
Hong Kong's securities regulator set a one-year deadline for licensed crypto exchanges and online brokers to replace SMS OTPs with passkeys or device binding.
Alpha Score of 76 reflects strong overall profile with strong momentum, strong value, strong quality, moderate sentiment.
Hong Kong’s Securities and Futures Commission told licensed crypto trading platforms and online brokers to stop using SMS-based authentication within the next year. The new cybersecurity rules, announced Thursday, require firms to shift to phishing-resistant login methods.
The SFC identified passkeys, device binding using cryptographic verification, and hardware security keys as acceptable replacements. Licensed virtual asset trading platforms and online brokers have 12 months to complete the transition.
The mandate follows a period of heavy phishing losses across the crypto industry. Data cited by the SFC showed counterfeiting and fraud accounted for 57% of security incidents reported to Hong Kong’s Cyber Security Accident Coordination Center during 2025. Industry-wide, phishing attacks and social engineering scams drove $306 million of the crypto sector’s $482 million in total security losses in the first quarter of 2026, according to industry data.
Individual cases underscore the scale of the problem. A crypto investor lost nearly $1 million after approving a malicious token transaction on Ethereum, contributing to phishing-related losses that reached $366 million in the first half of 2026. Separately, researcher Ryan Coleman reported a wallet holder lost about $1.65 million after connecting to a fake exchange and signing a contract that gave attackers unlimited access. In May, on-chain analyst b-block warned that scammers used Google ads to impersonate Uniswap, stealing more than $400,000.
Binance co-founder Changpeng Zhao previously urged better security practices after an investor lost $50 million in an address-poisoning scam in December 2025.
The SFC’s move is the latest in a series of regulatory steps as Hong Kong expands its regulated digital asset market. Earlier this week, the SFC announced changes to the Certified Virtual Asset Platform Practitioner programme, separating the certification exam from the mandatory course and lowering fees. The program, administered by the Hong Kong Securities and Investment Institute, covers blockchain fundamentals, digital asset products, and anti-money laundering compliance.
Last month, the Hong Kong Monetary Authority confirmed that the first regulated stablecoins are expected to enter circulation between mid-2026 and the second half of 2026. The HKMA granted issuer licenses to two bank-backed institutions in April. The agency said the rollout follows the institutions’ existing business plans, and the licensing framework aims to support financial innovation while protecting users.
Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission, said financial institutions need coordinated prevention, detection, response, and education measures to protect customer accounts from increasingly sophisticated fraud attacks.
The SFC’s authentication mandate applies to all licensed virtual asset trading platforms and online brokers. The regulator said the stronger requirements respond directly to the rise in phishing and fraud affecting financial platforms. Licensed firms have until the first half of 2027 to comply.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.