Hong Kong SFC Mandates Phishing-Resistant Authentication for Crypto Platforms

Hong Kong SFC Mandates Phishing-Resistant Authentication for Crypto Platforms

First seen 9 Jul 2026, 18:11 UTC KucoinBitget 83% similarity 69.5

Article Content

Browse articles
ThreatCluster

On July 9, 2026, the Hong Kong Securities and Futures Commission (SFC) issued new regulations requiring virtual asset trading platforms (VATPs) and online brokers to implement phishing-resistant authentication methods. The SFC prohibits one-time passwords (OTPs) via SMS, email, or app-based logins, mandating alternatives like passkeys and device binding within 12 months. This decision comes amid a rise in phishing attacks, which accounted for $306 million of the $482 million total losses in the crypto industry in Q1 2026. In 2025, spoofing attacks represented 57% of reported security incidents in Hong Kong. The new measures aim to enhance customer account protection against increasingly sophisticated fraud tactics. The SFC's directive reflects a growing global concern over phishing scams in the cryptocurrency sector.

Key Points: • Hong Kong's SFC mandates stronger authentication methods for crypto platforms. • Phishing attacks accounted for $306 million of crypto losses in Q1 2026. • The new regulations prohibit OTPs and require alternatives like passkeys within 12 months.

ThreatCluster AI

Timeline

2025-01-01
Phishing attacks surge in crypto industry
Phishing scams led to $306 million in losses in Q1 2026, highlighting vulnerabilities in the sector.
Bitget
2025-12-31
57% of security incidents due to spoofing
Hong Kong Cyber Security Incident Coordination Centre reported that spoofing attacks accounted for 57% of incidents in 2025.
Kucoin
2026-07-09
SFC issues new anti-phishing regulations
The SFC requires crypto platforms to adopt phishing-resistant methods and phase out OTPs within 12 months.
Bitget

Community

Browse all →