Hong Kong SFC Pulls the Plug on OTPs: Passkeys or Pack Up in 12 Months 🔐
Hong Kong's Securities and Futures Commission on Thursday ordered virtual asset trading platforms (VATPs) and internet brokers to eliminate one-time password (OTP) logins delivered via SMS, email or app-based authentication, replacing them with phishing-resistant methods such as passkeys, cryptographically verified registered devices and hardware security keys. Platforms have 12 months to implement the changes, while large brokers must comply immediately. The regulator prohibited the use of OTPs outright, citing the rise in credential-based attacks against crypto users.
The directive responds to a record cybersecurity year in Hong Kong, where the Hong Kong Cyber Security Accident Coordination Center recorded 15,877 incidents in 2025, a 27% increase from the prior year and more than double the 7,752 logged in 2023. Phishing accounted for 57% of those incidents, followed by botnet attacks at 18% and malware at 15%. Globally, phishing and social engineering scams cost the crypto industry $306 million in Q1 2026 out of $482 million in total losses for the quarter.
Phishing incidents continue to mount across the crypto sector. On Wednesday, an investor lost nearly $1 million after signing a malicious token approval transaction on Ethereum ($ETH). Earlier this month, researcher Ryan Coleman reported that a wallet holder lost $1.65 million after connecting to a fake exchange and signing a malicious contract granting attackers unlimited access. On May 25, onchain analyst "b-block" warned that scammers used Google ads impersonating decentralized exchange Uniswap to steal more than $400,000 from victims. A HyperSwap user lost $12,300 to a fake airdrop phishing scam in under 90 seconds. In December 2025, Binance co-founder Changpeng Zhao called for improved wallet security after an investor lost $50 million in an address poisoning scam, following a separate May 2024 case in which a victim lost $71 million to address poisoning before the attacker returned the full amount two weeks later.
The SFC also required platforms to flag suspicious logins, trades and withdrawals and to notify clients of key account events. "To protect customer accounts from increasingly complex and changing counterfeiting and fraud attacks, comprehensive measures must be implemented in conjunction with prevention, detection, response and education," said Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission. SFC's Eric Yip said firms need robust authentication paired with fast incident response, adding that prevention alone rarely stops a determined attacker. The circular holds senior management directly liable for client losses tied to weak cybersecurity controls, and firms that miss the deadline risk enforcement action. The SFC had previously flagged OTP risks in February 2025 guidance.
Share Article
Quick Info
Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.
See our Terms of Service, Privacy Policy, and Editorial Policy.