Hong Kong SFC Tightens Crypto Custody Rules Amid $3B Global Theft Surge

Hong Kong’s Securities and Futures Commission (SFC) has introduced stricter custody requirements for virtual asset trading platforms (VATPs) in response to a surge in global crypto security breaches that have collectively resulted in over $3 billion in losses during the first half of 2025. The new rules, part of the SFC’s broader “ASPIRe” regulatory roadmap, mandate minimum standards for wallet infrastructure, transaction verification, and access controls, aiming to prevent vulnerabilities exposed in recent incidents [1].

The regulatory intervention comes in the wake of sophisticated attacks that have allowed hackers to move funds in under four seconds—75 times faster than typical exchange alert systems can respond. One recent example is the multi-chain attack on Turkish exchange BtcTurk, which saw an estimated $48 million stolen from its hot wallets across seven blockchain networks, marking the second major breach for the platform in 14 months [1]. Blockchain analytics firm Global Ledger reported that in 68% of cases, stolen funds were moved before the attacks became public knowledge, with one-quarter of funds fully laundered before any alerts were issued [1].

SFC’s Executive Director of Intermediaries, Dr. Eric Yip, emphasized that client asset protection must remain a top priority for all licensed VATPs as the threat landscape continues to evolve. The new standards specifically target vulnerabilities such as compromised third-party wallet solutions, inadequate transaction verification processes, and insufficient access controls over approval devices [1].

The regulatory tightening aligns with intensified global scrutiny of crypto infrastructure. North Korea-linked hacking groups, including Lazarus, have been responsible for $1.6 billion in losses—70% of the total stolen in the first half of 2025. These attacks are often timed to coincide with normal business hours, particularly around noon, when organizations experience staff transitions and reduced vigilance [1]. Infrastructure attacks on centralized exchanges have accounted for 54% of total losses, underscoring the critical need for enhanced custody frameworks [1].

Hong Kong’s regulatory landscape is also evolving rapidly. As of July 30, the SFC had licensed only 11 virtual asset platforms, with nine more under review. The government has accelerated tokenization initiatives, including gold tokens and money market funds, and is exploring real estate and private equity tokenization via the Project Ensemble infrastructure [1]. Despite interest from over 40 companies, only a limited number of stablecoin licenses will be issued initially, according to HKMA Chief Executive Eddie Yue [1].

However, the speed of crypto-related crime and the sophistication of attackers continue to outpace regulatory and legal responses. Only $187 million—4.2% of total losses—has been recovered through law enforcement, white-hat collaborations, and exchange cooperation. This highlights the urgent need for global regulatory coordination to match the cross-border and rapid nature of digital asset theft [1].

Source: [1] Hong Kong SFC Tightens Crypto Custody Rules After Global Security Incidents (https://cryptonews.com/news/hong-kong-sfc-tightens-crypto-custody-rules-after-global-security-incidents/)