Hong Kong Bans OTP Logins for Crypto Platforms
Hong Kong Bans SMS and Email Logins for Crypto Platforms – New Authentication Rules Target Phishing-Driven Losses
Key Takeaways
- Hong Kong’s Securities and Futures Commission has banned SMS, email, and app-based one-time password logins for crypto trading platforms and internet brokers.
- Platforms must adopt passkeys or other phishing-resistant authentication methods within 12 months, while large brokers must comply immediately.
- Hong Kong recorded 15,877 cybersecurity incidents in 2025, a 27 percent year-on-year increase, with phishing accounting for 57 percent of cases.
- Senior management can now be held directly liable for client losses resulting from weak cybersecurity controls.
Hong Kong Regulator Makes Phishing-Resistant Logins Mandatory
Hong Kong’s Securities and Futures Commission, or SFC, has issued a circular requiring internet brokers and crypto trading platforms to discontinue the use of one-time passwords delivered via SMS, email, or authentication apps. The regulator has ordered firms to replace these methods with passkeys or other authentication solutions designed to resist phishing attacks.
Under the new rule, platforms must implement phishing-resistant login systems and apply similar protections to device binding procedures. Operators have 12 months to comply with the directive. However, large brokers are expected to switch immediately and face closer scrutiny under the updated framework.
The SFC had previously highlighted the risks of one-time password systems in guidance published in February 2025. The latest circular converts that earlier warning into a binding requirement.
For users of crypto trading services, the change means that familiar login methods based on temporary codes sent by text message or email will be phased out in favor of alternative authentication tools that are less vulnerable to credential theft.
Cybersecurity Incidents Surge as Phishing Dominates
The regulatory move follows a marked increase in reported cybersecurity incidents in Hong Kong. According to figures referenced by the SFC, the city recorded 15,877 cybersecurity incidents in 2025. This represents a 27 percent increase compared to the previous year.
Phishing was identified as the leading cause, accounting for 57 percent of reported cases. Botnet attacks made up 18 percent, while malware incidents represented 15 percent. The 2025 total is more than double the 7,752 incidents logged in 2023, indicating a sharp upward trend over a two-year period.
The SFC also cited global losses linked to crypto wallet phishing. In the first quarter of 2026 alone, phishing-related losses tied to crypto wallets reached approximately 306 million US dollars. Attackers increasingly rely on stolen credentials rather than exploiting technical vulnerabilities in blockchain protocols.
Recent examples illustrate this pattern. A phishing signature reportedly drained 999,999 USDT from a single Ethereum wallet. In separate cases, a fake airdrop scam removed 12,300 dollars from a HyperSwap user in less than 90 seconds, while a counterfeit Uniswap website extracted roughly 400,000 dollars from multiple wallets. These incidents reflect a broader shift toward social engineering tactics aimed at obtaining login credentials and authorizations.
New Compliance Duties and Management Liability
Beyond the authentication changes, the SFC circular introduces additional compliance obligations. Platforms must monitor and flag suspicious logins, trades, and withdrawal requests. They are also required to notify clients about key account events, reinforcing transparency around account activity.
The regulator has placed explicit responsibility on senior management. According to the SFC, weak cybersecurity controls can trigger direct liability for client losses. This marks a stricter standard compared to prior guidance and increases the governance burden on licensed operators.
Firms that fail to meet the 12-month implementation deadline risk enforcement action and reputational consequences within the crypto sector. Large brokers, which must comply immediately, face accelerated oversight.
For crypto platforms serving Hong Kong users, the changes affect both technical infrastructure and internal risk management. Authentication systems, incident response procedures, and client communication processes will need to align with the new standards.
Global Context: Regulators Respond to Credential-Based Crime
The SFC’s action comes amid wider enforcement efforts targeting credential-based cybercrime. Authorities in other jurisdictions are also addressing phishing and account takeover schemes. The US Federal Bureau of Investigation has conducted a global cybercrime crackdown, while Tether has worked with TRON’s T3 unit to freeze crypto assets linked to criminal activity.
These measures focus on networks that rely on stolen credentials to access wallets and trading accounts. The Hong Kong ban on one-time passwords addresses one specific vulnerability within this broader landscape.
At the same time, recent incidents involving decentralized platforms show that phishing risks are not limited to regulated intermediaries. Fake websites and fraudulent airdrops have been used to obtain wallet approvals and drain funds without breaching the underlying blockchain infrastructure.
For users of crypto trading platforms, sportsbooks, or other iGaming services that rely on digital asset payments, the development underscores the operational impact of cybersecurity policy. Login procedures and account recovery processes may change as operators adapt to phishing-resistant technologies.
Our Assessment
The SFC’s decision makes phishing-resistant authentication mandatory for crypto trading platforms and internet brokers in Hong Kong. The move follows a significant rise in cybersecurity incidents, with phishing representing the majority of reported cases in 2025. By banning SMS, email, and app-based one-time passwords and introducing direct management liability, the regulator has tightened technical and governance standards. The measure directly affects how platforms structure user logins, monitor suspicious activity, and manage accountability for client asset protection.
