The Hong Kong Securities and Futures Commission has tightened identity verification rules for virtual asset trading platforms and online brokers. The new regulation requires more resistant methods against phishing attacks and prohibits the use of SMS, e-mail and application-based single-use passwords. The institution gave industry players 12 months to implement these changes.
What methods do the new rules highlight?
Within the scope of the regulation, pass keys, registered devices paired with cryptographic verification and hardware security keys stand out. SFC listed these tools among the solutions that are resistant to phishing attempts. The aim is to reduce the risks posed by protecting user accounts only with passwords or one-time codes.
Mini-dictionary: A passkey is a login method that uses device-based cryptographic authentication instead of a password. The hardware security key provides additional protection against fraudulent sites and links by verifying identity through a physical device.
The SFC acts as the primary regulatory body overseeing Hong Kong’s capital markets. The Commission’s latest step aims to raise the bar on cybersecurity against increasing identity fraud and fraud attempts, especially in digital asset transactions.
Executive Director of the Intermediaries Department of the China Securities Regulatory Commission, Dr. Ye Zhiheng stated that prevention, detection, response and training steps should be implemented together to protect customer accounts against increasingly sophisticated fraud and fraud attacks.
The increase in cyber attacks draws attention
In the first quarter of 2026, there was an increase in attacks caused by phishing and social engineering in the global crypto industry. These events accounted for $306 million of the total industry loss of $482 million recorded in the same period. According to data from the Hong Kong Cybersecurity Incident Coordination Center, fraud and fraud attacks accounted for 57% of security incidents reported in 2025.
Recent reported events in the crypto market also support this trend. On Wednesday, an investor lost nearly $1 million after signing a malicious token validation transaction on Ethereum. In the first half of 2026, total losses from phishing-related fraud alone reached $366 million.
Recent cases increase the pressure
Earlier in the month, it was reported that a wallet owner lost $1.65 million after connecting to a fake exchange and signing a malicious contract. Researcher Ryan Coleman said that with this transaction, the attackers gained unrestricted access to the funds. At the end of May, on-chain analyst b-block also announced that fraudsters were spreading malicious phishing links imitating Uniswap through Google ads, causing a loss of over 400 thousand dollars.
Leading names in the industry have long emphasized the need to strengthen wallet security. Some people, including Binance co-founder Changpeng Zhao, had called for stronger protection measures after an investor lost $ 50 million through address poisoning in December 2025.
In an extraordinary incident that occurred in May 2024, a user lost 71 million dollars due to an address poisoning attack, and the attacker returned all assets two weeks later. This comeback was influenced by the fact that investigators announced that they were tracking the suspect’s possible IP address.


