Crypto Platforms in Hong Kong Face Mandate for Enhanced Phishing Protection
Cryptocurrency exchanges and digital brokers in Hong Kong have been directed by the financial regulator to implement advanced anti-phishing authentication systems over the coming year.

On Thursday, the Hong Kong Securities and Futures Commission (SFC) announced new mandates requiring virtual asset trading platforms (VATPs) and online brokers operating within the special administrative region to adopt phishing-resistant authentication technologies.
These newly established standards demand more robust authentication mechanisms that resist phishing attempts and incorporate device binding protocols, while simultaneously banning the utilization of one-time passwords delivered via SMS, email or application-based authentication systems. Virtual asset platforms are given a 12-month window to comply with these new directives.
Among the requirements are more secure alternatives including passkeys, cryptographically verified registered devices and physical hardware security keys, all of which the SFC has characterized as solutions resistant to phishing attempts.
These directives elevate Hong Kong's cybersecurity framework amid a surge in phishing attacks and social engineering schemes targeting the global cryptocurrency sector during the first quarter of 2026. Such attack vectors were responsible for $306 million of the industry's aggregate losses totaling $482 million throughout that timeframe.
According to the announcement, counterfeiting and fraud-based attacks represented 57% of all security incidents reported to the Hong Kong Cyber Security Accident Coordination Center throughout 2025.
To protect customer accounts from increasingly complex and changing counterfeiting and fraud attacks, comprehensive measures must be implemented in conjunction with prevention, detection, response and education.
Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission
Phishing attacks threaten crypto investor holdings
Social engineering scams and phishing attacks represent an urgent worldwide challenge confronting the cryptocurrency industry.
Just Wednesday, a cryptocurrency holder lost approximately $1 million following the signing of a malicious token approval transaction on Ethereum, marking the most recent reported case in a series of phishing scam incidents that have resulted in $366 million in crypto industry losses during the first six months of 2026.
Earlier in the month, a digital wallet owner purportedly lost $1.65 million after establishing a connection to a fraudulent exchange and authorizing a malicious smart contract in a comparable incident, which granted attackers unrestricted access to the funds, according to researcher Ryan Coleman's statement on Friday.
On May 25, onchain analyst "b-block" issued a warning that fraudsters leveraged Google to distribute malicious phishing advertisements masquerading as decentralized exchange Uniswap, allegedly draining more than $400,000 from victims.
Prominent crypto industry figures, including Binance co-founder Changpeng Zhao, have previously advocated for improved wallet security protocols to prevent phishing scams, following an incident in December 2025 where an investor lost $50 million in an address poisoning scam.
In May 2024, one victim lost $71 million to an address poisoning scam in an unusual case that ended with the attacker returning the full amount two weeks later. The reversal followed mounting pressure from investigators who claimed to have tracked the scammer's potential IP address.