Hong Kong’s securities regulator has banned one-time password logins for crypto buying and selling platforms. The rule targets phishing scams behind a surge within the area’s cybersecurity incidents.
The Securities and Futures Fee issued a round. It orders web brokers and crypto buying and selling platforms to drop SMS, e mail, and app-based OTPs.
Platforms should swap shopper logins and system binding to passkeys and different phishing-resistant strategies. Operators have 12 months to conform, although giant brokers should swap instantly. The SFC flagged OTP dangers again in February 2025 steering. This round now makes that shift necessary.
Phishing Fuels a Document Yr for Cyber Incidents
Hong Kong logged 15,877 cybersecurity incidents in 2025. The SFC says that marks a 27% soar from the prior yr. Phishing accounted for 57% of these circumstances. Botnet assaults adopted at 18%, and malware trailed at 15%.
The 2025 whole is greater than double the 7,752 incidents logged in 2023.
World phishing losses tied to crypto wallets hit roughly $306 million throughout Q1 2026 alone. Consequently, that determine pushed the SFC towards motion. Attackers more and more depend on stolen credentials moderately than technical exploits to focus on crypto customers. BeInCrypto tracked an identical sample this month, as a phishing signature drained $999,999 in USDT from a single Ethereum pockets.
New Guidelines Push Crypto Platforms Towards Passkeys
Platforms should flag suspicious logins, trades, and withdrawals. They need to notify purchasers of key account occasions, too. The SFC’s Eric Yip mentioned corporations want sturdy authentication paired with quick incident response. Nonetheless, prevention alone not often stops a decided attacker, he added.
In the meantime, decentralized crypto platforms face comparable threats. A faux airdrop phishing rip-off lately drained $12,300 from a HyperSwap consumer in below 90 seconds. Equally, a faux Uniswap phishing web site pulled roughly $400,000 from a number of wallets across the similar time. These circumstances present the OTP ban addresses solely a part of a broader credential theft drawback going through the crypto business.
World Regulators Face Identical Phishing Stress
The SFC now holds senior administration straight answerable for shopper losses. As well as, weak cybersecurity controls will set off that legal responsibility, a stricter normal than prior steering. Companies that miss the 12-month deadline threat enforcement motion and reputational harm throughout the crypto sector. Massive brokers face instant scrutiny below the brand new deadline.
Regulators elsewhere face the identical phishing stress. The FBI’s world cybercrime crackdown and Tether’s crypto crime asset freezes with TRON’s T3 unit each goal networks constructed on stolen credentials. Hong Kong’s ban now raises a transparent query for friends in Singapore, the UK, and past. Will different regulators comply with with their very own phishing-resistant mandates, or await losses to mount first?
The submit Hong Kong Bans SMS and Electronic mail Logins for Crypto Platforms: Will Different Regulators Comply with? appeared first on BeInCrypto.