Hong Kong’s securities regulator has banned one-time password logins for crypto trading platforms. The rule targets phishing scams behind a surge in the region’s cybersecurity incidents.
The Securities and Futures Commission issued a circular. It orders internet brokers and crypto trading platforms to drop SMS, email, and app-based OTPs.
Platforms must switch client logins and device binding to passkeys and other phishing-resistant methods. Operators have 12 months to comply, though large brokers must switch immediately. The SFC flagged OTP risks back in February 2025 guidance. This circular now makes that shift mandatory.
Phishing Fuels a Record Year for Cyber Incidents
Hong Kong logged 15,877 cybersecurity incidents in 2025. The SFC says that marks a 27% jump from the prior year. Phishing accounted for 57% of those cases. Botnet attacks followed at 18%, and malware trailed at 15%.
The 2025 total is more than double the 7,752 incidents logged in 2023.
Global phishing losses tied to crypto wallets hit roughly $306 million during Q1 2026 alone. Consequently, that figure pushed the SFC toward action. Attackers increasingly rely on stolen credentials rather than technical exploits to target crypto users. BeInCrypto tracked a similar pattern this month, as a phishing signature drained $999,999 in USDT from a single Ethereum wallet.
New Rules Push Crypto Platforms Toward Passkeys
Platforms must flag suspicious logins, trades, and withdrawals. They must notify clients of key account events, too. The SFC’s Eric Yip said firms need robust authentication paired with fast incident response. Still, prevention alone rarely stops a determined attacker, he added.
Meanwhile, decentralized crypto platforms face similar threats. A fake airdrop phishing scam recently drained $12,300 from a HyperSwap user in under 90 seconds. Similarly, a fake Uniswap phishing site pulled roughly $400,000 from multiple wallets around the same time. These cases show the OTP ban addresses only part of a broader credential theft problem facing the crypto industry.
Global Regulators Face Same Phishing Pressure
The SFC now holds senior management directly liable for client losses. In addition, weak cybersecurity controls will trigger that liability, a stricter standard than prior guidance. Firms that miss the 12-month deadline risk enforcement action and reputational damage across the crypto sector. Large brokers face immediate scrutiny under the new deadline.
Regulators elsewhere face the same phishing pressure. The FBI’s global cybercrime crackdown and Tether’s crypto crime asset freezes with TRON’s T3 unit both target networks built on stolen credentials. Hong Kong’s ban now raises a clear question for peers in Singapore, the UK, and beyond. Will other regulators follow with their own phishing-resistant mandates, or wait for losses to mount first?
The post Hong Kong Bans SMS and Email Logins for Crypto Platforms: Will Other Regulators Follow? appeared first on BeInCrypto.






