Finst

Hong Kong Bans SMS and Email Logins for Crypto Platforms

The SFC wants to reduce phishing and account takeovers after a record year of cyber incidents. Platforms will need to move to passkeys and other phishing-resistant logins.

Hong Kong Bans SMS and Email Logins for Crypto Platforms

Key Takeaways

  • Hong Kong’s SFC is banning OTP logins through SMS, email, and apps for crypto platforms and online brokers.
  • Platforms will have to switch to passkeys and other phishing-resistant methods, and major brokers must do it right away.
  • The move follows 15,877 cybersecurity incidents in Hong Kong in 2025, with phishing making up 57 percent of them.

Hong Kong’s Securities and Futures Commission is moving to phase out one-time password logins sent by SMS, email, and apps for crypto platforms and online brokers. The goal is to reduce phishing after a year of record cyber activity in the region. Platforms will need to adopt passkeys and other phishing-resistant login methods, while major brokers must comply immediately.

Stricter Login Rules

To enforce the change, the Securities and Futures Commission has issued a circular. Under the new rules, providers must link client logins to device binding and actively detect suspicious login attempts, trades, and withdrawals. Customers also have to be alerted more quickly when important account activity takes place.

The regulator said firms have 12 months to meet the new standards. Major brokers, however, are expected to comply right away. The SFC had already flagged the risks of OTP logins in February 2025, but it is now turning that warning into a formal requirement.

Phishing Is Driving the Move

The tougher stance follows 15,877 cybersecurity incidents in Hong Kong in 2025, a 27 percent increase from the previous year. Phishing was behind 57 percent of those cases. Botnets accounted for 18 percent, while malware made up 15 percent. Back in 2023, the total number of incidents was 7,752.

The SFC says the trend reflects growing pressure on the crypto industry as well. Across the market, phishing losses tied to crypto wallets in the first quarter of 2026 rose to about $306 million (€268 million). According to the regulator, attackers are relying more on stolen login details than on technical hacks.

What This Means for Crypto

For European crypto readers, the main point is that Hong Kong is placing more of the burden on service providers. The SFC says senior management could be held directly responsible for customer losses if security is not up to standard. That fits into a wider global push by regulators to crack down on phishing and account takeovers.

Hong Kong’s regulator has also previously blacklisted fake websites that posed as licensed crypto exchanges. In other words, this is about more than login security. It is part of a broader effort to build stronger defenses against scams and abuse around trading platforms.


Disclaimer: This content is for informational purposes only and does not constitute financial, investment, legal, or tax advice. The information provided may be incomplete, inaccurate, or outdated and should not be relied upon as such. Nothing on this website should be considered a recommendation to buy, sell, or hold any cryptocurrency. Investing in crypto-assets involves risk of loss.