Waking up to a drained Binance balance is one of the worst feelings in crypto — and a growing share of these incidents trace back to a single point of failure: a compromised API key. If it's happened to you, or you want to make sure it never does, this guide explains exactly how API-key drains work, what to do in the first ten minutes, and the settings that stop them cold.
How an API key can drain your account
An API key is a credential that lets outside software act on your account. If a key with the wrong permissions leaks, an attacker has two ways to empty you:
- Direct withdrawal — if the key has withdrawal permission, they simply send your funds out. This is the obvious one.
- The "self-trade" pump-and-dump — this works even without withdrawal permission, which is why trade-only keys are still dangerous. The attacker pre-buys an illiquid coin, then uses *your* trade-enabled key to market-buy that same coin at absurd prices, draining your balance into their pre-placed sell orders. Your funds never "withdraw" — they evaporate through terrible trades.
That second method is the one most victims don't see coming.
Important: this is almost never a "Binance hack"
In the overwhelming majority of cases, the exchange wasn't breached — the key leaked from the user's side. The common causes:
- Pasting your API key/secret into a fake "trading bot," "profit tool," or "portfolio tracker."
- Committing keys to a public GitHub repo (bots scrape GitHub for keys within seconds).
- Entering keys on a phishing site that mimics Binance.
- Malware or a clipboard hijacker on your device.
- Reusing one key across many apps, so a single leak exposes everything.
If your account was just drained — do this now
Move fast; the goal is to stop further loss:
- Delete every API key immediately (Binance → API Management). This severs the attacker's access instantly.
- Change your password and re-verify 2FA. Assume your credentials are exposed.
- Move remaining funds to a fresh, secure wallet the attacker has never touched.
- Enable the withdrawal address whitelist so funds can only leave to addresses you pre-approve.
- Scan your device for malware and, if in doubt, move to a clean device before logging back in.
- Contact Binance support and report the incident.
Be realistic: once funds leave, recovery is often not possible. The priority is locking down everything so you don't lose more.
How to make sure it never happens (the prevention checklist)
Every one of these is a setting you control at creation:
- Read-only for anything that doesn't trade. Trackers, journals and tax tools need "Enable Reading" only — never trading or withdrawals. A read-only key that leaks costs you nothing.
- Never enable withdrawals on a third-party key. There's almost no legitimate reason to.
- IP-whitelist every key. A key bound to your specific IP is useless to an attacker from anywhere else — this single setting neutralizes most drains.
- One key per app, deleted when unused, rotated periodically.
- Enable 2FA and the withdrawal address whitelist on the account itself.
- Never paste your secret into unknown software, and never commit it to code.
For the full walkthrough, see How to Keep Your Crypto API Keys Safe and our step-by-step How to Create a Binance API Key.
Rebuilding securely
If you're starting over after an incident — or just tightening a loose setup — create your keys correctly from day one. On Binance, make a fresh key that is read-only unless a bot genuinely needs to trade, never withdrawal-enabled, and IP-restricted, and turn on every account security feature.
And if the whole API-key risk makes you uneasy, know that some venues are safer by design: Hyperliquid uses API wallets that can trade but can never withdraw, so a leaked key physically cannot drain you. Details in our Hyperliquid API guide.
A drained account is a brutal lesson, but it's almost always preventable with three habits: least-privilege permissions, IP whitelisting, and never sharing your secret. Lock those in and an API key becomes a convenience again, not a liability.