Login
Sign Up
Woofun AI reports that the Hong Kong Securities and Futures Commission (SFC) has mandated virtual asset trading platforms (VATPs) and online brokers to adopt phishing-resistant authentication methods, explicitly prohibiting one-time passwords via SMS, email, or app-based logins within a 12 months implementation timeline. The regulatory directive enforces device binding and requires stronger alternatives such as passkeys, registered devices with cryptographic verification, and hardware security keys to secure user accounts against increasingly sophisticated threats.
The timing of this mandate coincides with a sharp escalation in global industry vulnerabilities, where phishing attacks and social engineering scams accounted for $306 million of the $482 million total industry losses recorded in the first quarter of 2026.
Woofun AI data shows that these specific attack vectors now represent the dominant source of capital erosion, prompting regulators to elevate cybersecurity standards beyond traditional compliance frameworks. The SFC identified these technical upgrades as essential phishing-resistant solutions to mitigate the rising frequency of unauthorized access incidents.
Locally, the urgency is underscored by statistics from the Hong Kong Cyber Security Accident Coordination Center, which recorded that counterfeiting and fraud attacks comprised 57% of all security incidents reported in 2025. Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission, emphasized that protecting customer accounts requires comprehensive measures integrating prevention, detection, response, and education. This holistic approach aims to address the complex and evolving nature of digital fraud that continues to target retail and institutional participants alike.
Recent high-value incidents in the first half of 2026 further illustrate the severity of the threat landscape, with total phishing-related losses reaching $366 million. On Wednesday, a crypto investor suffered a nearly $1 million loss after approving a malicious phishing token approval transaction on Ethereum. Earlier this month, researcher Ryan Coleman noted on Friday that a wallet holder lost $1.65 million after connecting to a fake exchange and signing a malicious contract that granted attackers unlimited access to their funds.
Specific scam vectors have also evolved to exploit trusted interfaces, such as when onchain analyst "b-block" warned on May 25 that scammers used Google to deploy malicious phishing ads impersonating decentralized exchange Uniswap, stealing more than $400,000 from victims. Industry leaders like Binance co-founder Changpeng Zhao have long advocated for enhanced wallet security measures, particularly following a December 2025 incident where an investor lost $50 million in an address poisoning scam. These recurring exploits highlight the persistent gaps in user-side security protocols despite broader industry awareness.
Historical precedents suggest that while some cases may see partial recovery, the systemic risk remains high. In May 2024, a victim lost $71 million to an address poisoning scam, but the attacker returned the full amount two weeks later after investigators tracked the scammer’s potential IP address. This rare resolution underscores the difficulty of recovering funds in most cases, reinforcing the necessity of proactive regulatory mandates like the SFC’s new authentication requirements.