Will My Coins Be Stolen If My Binance API Key Leaks?

Quantitative traders, grid bot users and cross-exchange arbitrage players cannot do without API keys. But what actually happens when a key leaks? The conclusion first: if the key only has the "Read" permission and is bound to an IP whitelist, a leak is close to harmless, because the key is useless from any other address and can only read even from the right one; if it has "Withdrawals" enabled and no IP binding, your funds can be transferred out within minutes. The difference is entirely in how you configured the key. This article explains the permission tiers, the correct configuration for each scenario, IP whitelists, periodic rotation, and damage control after a leak. Configure keys on the web version of the Binance Official Site, where API Management is easiest to use; the Binance Official App is fine for day-to-day checks, and iPhone users who cannot find the app can follow the iOS Installation Guide.

What Exactly Is an API Key?

An API (Application Programming Interface) is an interface the exchange provides for programs. Each API key consists of two parts:

  • API Key: The public part, equivalent to an account name.
  • Secret Key: The private part, equivalent to a password, which is only displayed once upon creation.

Third-party programs (grid bots, quant strategies, data scrapers) can perform operations on behalf of your account using this key pair without needing a web login.

The danger of an API key is that it sidesteps 2FA. You pass 2FA once when creating the key; after that, every call is authorised by a signature computed from the Secret Key (or by the private key, for RSA/Ed25519 keys), and the exchange never prompts the program for a code. Anyone holding the secret is in exactly the same position as your bot. This is why API permissions deserve more care than the 2FA setup itself.
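To make the "sidesteps 2FA" point concrete, here is an added example (not code from the article) of how a Binance-style HMAC key authorises a request: an HMAC-SHA256 signature over the query string, computed with the Secret Key, plus the public key in a header. Nothing is sent to the network; the script only builds the request and shows the verification the exchange side performs. Key values and the environment variable names BINANCE_API_KEY / BINANCE_API_SECRET are assumptions for the example.

```python
"""Added example (not from the original article): how an HMAC API key
authenticates a request. Every call is authorised by an HMAC-SHA256
signature over the query string, made with the Secret Key; no 2FA code is
involved, so whoever holds the secret can sign anything the key allows."""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

BASE_URL = "https://api.binance.com"  # only used to build a URL; nothing is sent


def sign_query(secret: str, query: str) -> str:
    """HMAC-SHA256 of the exact query string, hex-encoded (HMAC key type)."""
    return hmac.new(secret.encode("utf-8"), query.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def build_signed_request(api_key: str, secret: str, path: str,
                         params: Optional[Dict[str, object]] = None,
                         timestamp_ms: Optional[int] = None,
                         recv_window: int = 5000) -> Dict[str, object]:
    """Return the URL and headers for a signed GET. The signature covers
    timestamp and recvWindow, so a captured request cannot be replayed once
    the window has closed (replay inside the window is still possible)."""
    query_params = dict(params or {})
    query_params["timestamp"] = (timestamp_ms if timestamp_ms is not None
                                 else int(time.time() * 1000))
    query_params["recvWindow"] = recv_window
    query = urlencode(query_params)
    signature = sign_query(secret, query)
    return {
        "method": "GET",
        "url": f"{BASE_URL}{path}?{query}&signature={signature}",
        # The public half travels in a header; the secret never leaves the client.
        "headers": {"X-MBX-APIKEY": api_key},
    }


def verify_signature(secret: str, query: str, signature: str) -> bool:
    """What the exchange does: recompute and compare in constant time."""
    return hmac.compare_digest(sign_query(secret, query), signature)


def load_keys_from_env() -> Tuple[str, str]:
    """Read the key pair from the environment instead of hardcoding it
    (variable names are an assumption for this example)."""
    api_key = os.environ.get("BINANCE_API_KEY")
    secret = os.environ.get("BINANCE_API_SECRET")
    if not api_key or not secret:
        raise RuntimeError("set BINANCE_API_KEY and BINANCE_API_SECRET")
    return api_key, secret


if __name__ == "__main__":
    # Constructed placeholder values; real keys are 64-character strings.
    req = build_signed_request("demo-api-key", "demo-secret", "/api/v3/account")
    print(req["url"])
    print(req["headers"])
```

Note what is absent: no password, no 2FA code, no session. The secret is the whole credential, which is why the rest of this article is about limiting what that credential may do and from where.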

Binance API Permission Tiers

Binance splits API permissions into several tiers, ranked from low to high risk.

  Permission          What It Can Do                              Default State        Leak Risk
  Reading             Query balances, orders, K-lines             Enabled by default   Low
  Spot Trading        Place buy/sell orders                       Requires enabling    Medium
  Margin Trading      Margin borrowing and trading                Requires enabling    Medium-High
  Futures Trading     Open futures positions                      Requires enabling    Medium-High
  Transfer            Move funds between your own accounts        Requires enabling    High
  Withdrawals         Withdraw coins to on-chain addresses        Requires enabling    Extremely High
  Internal Transfers  Transfer funds to other Binance users       Requires enabling    Extremely High

Spot Trading is rated only Medium because the attacker has to act as your counterparty on the order book rather than simply withdrawing; in practice that is still enough to drain an account (see the last section on which funds are at risk).

Golden Rule: Always enable only the permissions absolutely necessary for your operations, not a single one more. Quantitative strategies typically only require "Reading + Spot Trading," not Withdrawals.

The Strictest API Configuration Templates

These are the recommended configurations that fit almost all scenarios.

Scenario 1: Data Scraping (Read-only, no orders)

  • Reading: On
  • Others: All Off
  • IP Whitelist: On (bind your server's IP)
  • Validity: Auto-expires after 180 days

Scenario 2: Grid Bots / Quant Trading

  • Reading: On
  • Spot Trading: On
  • Futures Trading: As needed
  • Transfer: Off (Crucial)
  • Withdrawals: Absolutely Off
  • IP Whitelist: On (bind your bot server's IP)
  • Validity: 30-90 days

Scenario 3: Cross-Exchange Arbitrage (Requires transfers and withdrawals)

  • Reading: On
  • Spot Trading: On
  • Withdrawals: On (Whitelist addresses only)
  • Withdrawal Whitelist: Only add deposit addresses of target exchanges
  • IP Whitelist: On
  • Validity: 7-30 days

Scenario 4: Account Checking and Statistics

  • Reading: On
  • Others: All Off
  • IP Whitelist: On
  • Validity: 30 days
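The templates above are easy to state and easy to drift away from. The following added example (not code from the article) audits a key's restrictions against them: excess permissions, missing IP whitelist, the withdrawals-without-whitelist combination, and a key older than the scenario's validity window. The dictionary shape mirrors the documented response of GET /sapi/v1/account/apiRestrictions, but the field names should be treated as an assumption and checked against the current docs; the sample key is constructed.

```python
"""Added example, not code from the original article: audit one key's
restrictions against the scenario templates. The dictionary shape mirrors
the documented response of GET /sapi/v1/account/apiRestrictions (field
names are an assumption; confirm against the current API docs)."""
import time
from typing import Dict, List, Optional, Set

PERMISSION_FLAGS = (
    "enableReading", "enableSpotAndMarginTrading", "enableMargin", "enableFutures",
    "permitsUniversalTransfer", "enableInternalTransfer", "enableWithdrawals",
)

# The four scenarios from the article: allowed flags and the validity window.
TEMPLATES: Dict[str, Dict[str, object]] = {
    "data_scraping": {"allowed": {"enableReading"}, "max_age_days": 180},
    "grid_bot": {"allowed": {"enableReading", "enableSpotAndMarginTrading", "enableFutures"},
                 "max_age_days": 90},
    "arbitrage": {"allowed": {"enableReading", "enableSpotAndMarginTrading", "enableWithdrawals"},
                  "max_age_days": 30},
    "reporting": {"allowed": {"enableReading"}, "max_age_days": 30},
}

# Constructed sample: a grid-bot key that was "temporarily" given withdrawal
# rights and never IP-restricted. createTime is epoch milliseconds.
SAMPLE_BAD_KEY: Dict[str, object] = {
    "ipRestrict": False,
    "createTime": 1700000000000,
    "enableReading": True,
    "enableSpotAndMarginTrading": True,
    "enableMargin": False,
    "enableFutures": True,
    "permitsUniversalTransfer": False,
    "enableInternalTransfer": False,
    "enableWithdrawals": True,
}

MS_PER_DAY = 86_400_000


def audit_key(restrictions: Dict[str, object], scenario: str,
              now_ms: Optional[int] = None) -> List[str]:
    """Return findings for one key; an empty list means it fits the template."""
    template = TEMPLATES[scenario]
    allowed: Set[str] = template["allowed"]  # type: ignore[assignment]
    now_ms = now_ms if now_ms is not None else int(time.time() * 1000)
    findings: List[str] = []

    # Anything granted beyond the template is an excess permission.
    granted = {flag for flag in PERMISSION_FLAGS if restrictions.get(flag)}
    for flag in sorted(granted - allowed):
        findings.append(f"excess permission: {flag}")

    # The whitelist is the second lock; its absence multiplies every other risk.
    if not restrictions.get("ipRestrict"):
        findings.append("no IP whitelist")
        if restrictions.get("enableWithdrawals"):
            findings.append("CRITICAL: withdrawals enabled without IP whitelist")

    # Validity: compare key age with the scenario's rotation window.
    age_days = (now_ms - int(restrictions["createTime"])) // MS_PER_DAY
    if age_days > int(template["max_age_days"]):
        findings.append(f"key age {age_days} days exceeds the "
                        f"{template['max_age_days']}-day rotation cycle")
    return findings


if __name__ == "__main__":
    for finding in audit_key(SAMPLE_BAD_KEY, "grid_bot"):
        print(finding)
```

Run it against every key you own on a schedule; a non-empty result is a key to fix today, not at the next rotation.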

The IP Whitelist Is the Second Lock on the API

The IP whitelist and the permission set multiply rather than add: a permission is only dangerous from addresses that are allowed to use it. Without a whitelist, even a read-only key can be abused from anywhere (your holdings and trade history are exposed to whoever has it); with one, an attacker needs both the key and a foothold on your whitelisted server.

How to Bind an IP Whitelist

  1. Log in to Binance → Account → API Management.
  2. Find the corresponding API key and click "Edit".
  3. Under "IP Access Restrictions", select "Restrict access to trusted IPs only".
  4. Enter your server's public IP (you can input multiple, separated by commas).
  5. Submit.

How to Check Your Public IP

  • On a server, run curl ifconfig.me or curl ip.sb.
  • Locally, visit ip.sb in your browser to see it.

What If My IP Is Dynamic?

  • Home broadband usually has dynamic public IPs that change daily.
  • Solutions: ① run the bot on a VPS with a static IP; ② if you must run from home, route the bot through a fixed egress (a VPN or proxy with a static address) and whitelist that address; ③ switch to a cloud provider with fixed outbound IPs. A DDNS hostname does not help by itself, because the whitelist takes IP addresses, not hostnames; you would have to re-enter the new address in API Management every time it changes, and the bot is locked out until you do.

An API key without an IP whitelist is usable from anywhere in the world the moment it leaks.

Common Scenarios for API Key Leaks

Many people don't know how their API keys get leaked. Here are typical leak paths.

Scenario A: Code Committed to GitHub

The most common path: the API_KEY and SECRET are hardcoded in a Python script that is then pushed to a public repository. Credential-scanning bots watch GitHub around the clock, and a key that lands in a public commit is typically used within minutes.

Prevention: load keys from environment variables or a local .env file, add .env (and *.env) to your .gitignore, and remember that a key already pushed stays in the repository history forever: rewriting the commit is not a fix, rotating the key is.
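The check that belongs in a pre-commit hook, as an added example (not code from the article): a scanner that flags 64-character alphanumeric strings assigned to a key- or secret-looking name as hardcoded credentials, and any other 64-character alphanumeric token that is not plain hex as possible key material. The 64-character format is an observation about current Binance keys, not a guarantee, and the directory-skip list is an assumption for the example.

```python
"""Added example, not code from the article: a pre-commit scanner for
hardcoded exchange keys. Hashes (plain hex) are deliberately not flagged,
because SHA-256 digests are common in code and are not key material."""
import os
import re
import sys
from typing import Dict, List

# name = "64 alphanumeric chars" where the name looks like a key or secret
ASSIGN_RE = re.compile(
    r"(?P<name>[A-Za-z_]*(?:api_?key|api_?secret|secret)[A-Za-z_]*)"
    r"\s*[:=]\s*[\"'](?P<value>[A-Za-z0-9]{64})[\"']",
    re.IGNORECASE,
)
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{64}(?![A-Za-z0-9])")
HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def _mask(value: str) -> str:
    """Never echo the full secret into terminal output or CI logs."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, path: str = "<stdin>") -> List[Dict[str, object]]:
    """Scan one file's contents; returns one finding per offending line."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        assign = ASSIGN_RE.search(line)
        if assign:
            value = assign.group("value")
            findings.append({"path": path, "line": lineno, "rule": "hardcoded-credential",
                             "snippet": line.replace(value, _mask(value)).strip()})
            continue
        for token in TOKEN_RE.findall(line):
            if HEX_RE.match(token):
                continue  # a digest, not a key
            findings.append({"path": path, "line": lineno, "rule": "possible-key-material",
                             "snippet": line.replace(token, _mask(token)).strip()})
            break
    return findings


def scan_tree(root: str, skip_dirs=(".git", "node_modules", ".venv")) -> List[Dict[str, object]]:
    """Walk a working tree. This checks the working copy only: a key that was
    already committed lives on in history and must be rotated regardless."""
    findings: List[Dict[str, object]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), full))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in hits:
        print(f"{hit['path']}:{hit['line']}: {hit['rule']}: {hit['snippet']}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit in a pre-commit hook
```

Wire it in as .git/hooks/pre-commit (or through the pre-commit framework) so the commit is refused before the key ever reaches a remote; GitHub's own secret scanning is the backstop, not the first line.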

Scenario B: Pasted into Third-Party Tools

Unknown quant platforms or trading signal services that ask you to submit your API key "for monitoring". Any such service necessarily stores your key server-side; whether it is later leaked or misused depends entirely on that platform's security and honesty, neither of which you can audit.

Prevention: only hand keys to certified partners listed by Binance, or to well-known, established platforms (e.g., 3Commas, CoinGlass), and even then give them a read-only or trade-only key with an IP whitelist limited to the platform's published addresses.

Scenario C: Trojan on the Computer

Infostealer trojans read the clipboard and common configuration files (.env, config.json, exchange client settings) to harvest keys stored locally.

Prevention: run bots on a dedicated machine that is not used for browsing or media; keep standard antivirus software running; rotate keys regularly; and treat any key that was ever present on an infected machine as leaked.

Scenario D: Leaving Employee Taking Keys

A team shares an API key, and they forget to reset it after an employee leaves.

Prevention: One key per person, invalidate immediately upon departure; route critical operations through whitelisted addresses.

Scenario E: Cloud Server Intrusion

Weak passwords or SSH exposed to the whole internet lead to brute-forced logins, after which the attacker simply reads the bot's configuration file.

Prevention: disable password login and allow key-based login only; restrict SSH to your own IPs in the firewall and open only the ports you actually need (moving SSH to a non-standard port cuts log noise but does not stop a targeted attacker); apply system updates regularly.

API Key Periodic Rotation Strategy

Even a key that has not leaked accumulates exposure over time: more backups, more logs and more machines it has passed through. Rotate on a fixed cycle.

Rotation Cycles

  • High-frequency trading: Every 30 days.
  • Medium frequency: Every 60-90 days.
  • Low-frequency data querying: Every 180 days.
  • One-time debugging: Delete immediately after use.

Rotation Steps

  1. Create a new API key with the same (minimal) permissions and IP whitelist as the old one.
  2. Update the configuration in your bots or scripts.
  3. Test that the new key works properly.
  4. Delete the old API key in the Binance backend as soon as the new one is confirmed working; a short overlap is fine, a long one is a second key to lose.
  5. Record the rotation date.

What to Do If Your API Key Has Already Leaked

Follow this checklist; the faster, the better.

Emergency Action (Within 5 minutes)

  1. Log in to Binance → API Management → Immediately delete the leaked API.
  2. Check your account holdings for any abnormal changes.
  3. View transaction history to look for anomalous withdrawals or transfers.
  4. Freeze the account (if you notice a large number of abnormal transactions).
  5. Change your password and reset 2FA (the key may have been taken together with other credentials from the same machine).

Continuous Monitoring (Within 24 hours)

  1. Watch your email and app notifications for withdrawals, new device logins and newly created API keys.
  2. Check your holdings and balances hourly.
  3. Review GitHub, code repositories, and cloud storage to see if there are still sources of key leaks.
  4. Enable Binance's remote login notifications.
  5. If funds are lost, contact customer service immediately to open a case.

Long-term Hardening (Within 7 days)

  1. Clean up any potential key leaks in all historical code repositories.
  2. Enable GitHub secret scanning and push protection on your repositories.
  3. Change all API usages to environment variables.
  4. Harden servers (key-only SSH, SSH restricted by firewall, regular updates).
  5. Consider a hardware security key (FIDO2 / passkey) for two-factor authentication.

Which Funds Are Most at Risk After an API Leak?

Ranked by the probability of theft.

  1. Spot Balance: with spot trading enabled, the attacker does not need withdrawal rights at all. They place orders on the other side of the book from their own account, then use your key to sell your coins into their bids far below market, or to buy an illiquid token from their asks far above it. Value moves to the attacker through ordinary trades; this is loosely called "wash trading", but it is really the attacker acting as your counterparty.
  2. Futures Account: with futures enabled, the attacker opens large, highly leveraged positions in your account against positions they hold themselves, so your losses and your liquidation are their profit.
  3. On-chain Assets: with withdrawals enabled and no address whitelist, funds are simply withdrawn to the attacker's address within minutes.
  4. Historical Order Privacy: Even with only read permissions, attackers can see your holdings and trade history, compromising your privacy.
  5. Used as a Zombie Account: Your account gets added to the attacker's "volume farming" matrix, generating massive amounts of small transactions.
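The first two patterns above leave a clear trace in your own trade history, which is what the 24-hour monitoring step should be looking at. The following added example (not code from the article) is detection logic run over constructed fills: it flags fills executed in the losing direction far from a reference price (your sell well below market, your buy well above it), estimates the value moved to the counterparty, and counts fills per time window to catch the "volume farming" burst of a zombie account. Reference prices, fills and the 5% / 20-fills thresholds are invented for the demonstration.

```python
"""Added example, not from the original article: detection logic for the
theft patterns described above, run over constructed fills. The reference
prices, fills and thresholds are invented for the demonstration."""
from typing import Dict, List

# Constructed reference prices (in practice: the current mid from a ticker feed).
REFERENCE_PRICE: Dict[str, float] = {"BTCUSDT": 60000.0, "ABCUSDT": 0.10}

# Constructed fills in the shape a bot would log them (time in milliseconds).
SAMPLE_FILLS: List[Dict[str, object]] = [
    {"symbol": "BTCUSDT", "side": "SELL", "price": 59950.0, "qty": 0.01, "time": 1000},  # normal
    {"symbol": "BTCUSDT", "side": "SELL", "price": 42000.0, "qty": 0.5, "time": 1030},   # dumped into attacker's bid
    {"symbol": "ABCUSDT", "side": "BUY", "price": 0.25, "qty": 100000, "time": 1031},    # bought attacker's ask
]
# Thirty dust-sized fills within 30 ms: a "volume farming" burst.
SAMPLE_FILLS += [
    {"symbol": "BTCUSDT", "side": "BUY", "price": 60000.0, "qty": 0.0001, "time": 2000 + i}
    for i in range(30)
]


def off_market_fills(fills: List[Dict[str, object]], reference: Dict[str, float],
                     max_deviation: float = 0.05) -> List[Dict[str, object]]:
    """Flag fills executed in the losing direction beyond max_deviation from the
    reference: a SELL far below market or a BUY far above it. Unknown symbols
    are flagged too, since a bot should never trade outside its universe."""
    findings: List[Dict[str, object]] = []
    for fill in fills:
        ref = reference.get(str(fill["symbol"]))
        if ref is None:
            findings.append({"fill": fill, "reason": "symbol has no reference price",
                             "loss_quote": None})
            continue
        price, qty = float(fill["price"]), float(fill["qty"])
        deviation = (price - ref) / ref
        losing = ((fill["side"] == "SELL" and deviation < -max_deviation)
                  or (fill["side"] == "BUY" and deviation > max_deviation))
        if losing:
            findings.append({
                "fill": fill,
                "reason": f"{fill['side']} {deviation:+.0%} from reference",
                "loss_quote": abs(price - ref) * qty,  # value handed to the counterparty
            })
    return findings


def max_fills_in_window(fills: List[Dict[str, object]], window_ms: int = 10_000) -> int:
    """Largest number of fills inside any window_ms-wide interval (sliding window)."""
    times = sorted(int(f["time"]) for f in fills)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window_ms:
            start += 1
        best = max(best, end - start + 1)
    return best


def estimated_loss(findings: List[Dict[str, object]]) -> float:
    """Sum of estimated losses in quote currency over all flagged fills."""
    return sum(float(f["loss_quote"] or 0.0) for f in findings)


if __name__ == "__main__":
    flagged = off_market_fills(SAMPLE_FILLS, REFERENCE_PRICE)
    for item in flagged:
        print(item["fill"]["symbol"], item["reason"], item["loss_quote"])
    print("estimated loss in quote currency:", estimated_loss(flagged))
    burst = max_fills_in_window(SAMPLE_FILLS)
    print("max fills in a 10 s window:", burst, "(burst)" if burst > 20 else "")
```

A single alert from either check should trigger the emergency steps above (delete the key first, investigate second); on a healthy grid bot, fills cluster tightly around the reference and never spike to dozens per second.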

FAQ

Can an API key have its Secret reset?

No. For HMAC keys the Secret is shown once at creation and never again; if it is lost or leaked, delete the key and create a new one. Binance also supports RSA and Ed25519 key types, where you generate the key pair yourself and upload only the public key; the private key never leaves your machine, which removes one place it could leak from.

Can API key permissions be modified at any time?

Yes. Edit the key in API Management to change its permissions and IP whitelist; 2FA verification is required to save the change.

Do Binance API Keys have an expiration time?

Once advanced permissions are enabled (like withdrawals), Binance requires you to set a validity period, defaulting to a maximum of 90 days. It automatically expires after this period. Standard API keys do not have a hard expiration, but long-unused ones will be cleaned up periodically by Binance.

How many API keys can one account create?

The limit is usually around 30. It's recommended to use one key per business task to facilitate management and isolation.

Are Sub-account API keys isolated from the Main account?

Yes, in the direction that matters: a sub-account API key can only operate on that sub-account's assets and cannot reach the main account. The isolation is one-way, since a main-account key granted sub-account management can still move sub-account funds. This is why large funds are advised to run strategies from sub-accounts and keep main-account keys to a minimum.

What are the rate limits for API requests?

Limits are weight-based, counted per IP and per endpoint family, and they change over time; the commonly quoted figures of roughly 1200 request weight per minute for spot (later raised to 6000 per IP) and 2400 for futures come from different versions of the docs, and order placement has its own separate count limits. Rather than hardcoding numbers, read the X-MBX-USED-WEIGHT-* response headers, back off on HTTP 429, and stop immediately on HTTP 418, which signals an IP ban. Refer to the official Binance API documentation for current figures.

Conclusion

The risk of an API key depends entirely on your configuration, not on the key itself. Three golden rules: ① minimise permissions (do not turn on what you do not need), ② the IP whitelist is mandatory (bind your server IP), ③ rotate periodically (every 30-90 days). Add the discipline of never committing a Secret to a code repository and your API security is as good as it gets. Quantitative traders in particular must treat API security as equal to the security of the funds themselves: the key is literally a key to the funds. Now open the API Management page on the Binance Official Site, delete every key that is unused or older than 90 days, and add an IP whitelist to each one that remains.