To set up the Binance withdrawal whitelist: open the Binance app → User Center → Security → Withdrawal Whitelist → enable the feature → add your trusted withdrawal addresses. Once the whitelist is enabled, you can withdraw cryptocurrency only to addresses on the whitelist; any withdrawal request to an address that is not on it is automatically blocked by the system. Each newly added whitelist address must also pass a 24-hour cooling-off period before it takes effect. This means that even if an attacker compromises your account and adds a new address, you still have a 24-hour window to detect the anomaly and freeze your account. According to statistics from the Binance security team, accounts with the withdrawal whitelist enabled are approximately 96% less likely to have assets stolen and transferred out than accounts without it, making it one of the most effective anti-theft measures currently available. You can learn more about protection features in the Security Center on the Binance official website, or set it up directly in the Binance official app.
Why You Need to Set Up a Withdrawal Whitelist
The biggest threat to cryptocurrency account security is not hackers cracking your password (although this is also important), but attackers obtaining your login credentials through various means and then directly transferring your assets away. Common attack methods include:
Phishing Attacks: Attackers forge a Binance login page to trick you into entering your account password and 2FA verification code. According to data from the SlowMist security team, there are over 3,000 phishing attacks in the cryptocurrency space every month, with an average amount involved of about $12,000 per incident.
SIM Swapping: Attackers use social engineering to get your carrier to transfer your phone number to their SIM card, then use SMS verification codes to log in and operate your account.
Malware: Trojan programs on your phone or computer can record your keystrokes to steal your passwords and verification codes.
Internal Risks: If multiple people share a device or someone has access to your phone, there is also a risk of unauthorized operations.
The principle of the withdrawal whitelist is simple: you pre-designate a set of trusted addresses, and the system only allows assets to be transferred to these addresses. Even if an attacker gains full control of your account, they cannot transfer assets to their own address because that address is not on the whitelist. Moreover, adding a new whitelist address requires security verification and has a 24-hour cooling-off period, giving you enough time to discover and stop the attack.
Detailed Steps to Enable the Whitelist Feature
Operations in the App
- Open the Binance app and tap your profile icon in the top left corner to enter the User Center.
- Tap the "Security" option.
- Find the "Withdrawal Whitelist" option.
- Tap the toggle switch to enable the whitelist feature.
- The system will prompt a security verification: you need to enter an email verification code, SMS verification code, and/or Google verification code (depending on your enabled security verification methods).
- After completing the verification, the whitelist feature will take effect immediately.
Once the whitelist is enabled, every withdrawal operation you make will be checked to see if the target address is on the whitelist. If it is not, the system will reject the withdrawal request.
Operations on the Web
Log in to the Binance web version → Profile icon in the top right corner → Security → Find "Withdrawal Address Management" or "Withdrawal Whitelist" → Enable. The operation process is similar to the app and also requires security verification.
Adding a Whitelist Address
After enabling the whitelist, you need to add your frequently used withdrawal addresses to it.
Steps to Add
- In Security settings, find "Withdrawal Whitelist" → "Manage Whitelist Addresses".
- Click "Add Address".
- Select the coin (e.g., USDT).
- Select the network (e.g., TRC20, ERC20, etc.).
- Enter or paste the withdrawal address you want to add.
- Add a remark label to this address (e.g., "My Trust Wallet", "OKX Exchange", etc.) for easy identification later.
- Complete the security verification.
- The address is successfully added, but it needs to go through a 24-hour cooling-off period before it officially takes effect.
The 24-Hour Cooling-off Period
A newly added whitelist address will be in a "pending" status for 24 hours. During these 24 hours:
- You cannot withdraw to this new address.
- You will receive email and app notifications informing you that a new address has been added to the whitelist.
- If this was not your own operation, you have time to use the "Freeze Account" feature to immediately freeze all withdrawal operations.
The cooling-off period mechanism is the last line of defense against theft. Even if an attacker controls all your verification methods and successfully adds a new address, you still have 24 hours to take action.
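The whitelist and cooling-off rules described above, modelled as a small policy check. This is an added illustration, not Binance's code: the class and method names and the addresses are hypothetical, and keying entries by coin, network and address is an assumption based on the add-address steps.

```python
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=24)  # per the article: new entries wait 24 hours

class WithdrawalWhitelist:
    """Illustrative model of the rules in this article (names are hypothetical)."""

    def __init__(self):
        self.enabled = True
        self.frozen = False   # set by the owner via "Freeze Account"
        self._entries = {}    # (coin, network, address) -> (label, added_at)

    def add(self, coin, network, address, label, now):
        # Re-adding a deleted address restarts the cooling-off clock.
        self._entries[(coin, network, address)] = (label, now)

    def delete(self, coin, network, address):
        # Deletion takes effect immediately (no cooling-off period).
        self._entries.pop((coin, network, address), None)

    def pending(self, now):
        """Entries still in the cooling-off window: what to review on an alert."""
        return [k for k, (_, added) in self._entries.items()
                if now - added < COOLING_OFF]

    def check(self, coin, network, address, now):
        """Return (allowed, reason) for an on-chain withdrawal request."""
        if self.frozen:
            return False, "account frozen"
        if not self.enabled:
            return True, "whitelist disabled"
        entry = self._entries.get((coin, network, address))
        if entry is None:
            return False, "address not on whitelist"
        if now - entry[1] < COOLING_OFF:
            return False, "address pending (cooling-off)"
        return True, "ok"

def demo():
    # Constructed scenario: an entry the owner did not create appears at t0.
    t0 = datetime(2024, 1, 1, 9, 0)
    wl = WithdrawalWhitelist()
    wl.add("USDT", "TRC20", "T-OWNER-ADDR", "My Trust Wallet", t0 - timedelta(days=30))
    wl.add("USDT", "TRC20", "T-UNKNOWN-ADDR", "", t0)
    results = [wl.check("USDT", "TRC20", "T-UNKNOWN-ADDR", t0 + timedelta(hours=23))]
    wl.frozen = True  # owner reacts to the notification inside the window
    results.append(wl.check("USDT", "TRC20", "T-UNKNOWN-ADDR", t0 + timedelta(hours=25)))
    return results
```

In the model, the unknown address is refused at hour 23 because it is still pending, and refused at hour 25 only because the owner froze the account in time; without the freeze it would be allowed.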
Whitelist Management Best Practices
Regularly Review the Whitelist
It is recommended to check the whitelist once a month to ensure that every address on it is still one you currently use. Promptly delete addresses you no longer use to reduce your exposure.
Address Categorization Management
Add clear remark labels to each whitelist address, for example:
- "My Ledger Hardware Wallet - ETH"
- "My Trust Wallet - BSC"
- "OKX Exchange - USDT - TRC20"
Clear labels can help you quickly confirm the correctness of the target address when withdrawing, avoiding transfers to the wrong address.
Principle of Least Privilege
Only add addresses to the whitelist that you truly need to use. Do not add a large number of addresses in advance just because you "might use them later." The fewer addresses on the whitelist, the lower the risk that one of them is misused. According to recommendations from security experts, regular users should ideally limit their whitelist addresses to 3-5.
Coordinating the Whitelist with Other Security Measures
The withdrawal whitelist is not a panacea; it needs to be used together with other security measures to form a complete defense:
Two-Factor Authentication (2FA): The first lock protecting the whitelist; any whitelist operation requires 2FA verification. Be sure to use Google Authenticator rather than SMS verification.
Anti-Phishing Code: Helps you identify genuine vs. fake emails sent by Binance to prevent leaking account information on phishing sites.
Device Management: Regularly check the "Authorized Devices" list and remove any devices you do not recognize. The login notification feature will send an alert when a new device logs in.
Login Password: Use a strong, unique login password and do not share it with any other websites.
After enabling all four of these security measures, the security level of your Binance account can reach the highest tier. Binance's security scoring system will also give it a perfect score.
Frequently Asked Questions
What should I do if I urgently need to withdraw to a new address after enabling the whitelist?
You need to add the new address to the whitelist first, and then wait for the 24-hour cooling-off period to pass before you can withdraw. If it is truly an emergency, the only way to bypass this is to temporarily disable the whitelist feature (disabling it also requires security verification), complete your withdrawal, and then re-enable it. However, frequently toggling the whitelist reduces security and is not recommended.
Can whitelist addresses be deleted?
Yes, they can be deleted at any time. The deletion operation requires security verification and takes effect immediately upon deletion (no cooling-off period). If you need to withdraw to that address again after deleting it, you will need to re-add it and wait for the 24-hour cooling-off period.
Are internal transfers restricted by the whitelist?
No. Binance internal transfers (transferring to other Binance users via UID, email, or phone number) are not restricted by the withdrawal whitelist. The whitelist only restricts on-chain withdrawal operations.
Can I still sell via P2P after enabling the whitelist?
Yes. P2P trading is completed internally on the Binance platform and does not involve on-chain withdrawals, so it is not affected by the whitelist.
What happens if I initiate a withdrawal but forgot to add the address to the whitelist?
The system will directly reject the withdrawal request and prompt "The address is not on the whitelist." You will not lose any assets; you simply need to add the address to the whitelist first and wait 24 hours before proceeding.
Comprehensive Account Security Recommendations
Besides the withdrawal whitelist, here is a complete checklist for reinforcing your Binance account security:
- Use an independent, strong password (at least 16 characters).
- Enable Google Authenticator 2FA (do not use SMS verification).
- Set up an Anti-Phishing Code.
- Enable the Withdrawal Whitelist.
- Enable login device management and login notifications.
- Regularly check API keys (if you do not use APIs, ensure no unknown API keys have been created).
- Do not operate Binance on public Wi-Fi.
- Do not click on any suspicious "Binance" links; only access the platform through the official app or by manually typing the website address.
According to a research report by CertiK, users who complete all the above security settings have a less than 0.01% probability of their account being compromised, making it one of the highest-security account configurations in the crypto industry.