If you are reading this, you may have discovered or suspect that your Binance API Key has been compromised. Whether the key was inadvertently committed to a public GitHub repository or entered into a suspicious third-party tool, immediate action is required. Access the Binance Official Website or open the Binance Official App and follow the steps below immediately. For iPhone users who have not yet installed the application, please refer to the iOS Installation Guide for rapid deployment.
Immediate Actions
Time is of the essence when an API Key is leaked.
Delete the Compromised API Key Immediately
After logging into Binance, navigate to the API Management page. Locate the leaked API Key and delete it without delay. Do not attempt to investigate its usage first; every second of hesitation provides an attacker with an opportunity to execute unauthorized operations.
If you are uncertain which key was compromised, delete all existing API Keys. It is safer to recreate them later than to leave a high-risk key active.
Audit Account Assets
After deleting the API Key, immediately inspect your account balance. Check the Spot, Futures, and Earn accounts for any anomalous changes. Pay close attention to unfamiliar trade records or withdrawal history.
Review Trade History
Access the trade history page and carefully examine recent transactions for any unauthorized activity. When an API Key is compromised, attackers typically execute one of two operations: a direct withdrawal (if withdrawal permissions were enabled), or moving value to accounts they control through wash trading (using your account to buy high and sell low against their own orders, so that the price difference ends up with the attacker).
Examine Withdrawal Records
Review the withdrawal history for any unrecognized withdrawal operations. If unauthorized withdrawals are detected, contact Binance Customer Support immediately to report the incident.
Common Causes of API Key Leaks
Understanding the source of the leak is essential to preventing future occurrences.
Code Repository Leaks
This is the most frequent cause of compromise. Developers often hardcode API Keys within trading bots and inadvertently push them to public GitHub repositories. Automated scanners constantly monitor GitHub for API Keys; a leaked key can be detected and exploited within minutes of being pushed.
Third-Party Tool Leaks
Some third-party trading tools, quantitative platforms, or copy-trading systems require an API Key for operation. If these platforms have inadequate security measures or are fraudulent, the API Key becomes compromised.
System Intrusion
If a computer is infected with malware or spyware, locally stored API Keys may be exfiltrated. Keys stored in plaintext configuration files are particularly vulnerable to such attacks.
Social Engineering
Attackers may impersonate Binance customer support or technical staff, requesting API Keys under the pretext of debugging a bot or resolving a technical issue. It is important to note that legitimate support personnel will never request your API Keys.
Screenshots or Chat Logs
Inadvertently exposing an API Key in screenshots shared during technical discussions or in unredacted error logs posted in public forums can lead to immediate leaks.
Recreating API Keys Post-Deletion
Once the compromised keys are deleted, new API Keys can be generated with enhanced security settings.
Creation Process
Click "Create API Key" on the API Management page and assign a descriptive label, such as "Quant-Trading" or "Data-Query." Identity verification (e.g., Google Authenticator or SMS) is required to confirm the creation.
Upon successful creation, the API Key and Secret Key will be displayed. The Secret Key is shown only once and cannot be retrieved after the page is closed. Securely store it in a password manager.
Principle of Least Privilege
When creating an API Key, adhere to the principle of least privilege: enable only the necessary permissions and disable all others.
- For market data and account information monitoring, enable only "Read" permissions. Do not enable "Spot & Margin Trading" or "Withdrawals."
- For automated trading, enable "Read" and "Spot & Margin Trading" permissions. Do not enable "Withdrawals."
Withdrawal permission is the most dangerous. Unless there is a specific requirement supported by robust security measures, do not enable withdrawal permissions for an API Key.
IP Whitelisting
This is the most critical security configuration. When creating or editing an API Key, configure the IP access restriction. This ensures that only requests originating from whitelisted IP addresses are accepted.
If your trading bot runs on a server with a static IP, add that IP to the whitelist. For home use, determine your public IP and whitelist it (bearing in mind that residential IPs may change).
With IP whitelisting enabled, an attacker cannot utilize the API Key even if it is leaked, as their IP address will not match the authorized list. This is currently the most effective defense for API security.
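As an added example (not Binance's own code), the following audit applies the two rules above, least privilege and a mandatory IP whitelist, to a key's restriction set. The field names mirror the shape of Binance's GET /sapi/v1/account/apiRestrictions response as I understand it and are an assumption; the sample inventory and the purpose labels are constructed.

```python
# Added example, not Binance's own code. Audits an API key's restriction flags
# against the purpose it was created for (least privilege) and requires an IP
# whitelist. Field names follow the apiRestrictions response as assumed here.

# Permissions each purpose legitimately needs; anything else enabled is excess.
PURPOSE_ALLOWED = {
    "data-query": {"enableReading"},
    "quant-trading": {"enableReading", "enableSpotAndMarginTrading"},
}

# Flags that are always a finding: withdrawal-class rights never belong on a bot key.
HIGH_RISK_FLAGS = {"enableWithdrawals", "enableInternalTransfer"}

def audit_key(label, purpose, restrictions):
    """Return a list of findings for one key; an empty list means it is compliant."""
    findings = []
    allowed = PURPOSE_ALLOWED.get(purpose)
    if allowed is None:
        return [f"{label}: unknown purpose '{purpose}', define its allowed permission set"]
    if not restrictions.get("ipRestrict", False):
        findings.append(f"{label}: no IP whitelist; a leaked key is usable from anywhere")
    for flag, enabled in restrictions.items():
        if not flag.startswith("enable") or not enabled:
            continue
        if flag in HIGH_RISK_FLAGS:
            findings.append(f"{label}: {flag} is on; withdrawal/transfer rights should not be granted")
        elif flag not in allowed:
            findings.append(f"{label}: {flag} exceeds what '{purpose}' needs")
    return findings

# Constructed sample inventory: label -> (purpose, restriction flags as returned by the API).
SAMPLE_KEYS = {
    "Data-Query": ("data-query", {"ipRestrict": True, "enableReading": True,
                                  "enableSpotAndMarginTrading": False, "enableWithdrawals": False}),
    "Quant-Trading": ("quant-trading", {"ipRestrict": False, "enableReading": True,
                                        "enableSpotAndMarginTrading": True, "enableWithdrawals": True,
                                        "enableFutures": True}),
}

def audit_inventory(keys=SAMPLE_KEYS):
    """Audit every key and return {label: [findings]}."""
    return {label: audit_key(label, purpose, r) for label, (purpose, r) in keys.items()}

if __name__ == "__main__":
    for label, findings in audit_inventory().items():
        print(label, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```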
Best Practices for API Key Management
Adopt the following practices to ensure long-term security.
Avoid Hardcoding
Never embed API Keys directly into source code. Instead, use environment variables or local configuration files. Ensure that configuration files are included in the .gitignore file to prevent them from being committed to version control systems.
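A pre-commit style scan that catches the hardcoding pattern before it reaches a repository, as an added example that is not Binance's or any project's own code. It assumes Binance API keys and secrets are 64-character alphanumeric strings; the variable-name list and the sample source are constructed.

```python
# Added example, not Binance's own code. Flags literal API credentials in source
# text so a pre-commit hook can block the commit. Assumption: keys and secrets
# are 64 alphanumeric characters; extend NAME patterns to match your code base.
import re

KEY_PATTERN = re.compile(r"""
    (?P<name>[A-Za-z_]*(?:api[_-]?key|secret)[A-Za-z_]*)   # suspicious variable name
    \s*[=:]\s*['"]?(?P<value>[A-Za-z0-9]{64})['"]?         # 64-char literal value
""", re.IGNORECASE | re.VERBOSE)

# Lines that read the value from the environment are the recommended pattern; skip them.
ENV_HINTS = ("os.environ", "getenv", "dotenv")

def find_hardcoded_keys(source):
    """Return (line_number, variable_name, masked_value) for each literal credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(hint in line for hint in ENV_HINTS):
            continue
        for match in KEY_PATTERN.finditer(line):
            value = match.group("value")
            # Never echo the full secret into hook output or CI logs; mask it.
            findings.append((lineno, match.group("name"), value[:4] + "..." + value[-4:]))
    return findings

# Constructed sample: lines 1 and 2 are hardcoded credentials, line 3 is the good pattern.
SAMPLE_SOURCE = '''\
BINANCE_API_KEY = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
api_secret: 'fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'
API_KEY = os.environ["BINANCE_API_KEY"]   # read from the environment, not flagged
'''

if __name__ == "__main__":
    for lineno, name, masked in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} holds a literal credential ({masked})")
```

Wire it into a pre-commit hook over the staged files and fail the commit when the list is non-empty; a `.gitignore` entry for the config file covers the case where the credentials live outside the source.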
Use a Password Manager
Store API Keys in a secure password manager such as 1Password, Bitwarden, or KeePass. Avoid storing them in plaintext files, chat logs, or digital notes.
Regular Rotation
Even in the absence of a leak, it is advisable to rotate API Keys periodically. For example, create a new key every three months and delete the old one to minimize the risk of long-term exploitation.
Unique Keys for Unique Tools
If multiple third-party tools or bots are used, create a dedicated API Key for each. This containment strategy ensures that if one tool is compromised, only that specific key needs to be revoked, leaving other operations unaffected. It also facilitates rapid identification of the source of a leak.
Monitor API Activity
Periodically review the API usage statistics on the Binance API Management page. A sudden spike in requests or activity from unauthorized origins indicates a potential security breach.
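The two signals named above, requests from an unauthorized origin and a sudden spike in volume, can also be checked automatically against your own bot or gateway logs. The detector below is an added example, not Binance's code; its log format (timestamp, key label, source IP, endpoint), the per-key whitelist, the threshold and the sample lines are all constructed.

```python
# Added example, not Binance's own code. Scans request logs for (1) calls from
# IPs outside a key's whitelist and (2) per-minute request spikes. Log format,
# whitelist, threshold and sample lines are assumptions for this example.
from collections import defaultdict
from datetime import datetime

WHITELIST = {"Quant-Trading": {"203.0.113.10"}}   # assumed per-key allowed source IPs
SPIKE_THRESHOLD = 5   # requests per minute per key; tune to the bot's normal rate

def parse_line(line):
    """Parse 'ISO-timestamp key-label source-ip endpoint' into typed fields."""
    ts, label, ip, endpoint = line.split()
    return datetime.fromisoformat(ts), label, ip, endpoint

def detect(lines):
    """Return alert strings for unauthorized origins and request-rate spikes."""
    alerts = []
    per_minute = defaultdict(int)   # (label, minute) -> request count
    for line in lines:
        ts, label, ip, endpoint = parse_line(line)
        if ip not in WHITELIST.get(label, set()):
            alerts.append(f"{ts.isoformat()} {label}: {endpoint} called from non-whitelisted IP {ip}")
        per_minute[(label, ts.replace(second=0, microsecond=0))] += 1
    for (label, minute), count in sorted(per_minute.items()):
        if count > SPIKE_THRESHOLD:
            alerts.append(f"{minute.isoformat()} {label}: {count} requests in one minute "
                          f"(threshold {SPIKE_THRESHOLD})")
    return alerts

# Constructed sample log: normal polling, then a burst of order calls from an unknown IP.
SAMPLE_LOG = [
    "2024-05-01T09:00:05 Quant-Trading 203.0.113.10 /api/v3/account",
    "2024-05-01T09:01:05 Quant-Trading 203.0.113.10 /api/v3/account",
    "2024-05-01T09:02:01 Quant-Trading 198.51.100.7 /api/v3/order",
    "2024-05-01T09:02:02 Quant-Trading 198.51.100.7 /api/v3/order",
    "2024-05-01T09:02:03 Quant-Trading 198.51.100.7 /api/v3/order",
    "2024-05-01T09:02:04 Quant-Trading 198.51.100.7 /api/v3/order",
    "2024-05-01T09:02:05 Quant-Trading 198.51.100.7 /api/v3/order",
    "2024-05-01T09:02:06 Quant-Trading 198.51.100.7 /api/v3/order",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Either alert on its own is the cue to apply the Immediate Actions above: delete the key first, then investigate.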
Procedures for Asset Theft
If an audit confirms that assets have been stolen, take the following steps.
Disable the Account
Click "Disable Account" in the security settings to temporarily freeze all account activity and prevent further unauthorized actions by the attacker.
Contact Binance Support
Report the API Key compromise and asset theft to Binance via the in-app chat or by submitting a support ticket. Provide evidence such as unauthorized trade and withdrawal records.
Preserve Evidence
Take screenshots of all anomalous trade records, withdrawal history, and API logs. If the source of the leak is known (e.g., a specific third-party tool), preserve relevant communications or screenshots for investigative purposes.
Report to Authorities
If the loss is significant, consider reporting the incident to local law enforcement. While recovering stolen cryptocurrency can be difficult, establishing an official record is necessary.
Recommendations for Third-Party Tool Usage
If a third-party tool requires an API Key, observe the following precautions.
Evaluate Tool Credibility
Before providing an API Key, investigate the background of the tool. Check for public security audits, the duration of its operation, and community reputation. Exercise extreme caution with new or unverified tools.
Limit Permissions
Grant only the minimum permissions required for the tool to function. A tool for market analysis should not require trading permissions, and a trading tool should never require withdrawal permissions.
Implement IP Whitelisting
If the third-party tool operates on fixed servers, request the server IP addresses from the provider and configure the IP whitelist on Binance. Reputable service providers typically offer a list of their server IPs for this purpose.
Revoke Unused Keys
Immediately delete the associated API Key once you cease using a third-party tool. Leaving an inactive key linked to an external platform creates an unnecessary security risk if that platform is later compromised.
Conclusion
An API Key leak is a serious security incident, but swift action can often minimize the impact. The core response involves deleting the key, auditing assets, updating security credentials, and hardening configurations. Adhering to the principle of least privilege and implementing IP whitelisting are the most effective ways to limit the risk associated with API Key management.