The Hong Kong Securities and Futures Commission (SFC) on Thursday issued up-to-date requirements for phishing-resistant authentication methods for virtual asset trading platforms (VATP) and online brokers in the special administrative region.
The up-to-date standards require stronger authentication methods that resist phishing and device-linking, while prohibiting the apply of one-time passwords via text messages, emails or app logins. Platforms must implement the changes within the next 12 months.
The requirements presented stronger alternatives such as access keys, cryptographic-verified registered devices and hardware security keys, which the SFC identified as phishing-resistant solutions.
The measures raise cybersecurity standards in Hong Kong as phishing attacks and social engineering scams increased in the global crypto industry in the first quarter of 2026. Such incidents accounted for $306 million of the industry’s total losses of $482 million during the period.
Spoofing and fraud attacks accounted for 57% of security incidents reported to the Hong Kong Cybersecurity Accident Coordination Center in 2025, according to the announcement.
“To protect customer accounts from increasingly complex and evolving counterfeit and fraud attacks, comprehensive measures combined with prevention, detection, response and education must be implemented,” said Dr. Ye Zhiheng, executive director of the Department of Intermediaries of the China Securities Regulatory Commission.
SFC issues up-to-date anti-phishing requirements for crypto platforms and online brokers. Source: apps.sfc.hk
Phishing attacks threaten the resources of cryptocurrency investors
Phishing attacks and social engineering scams are an urgent global problem for the cryptocurrency industry.
A crypto investor lost nearly $1 million on Wednesday after signing a transaction authorizing a malicious phishing token on Ethereum, the latest reported case of crypto industry losses related to phishing scams, which amounted to $366 million in the first half of 2026.
Earlier this month, a wallet holder reportedly lost $1.65 million after connecting to a bogus exchange and signing a malicious contract in a similar incident, allowing attackers to gain unlimited access to funds, according to researcher Ryan Coleman. he said on Friday.
Related: Belgian police arrested the leader of a phishing gang linked to the theft of PLN 572,000. dollars
On May 25, onchain analyst “b-block” warned that fraudsters used Google to deploy malicious phishing ads impersonating the decentralized exchange Uniswap and stealing more than $400,000 from victims.
Leading cryptocurrency industry figures, including Binance co-founder Changpeng Zhao, have previously called for better wallet security measures to avoid phishing scams, after an investor lost $50 million to an address poisoning scam in December 2025.
In May 2024, one victim lost $71 million to an address poisoning scam in an unusual case that ended with the attacker refunding the full amount two weeks later. The reversal came after mounting pressure from investigators who claimed they had traced the fraudster’s potential IP address.
Warehouse: Dubai Leads Asia’s Cryptocurrency Hubs, Taiwan Passes Cryptocurrency Laws: Asia Express
