Hong Kong Bans SMS and Email Logins for Crypto Platforms: Will Other Regulators Follow?

  • Hong Kong's SFC banned OTP logins for crypto platforms and brokers.
  • Phishing caused 57% of the region's 15,877 cyber incidents in 2025.
  • Operators must adopt passkeys or device binding within 12 months.
Promo

Hong Kong’s securities regulator has banned one-time password logins for crypto trading platforms. The rule targets phishing scams behind a surge in the region’s cybersecurity incidents.

The Securities and Futures Commission issued a circular. It orders internet brokers and crypto trading platforms to drop SMS, email, and app-based OTPs.

Platforms must switch client logins and device binding to passkeys and other phishing-resistant methods. Operators have 12 months to comply, though large brokers must switch immediately. The SFC flagged OTP risks back in February 2025 guidance. This circular now makes that shift mandatory.

Sponsored
Sponsored

Phishing Fuels a Record Year for Cyber Incidents

Hong Kong logged 15,877 cybersecurity incidents in 2025. The SFC says that marks a 27% jump from the prior year. Phishing accounted for 57% of those cases. Botnet attacks followed at 18%, and malware trailed at 15%.

The 2025 total is more than double the 7,752 incidents logged in 2023.

HKCERT Distribution of Incident Reports 2025
HKCERT Distribution of Incident Reports 2025. Source: HKCERT

Global phishing losses tied to crypto wallets hit roughly $306 million during Q1 2026 alone. Consequently, that figure pushed the SFC toward action. Attackers increasingly rely on stolen credentials rather than technical exploits to target crypto users. BeInCrypto tracked a similar pattern this month, as a phishing signature drained $999,999 in USDT from a single Ethereum wallet.

HKCERT Security Incident Reports 2025
HKCERT Security Incident Reports 2025. Source: HKCERT

New Rules Push Crypto Platforms Toward Passkeys

Platforms must flag suspicious logins, trades, and withdrawals. They must notify clients of key account events, too. The SFC’s Eric Yip said firms need robust authentication paired with fast incident response. Still, prevention alone rarely stops a determined attacker, he added.

Meanwhile, decentralized crypto platforms face similar threats. A fake airdrop phishing scam recently drained $12,300 from a HyperSwap user in under 90 seconds. Similarly, a fake Uniswap phishing site pulled roughly $400,000 from multiple wallets around the same time. These cases show the OTP ban addresses only part of a broader credential theft problem facing the crypto industry.

Global Regulators Face Same Phishing Pressure

The SFC now holds senior management directly liable for client losses. In addition, weak cybersecurity controls will trigger that liability, a stricter standard than prior guidance. Firms that miss the 12-month deadline risk enforcement action and reputational damage across the crypto sector. Large brokers face immediate scrutiny under the new deadline.

Regulators elsewhere face the same phishing pressure. The FBI’s global cybercrime crackdown and Tether’s crypto crime asset freezes with TRON’s T3 unit both target networks built on stolen credentials. Hong Kong’s ban now raises a clear question for peers in Singapore, the UK, and beyond. Will other regulators follow with their own phishing-resistant mandates, or wait for losses to mount first?


To read the latest cryptocurrency market analysis from BeInCrypto, click here.

Disclaimer

BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.

Sponsored
Sponsored