Hong Kong Regulator Cracks Down on Crypto Phishing with New Security Rules
The Hong Kong Securities and Futures Commission (SFC) has introduced new rules to enhance security for virtual asset trading platforms (VATPs) and online brokers. The regulations aim to reduce account takeovers on these platforms by requiring stronger phishing-resistant authentication methods and device binding.
According to the SFC, platforms in Hong Kong must upgrade their authentication controls to make logins more resilient to phishing and social engineering tactics. One-time passwords delivered via SMS, email, or app-based logins are prohibited under the new rules. Instead, stronger alternatives such as passkeys, registered devices with cryptographic verification, and hardware security keys will be used.
The SFC has given companies 12 months to implement these changes. The regulator frames the updates as a key part of raising local cybersecurity standards, which have been intensified by rising phishing activity globally. In the first quarter of this year, phishing-related tactics accounted for a significant portion of reported industry losses, totaling $482 million, with $306 million attributed to phishing attacks and social engineering scams.
The SFC's move reflects growing concerns about phishing and social engineering incidents in the crypto industry. Attacks often start with messages that look legitimate but aim to trick users into signing approvals or connecting wallets to fraudulent pages. This can grant attackers control over funds or enable unauthorized transfers.




