. Cointelegraph noted that on May 25, on-chain analyst “b-block” warned scammers used Google to deploy malicious phishing ads impersonating decentralized exchange Uniswap, reportedly stealing more than $400,000 from victims. That earlier report is here: Cointelegraph on fake Uniswap ads.



Broader industry leaders have also called attention to wallet security weaknesses that phishing exploits. Cointelegraph previously connected such risks to discussions from Binance co-founder Changpeng Zhao after major investor losses, including a $50 million address poisoning incident in December 2025. Earlier coverage on that topic is here: Zhao’s remarks and related loss.



Device binding and passkeys: what changes for users and platforms


Although phishing attacks often start with a message that looks legitimate, the SFC’s approach targets the authentication layer that attackers rely on. By requiring phishing-resistant authentication and device binding, the rules are designed to reduce the chances that credentials or approvals obtained through a scam lead directly to account compromise.



For platforms, the practical implication is that they cannot treat multi-factor authentication as a checkbox. The SFC’s explicit ban on SMS/email one-time passwords is especially important because these methods can still be vulnerable to social engineering and interception—scenarios where attackers focus on tricking users into providing the second factor or luring them into fraudulent flows.



Instead, the SFC highlights methods that tie authentication to trusted hardware or cryptographic verification. Passkeys, cryptographic device registration, and hardware security keys all share a common theme: the login mechanism should be harder for attackers to replicate via fraudulent prompts, and stronger controls should ensure that only authorized devices can complete authentication.



For Hong Kong users, the change may eventually translate into a more consistent login experience with fewer fallback authentication options. For investors and traders, stronger login security is not just a compliance issue; it can be a direct determinant of whether account takeover attempts succeed—particularly when platforms integrate authentication with deposit, withdrawal, and trading permissions.



Still, one key uncertainty remains: how quickly different VATPs and online brokers will choose among the SFC’s allowed phishing-resistant alternatives, and how smooth the migration will be for end users. With a 12-month deadline, platform execution and user onboarding processes will likely be crucial in determining how effectively the new rules reduce real-world phishing losses.



With the SFC setting a clear timeline and banning weaker authentication methods, attention should now turn to how quickly Hong Kong platforms roll out passkeys or device-bound cryptographic authentication—and whether regulators will later expand requirements as phishing tactics evolve.



https://www.cryptobreaking.com/hong-kong-regulator-mandates-new/?utm_source=blogger%20&utm_medium=social_auto&utm_campaign=Hong%20Kong%20Regulator%20Mandates%20New%20Anti-Phishing%20Rules%20for%20Crypto%20Firms%20

Comments

Popular posts from this blog

Mastercard Launches AI Agent Pay System With Ripple and Solana Help

Mastercard has launched Agent Pay for Machines, a payments system built for autonomous software agents. The service allows AI agents to send and receive payments without direct human action. It brings Ripple, Coinbase, and Solana Foundation into Mastercard’s push for automated digital commerce. Ripple Brings XRPL and RLUSD to Mastercard’s Agent Pay System Mastercard introduced Agent Pay for Machines on June 10 as a tool for machine-led payments. The system targets high-volume and low-value transactions across business and consumer use cases. It also supports automated settlement between software agents and connected machines. Ripple will support the system through the XRP Ledger and its RLUSD stablecoin. The company said that settlement will become more important as automated commerce grows. It also sees blockchain rails as useful for fast and rule-based payments. RippleX senior vice president Markus Infanger said XRPL and RLUSD support enterprise-grade agent payments. He said the tool...

Coinbase's x402 launches AI agents app store for payments

Coinbase-backed x402 has unveiled Agentic.market, a dedicated marketplace aimed at increasing the usefulness of AI agents by aggregating thousands of apps and services that agents can access without any API keys. The rollout positions the platform as a central hub for agents to discover, evaluate, and deploy capabilities across a standardized payments layer. Coinbase product lead Nick Prince described Agentic.market in a video posted on X as a storefront for discovering, comparing, and using x402 services. The marketplace is designed to give both humans and their AI agents access to a wide range of tools—from data feeds to consumer apps—without the friction of managing API credentials. A storefront for discovering, comparing, and using x402 services. Thousands of services. Zero API keys. Powered by x402. Prince added that the market offers a web interface for humans to browse and assess services, alongside a programming layer that lets AI agents autonomously search, filter, and integra...

Top Cryptocurrencies to Watch: BTC, ETH, BNB, XRP, Solana, Dogecoin & More

Market Analysis and Price Predictions for Key Cryptocurrencies Recent market dynamics reveal a cautious sentiment across the cryptocurrency landscape, with Bitcoin struggling to maintain levels above $90,000 and many major altcoins facing downward pressure. Indicators point toward reduced participation from both institutional and retail investors, raising concerns about a potential consolidation phase after notable gains earlier in the year. Bitcoin has fallen below $87,000, reflecting waning demand at higher price points. Institutional fund flows into BTC and ETH ETFs have turned negative, indicating a period of subdued market activity. Active addresses and Binance deposit/withdrawal activities are at annual lows, suggesting market indecision. Most leading altcoins are approaching support levels, with some poised for potential breakdowns. Tickers mentioned: Bitcoin, Ethereum, Binance Coin, XRP, Solana, Dogecoin, Cardano, Bitcoin Cash, Chainlink, Hyperliquid Sentiment: Neutral to Sli...