Hong Kong’s Securities and Futures Commission (SFC) has recently implemented stringent new custody standards for virtual asset trading platforms in response to a series of global security incidents that led to over $3 billion in cryptocurrency losses in the first half of 2025.
The new guidelines outlined by the SFC set forth minimum requirements for wallet infrastructure, transaction verification, and access controls. These standards are part of the regulator’s efforts to prepare the industry for advanced custody technologies under its “ASPIRe” roadmap.
The move by the SFC comes amidst a concerning trend of crypto security breaches, with hackers managing to steal funds in a matter of seconds, outpacing the response times of exchange alert systems by 75 times. Just recently, on August 14, Turkish exchange BtcTurk fell victim to a suspected $48 million multi-chain attack on its hot wallets across seven blockchain networks, marking the second major breach for the exchange in over a year.
In the first half of 2025, global crypto losses amounted to $2.47 billion across 344 incidents, with wallet-related breaches contributing to $1.7 billion in losses from just 34 attacks. The largest single loss was recorded by the Bybit exchange at $1.5 billion in February, with infrastructure attacks making up 80% of stolen funds due to compromised private keys and inadequate access controls.
The Executive Director of Intermediaries at the SFC, Dr Eric Yip, stressed the importance of prioritizing client asset protection in light of the heightened global risks. The new custody standards aim to address vulnerabilities such as compromised third-party wallet solutions, insufficient transaction verification processes, and inadequate access controls over approval devices.
In a joint warning issued by the SFC and the Hong Kong Monetary Authority, investors were cautioned against making decisions based on misleading prospects of gains from short-term price volatility linked to stablecoin licensing speculation. Despite engaging with numerous interested parties, only a small number of stablecoin licenses will be granted initially, with 11 virtual asset platforms already licensed and nine under review as of July 30.
As the regulatory response intensifies in the face of growing attack sophistication, recovery efforts continue to lag behind. Hackers were found to move funds in 68% of cases before attacks were made public, with North Korea-linked groups like Lazarus responsible for $1.6 billion or 70% of total stolen amounts in the first half of 2025. Recovery efforts have only managed to recoup $187 million, representing a mere 4.2% of stolen funds.
Additionally, physical violence against crypto holders has seen a concerning uptick, with 32 “wrench attacks” reported globally in 2025. This trend, particularly prevalent in France, involves attackers targeting family members of crypto holders through kidnapping and mutilation attempts to extort ransom payments.
The SFC’s proactive measures to tighten crypto custody rules in response to the global security incidents demonstrate a commitment to safeguarding investor assets and enhancing industry resilience. The cryptocurrency landscape continues to evolve rapidly, and regulators are taking steps to adapt to the escalating threats posed by cybercriminals in order to protect the integrity of virtual asset trading platforms.