Hong Kong's SFC Just Kicked SMS OTPs to the Curb — Phishers, Find a New Side Hustle 🎣
Hong Kong's Securities and Futures Commission on Thursday ordered virtual asset trading platforms and online brokers operating in the special administrative region to deploy phishing-resistant authentication and to retire one-time passwords sent via SMS, email or app-based login channels. Platforms have 12 months to comply. Permitted alternatives include passkeys, devices registered through cryptographic verification, and hardware security keys, all of which the SFC described as phishing-resistant solutions.
The directive lands against a backdrop of mounting industry losses. Phishing attacks and social engineering scams accounted for $306 million of the $482 million in total crypto losses recorded in the first quarter of 2026, according to figures cited in the SFC's announcement. Counterfeiting and fraud incidents made up 57% of the security events reported to the Hong Kong Cyber Security Accident Coordination Center in 2025.
"To protect customer accounts from increasingly complex and changing counterfeiting and fraud attacks, comprehensive measures must be implemented in conjunction with prevention, detection, response and education," said Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission, as quoted in the SFC release.
Individual incidents continue to pile up. On Wednesday, a crypto investor lost nearly $1 million after signing a malicious phishing token approval transaction on Ethereum ($ETH), contributing to first-half 2026 phishing-related losses of $366 million. Earlier in the same week, researcher Ryan Coleman reported a wallet holder lost $1.65 million after connecting to a fake exchange and signing a malicious contract that granted attackers unlimited access to the funds. On May 25, onchain analyst "b-block" warned that scammers had used Google to run malicious phishing ads impersonating the Uniswap decentralized exchange, stealing more than $400,000 from victims.
Industry figures, including Binance co-founder Changpeng Zhao, have previously called for stronger wallet security after an investor lost $50 million in an address poisoning scam in December 2025. A separate May 2024 address poisoning case resulted in a $71 million loss, unusual in that the attacker returned the full sum two weeks later, according to reports. The SFC's new rules, published at apps.sfc.hk, set a 12-month clock for platforms to overhaul their authentication infrastructure.
Share Article
Quick Info
Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.
See our Terms of Service, Privacy Policy, and Editorial Policy.