After a Binance API key leak, the first step is to immediately delete the key in the app (a 5-second operation, globally effective), then check recent API call logs to find abuse records, change the account password, and strengthen future API security settings. The possibility of recovering funds from API abuse is slightly higher than if the account itself is stolen, because attackers usually use wash trading for arbitrage rather than direct withdrawal. Before operating your account, please verify your identity at the Binance Official Site, download the APK via the Binance Official App, and see the full-platform process at the Download Center. This article provides a complete response process.
What is an API key
The Binance API key is a "key" given to a program to automatically operate your account:
- API key (public key): Identifies identity
- API secret (private key): Signs requests
- Used together, they can call the Binance API for trading, querying, placing orders, and other operations
APIs are usually used for:
- Quantitative trading programs
- Third-party accounting tools
- Multi-account management tools
- Automated strategies (like grid trading, arbitrage)
Ways an API Key Is Leaked
Common leakage scenarios:
| Scenario | Probability |
|---|---|
| Accidentally committed to GitHub | High |
| Screenshot sharing containing the secret | Medium |
| Written in blog code examples | Medium |
| Network sniffing (unsecured WiFi) | Low |
| Program log leakage | Medium |
| Third-party tools being hacked | Medium |
A large number of "sensitive data scanning" bots on GitHub automatically look for leaked API keys and attempt to call them, so committing code with a secret to GitHub can be attacked within a few minutes.
Emergency Handling After a Leak
Step 1: Delete the API key immediately (Most Important)
Execute within 5 seconds, globally effective:
- Open the Binance App
- "Profile → Settings → API Management"
- Find the leaked API key
- Tap "Delete"
- Enter 2FA verification
Once deleted, the key becomes invalid immediately, and attackers can no longer use it to operate your account.
Step 2: Check Recent API Call Logs
- "API Management → the leaked key → Call Logs"
- View all calls within the past 24-72 hours
- Look for suspicious activity:
  - Calls from unfamiliar IPs
  - Abnormal trades (large amounts, losses)
  - Abnormal withdrawal attempts
Step 3: Check for Asset Losses
- Has the Spot wallet balance decreased?
- Were Futures positions abnormally closed?
- Are there unauthorized withdrawals?
- Are internal transfers abnormal?
Step 4: Change Account Password + Reset 2FA
If other sensitive information may have leaked together with the API key (for example, from the same repository, screenshot, or log):
- Change the account login password
- Reset Google Authenticator (in case the 2FA seed leaked along with the key)
Step 5: Contact Support to Report
- App "Customer Support → API Abuse Appeal"
- Provide:
  - The leaked API key (first 8 characters)
  - Screenshots of call logs
  - Details of asset losses
  - Measures you have already taken
Step 6: Check the Source of the Leak
- Figure out how the API key was leaked
- Fix the source (e.g., delete the public GitHub repository, recall screenshots)
- Prevent other sensitive information from leaking as well
Common Methods of API Attacks
1. Direct Withdrawal (Most Direct)
If your API key has "Withdrawal" permissions enabled:
- The attacker uses the API to initiate a withdrawal to their own wallet
- Funds are transferred away
Prevention: The API key should never have withdrawal permissions enabled (unless absolutely necessary for your business).
2. Wash Trading (Money Laundering)
More hidden and harder to spot:
- The attacker uses your API to place buy orders (at a high price) on a small-cap coin
- They place sell orders (at a low price) using their own account
- They match the trades, washing your USDT into their account
- It looks like an ordinary trading "loss," but your funds have actually been laundered into the attacker's account
Prevention:
- Disable "Spot Trading" permissions for the API key (unless you need it)
- Monitor your account transaction history
3. High-Frequency Small Order Depletion
- The attacker uses the API to place small orders at high frequency
- They intentionally incur losses, slowly depleting your account
- They don't transfer funds directly, but cumulative losses are large
Prevention:
- Set up API call frequency alerts
- Check trading statistics regularly
4. Leverage / Futures Liquidation
If the API has Futures permissions enabled:
- The attacker opens 100x leverage
- They intentionally make reverse trades
- They force your account into liquidation
Prevention:
- Do not enable Futures permissions for the API
- Do not hold large amounts of funds in the Futures account
Possibility of Asset Recovery
| Attack Type | Recovery Probability | Notes |
|---|---|---|
| On-chain Withdrawal | < 5% | Irreversible |
| Wash Trading | 30-50% | Possible to freeze the counterparty's account |
| Internal Transfer | 50-70% | Customer support can freeze |
| Futures Liquidation | < 10% | Loss already realized |
The probability of recovery from API abuse is slightly higher than direct account theft, because:
- Most API attacks involve wash trading (assets don't leave the Binance system)
- Customer support can freeze the counterparty's account
- On-chain evidence is complete
But don't get your hopes up: prevention is always easier than recovery.
Security Best Practices for Creating an API Key
1. Bind an IP Whitelist (Most Critical)
Check "Enable IP Whitelist" when creating the API key:
- Only specified IPs are allowed to call this key
- Even if the key is leaked, attackers cannot use it from other IPs
- If your server IP is fixed, this is a must-have
An IP whitelist only works with a static IP. If you use a dynamic IP (home broadband), you can leave it off, but the risk increases.
2. Disable Unnecessary Permissions
API key permission options:
- Spot / Margin Trading: Enable as needed
- Futures Trading: Enable as needed (high risk)
- General Withdrawal: Disabled by default (unless business requires)
- Internal Transfer: Enable as needed
Principle of least privilege: Only enable what you use.
3. Regular Rotation
Every 3-6 months:
- Delete the old API key
- Generate a new key
- Update it in your program
Prevents a leaked key from being abused over a long period.
4. Do Not Commit to Public Repositories
When using code version control:
- Put the API key in a .env file
- Add .env to .gitignore
- Load it using environment variables
Absolutely never hardcode it into your code.
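The following is an added example (not code from the original article or from Binance) showing the three pieces above in working form: reading the key pair from environment variables populated by a .env file, building the HMAC SHA-256 request signature that the default key type uses (the secret signs the query string and is never sent), and a simple pre-commit style scan that flags quoted 64-character tokens in source text. The environment variable names, the assumption that keys are 64 alphanumeric characters, and the sample values are this example's own assumptions.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import urlencode

# Assumed variable names (set them in .env, which is listed in .gitignore).
KEY_VAR = "BINANCE_API_KEY"
SECRET_VAR = "BINANCE_API_SECRET"

# Constructed placeholder secret for offline demonstration; not a real key.
SAMPLE_SECRET = "s" * 64


def load_credentials(env=None):
    """Return (api_key, api_secret) from environment variables.

    Raises instead of falling back to a literal, so a program can never
    silently run with a key that was pasted into the source.
    """
    env = os.environ if env is None else env
    try:
        return env[KEY_VAR], env[SECRET_VAR]
    except KeyError as missing:
        raise RuntimeError(f"missing credential {missing}; put it in .env, not in code") from None


def sign_query(secret, params):
    """Append the HMAC SHA-256 signature (hex) of the urlencoded query string.

    This is the 'HMAC SHA-256' key type: the client proves it holds the secret
    without transmitting it; only the key id and the signature go on the wire.
    """
    query = urlencode(params)
    signature = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return f"{query}&signature={signature}"


def signature_is_valid(secret, signed_query):
    """Server-side view: recompute the signature and compare in constant time."""
    query, _, signature = signed_query.rpartition("&signature=")
    expected = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


# Assumed shape of a Binance key or secret: 64 letters/digits inside quotes.
HARDCODED_KEY = re.compile(r"""["']([A-Za-z0-9]{64})["']""")


def find_hardcoded_secrets(source):
    """Return 1-based line numbers of a source file that contain a quoted key-like token.

    Run over the files staged for commit; a non-empty result should block the commit.
    """
    return [n for n, line in enumerate(source.splitlines(), 1) if HARDCODED_KEY.search(line)]


if __name__ == "__main__":
    signed = sign_query(SAMPLE_SECRET, {"symbol": "BTCUSDT", "timestamp": 1700000000000})
    print(signed)
    print("valid:", signature_is_valid(SAMPLE_SECRET, signed))
    print("hardcoded secret on lines:", find_hardcoded_secrets('key = "' + "A" * 64 + '"'))
```

A leaked key is useless to anyone who cannot also produce the signature, which is why the secret must stay in the environment and out of the repository; the scanner is the cheap local counterpart to the GitHub bots mentioned earlier, run before a push rather than after.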
5. Monitor Call Logs
Regularly (weekly/monthly) check API call logs:
- Are the IPs as expected?
- Is the call frequency normal?
- Are there calls during unusual hours?
Handle anomalies immediately.
6. Set Up Alerts
Some quantitative platforms support alerts:
- Alert when API call frequency exceeds a threshold
- Alert when calls from unfamiliar IPs appear
- Large trade alerts
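An added example (not from the original article or any platform's own tooling) of the checks described in Step 2, "Monitor Call Logs" and "Set Up Alerts": it runs over constructed call-log records and reports calls from IPs outside the expected set, calls outside the hours the strategy normally runs, calls to withdrawal or transfer endpoints, and per-minute call bursts above a threshold. The record layout, the expected IP, the normal-hours window, the threshold and the endpoint paths are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime

# Operator configuration (assumed values for this example).
KNOWN_IPS = {"203.0.113.10"}               # the bot server; documentation address range
NORMAL_HOURS_UTC = range(6, 23)            # hours the strategy is expected to be active
MAX_CALLS_PER_MINUTE = 30                  # call-frequency alert threshold
SENSITIVE_PREFIXES = (                     # assumed paths for withdrawal / internal transfer
    "/sapi/v1/capital/withdraw",
    "/sapi/v1/asset/transfer",
)

# Constructed sample log: (ISO-8601 UTC timestamp, source IP, endpoint path).
SAMPLE_LOG = [
    ("2024-05-01T09:00:05+00:00", "203.0.113.10", "/api/v3/order"),
    ("2024-05-01T09:00:07+00:00", "203.0.113.10", "/api/v3/account"),
    ("2024-05-01T03:12:00+00:00", "198.51.100.7", "/api/v3/order"),
    ("2024-05-01T03:12:30+00:00", "198.51.100.7", "/sapi/v1/capital/withdraw/apply"),
]


def audit_call_log(records, known_ips=KNOWN_IPS, normal_hours=NORMAL_HOURS_UTC,
                   max_per_minute=MAX_CALLS_PER_MINUTE):
    """Return a list of (kind, timestamp, ip, detail) alerts for a call log.

    kinds: unknown_ip, off_hours, sensitive_endpoint, burst
    """
    alerts = []
    per_minute = Counter()
    for ts, ip, endpoint in records:
        when = datetime.fromisoformat(ts)
        if ip not in known_ips:
            alerts.append(("unknown_ip", ts, ip, endpoint))
        if when.hour not in normal_hours:
            alerts.append(("off_hours", ts, ip, endpoint))
        if endpoint.startswith(SENSITIVE_PREFIXES):
            alerts.append(("sensitive_endpoint", ts, ip, endpoint))
        per_minute[(ip, when.replace(second=0, microsecond=0))] += 1
    # Frequency check is done per (ip, minute) after the pass, so one stray
    # call never trips it but a high-frequency order loop does.
    for (ip, minute), count in sorted(per_minute.items(), key=lambda kv: kv[0][1]):
        if count > max_per_minute:
            alerts.append(("burst", minute.isoformat(), ip, f"{count} calls in one minute"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the figure an operator would page on."""
    return dict(Counter(kind for kind, *_ in alerts))


if __name__ == "__main__":
    for alert in audit_call_log(SAMPLE_LOG):
        print(alert)
    print(summarize(audit_call_log(SAMPLE_LOG)))
```

In the sample log, the two calls from 198.51.100.7 at 03:12 UTC are exactly the pattern to act on: an unfamiliar IP, outside trading hours, followed by a withdrawal endpoint. Any unknown_ip or sensitive_endpoint alert on a key that should have neither is a reason to delete the key first and investigate afterwards.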
Choosing the API Key Type
Binance offers two API key types:
1. HMAC SHA-256 (Default)
- Fast generation
- Good compatibility
- Supported by most programs
- Disadvantage: The secret must be stored by the client program
2. Ed25519 Public Key Authentication
- More secure
- The private key is only generated locally and not transmitted
- Supported by some newer tools
- Disadvantage: Slightly poorer compatibility
If you are using the latest quantitative tools, prioritize Ed25519 for better security.
Risks of Third-Party Tools
Giving your API key to third-party tools (like third-party accounting software, quantitative platforms):
Risks
- The third-party platform gets hacked → Your API key is stolen
- Malicious employees at the third-party platform → Your funds are laundered
- The third-party platform runs away → The API key remains in their database
Protection
- API keys given to third parties must have withdrawal permissions disabled
- Prioritize reputable tools (like 3Commas, Bitsgap)
- Regularly check the access logs of third-party tools
- Immediately delete the corresponding key when you stop using a tool
Frequently Asked Questions
Q: How long does it take for a deleted API key to take effect?
A: It takes effect immediately (seconds, globally). After deletion, any call using that key will be rejected.
Q: Can I temporarily disable it without deleting it?
A: Yes. There is an "Enable/Disable" toggle in "API Management"; disabling takes effect immediately, and the key can be re-enabled when needed.
Q: The API key was leaked but I don't see any asset loss. Do I still need to deal with it?
A: You must delete it immediately. Attackers may be analyzing your account and waiting for the right moment to strike.
Q: Does losing money with a quant API strategy count as being attacked?
A: It depends on the specific reason. If it is a loss from your own strategy, it is normal risk. If the API is abused by a stranger, it is an attack. The key to distinguishing the two is the IP in the call logs.
Q: Can I limit the API key to only place small orders?
A: You cannot directly limit the amount, but you can: ① use an IP whitelist, ② disable withdrawal permissions, ③ set daily trading limits (supported by some quantitative platforms).
Q: Can I get compensation from customer support for quant strategy losses?
A: No. Binance provides the tool (the API); the risk of strategies executed with the tool is borne by the user.
Summary
After a Binance API key leak, deleting it within 5 seconds is the critical operation (takes effect globally immediately). Subsequently, check the call logs, change your password, and contact customer support. The probability of recovering funds from API abuse is 30-50% (higher than < 5% for account theft), because most attacks are wash trades rather than direct withdrawals. Prevention is the most important: When creating an API key, you must bind an IP whitelist + disable withdrawal permissions + minimize permissions, rotate the key every 3-6 months, never commit the secret in a public code repository, and regularly check call logs. API keys for third-party tools must be strictly permission-limited (absolutely disable withdrawals).