|

Hong Kong Bans SMS and Email Logins for Crypto Platforms: Will Other Regulators Follow?

Hong Kong’s securities regulator has banned one-time password logins for crypto buying and selling platforms. The rule targets phishing scams behind a surge within the area’s cybersecurity incidents.

The Securities and Futures Commission issued a circular. It orders web brokers and crypto buying and selling platforms to drop SMS, e mail, and app-based OTPs.

Platforms should swap consumer logins and gadget binding to passkeys and different phishing-resistant strategies. Operators have 12 months to conform, although giant brokers should swap instantly. The SFC flagged OTP dangers again in February 2025 steerage. This round now makes that shift obligatory.

Phishing Fuels a Record Year for Cyber Incidents

Hong Kong logged 15,877 cybersecurity incidents in 2025. The SFC says that marks a 27% soar from the prior yr. Phishing accounted for 57% of these instances. Botnet assaults adopted at 18%, and malware trailed at 15%.

The 2025 whole is greater than double the 7,752 incidents logged in 2023.

HKCERT Distribution of Incident Reports 2025. Source: HKCERT

Global phishing losses tied to crypto wallets hit roughly $306 million throughout Q1 2026 alone. Consequently, that determine pushed the SFC towards motion. Attackers more and more depend on stolen credentials slightly than technical exploits to focus on crypto customers. BeInCrypto tracked an identical sample this month, as a phishing signature drained $999,999 in USDT from a single Ethereum pockets.

HKCERT Security Incident Reports 2025. Source: HKCERT

New Rules Push Crypto Platforms Toward Passkeys

Platforms should flag suspicious logins, trades, and withdrawals. They should notify purchasers of key account occasions, too. The SFC’s Eric Yip mentioned corporations want sturdy authentication paired with quick incident response. Still, prevention alone not often stops a decided attacker, he added.

Meanwhile, decentralized crypto platforms face comparable threats. A fake airdrop phishing scam just lately drained $12,300 from a HyperSwap consumer in below 90 seconds. Similarly, a fake Uniswap phishing site pulled roughly $400,000 from a number of wallets across the identical time. These instances present the OTP ban addresses solely a part of a broader credential theft drawback going through the crypto trade.

Global Regulators Face Same Phishing Pressure

The SFC now holds senior administration immediately liable for consumer losses. In addition, weak cybersecurity controls will set off that legal responsibility, a stricter customary than prior steerage. Firms that miss the 12-month deadline threat enforcement motion and reputational injury throughout the crypto sector. Large brokers face instant scrutiny below the brand new deadline.

Regulators elsewhere face the identical phishing stress. The FBI’s global cybercrime crackdown and Tether’s crypto crime asset freezes with TRON’s T3 unit each goal networks constructed on stolen credentials. Hong Kong’s ban now raises a transparent query for friends in Singapore, the UK, and past. Will different regulators comply with with their very own phishing-resistant mandates, or wait for losses to mount first?

The publish Hong Kong Bans SMS and Email Logins for Crypto Platforms: Will Other Regulators Follow? appeared first on BeInCrypto.

Similar Posts