Hong Kong regulator orders new anti-phishing measures for crypto platforms
Summary
Hong Kong’s Securities and Futures Commission (SFC) has ordered virtual asset trading platforms and online brokers to adopt phishing-resistant authentication and device-binding controls within 12 months. The new rules ban SMS, email, and app-based one-time passwords for logins and favor stronger methods such as passkeys, cryptographic device registration, and hardware security keys. The move is meant to raise cybersecurity standards as phishing and social-engineering attacks continue to drive major crypto losses worldwide. Recent industry data cited in the notice shows these attacks caused most losses in early 2026, underscoring the need for stronger account protection, detection, response, and user education.
