Table of Contents 27 sections

Withdrawal Whitelist: Protecting Your Assets Even If Your Account Is Compromised

Imagine this scenario: an attacker somehow obtains your account password and verification codes, and successfully logs into your Binance account. They attempt to transfer your BTC to their own wallet, enter their address, and click withdraw — and they are denied. Because you have enabled the withdrawal whitelist, only pre-authorized addresses can receive withdrawals, and the attacker's address is not on the list.

This is the power of the withdrawal whitelist: it is the last line of defense for your assets. Even if every other security layer is bypassed, as long as the whitelist is in place, the attacker cannot transfer your funds to their own address.

What Is the Withdrawal Whitelist?

The withdrawal whitelist (also called Withdrawal Whitelist) is a security mechanism that, once enabled:

  • Restricts withdrawals exclusively to addresses on the whitelist
  • Blocks any withdrawal attempt to an address not on the list
  • Requires security verification to add a new address, followed by a 24-hour cooling period
  • Prevents an attacker who controls your account from immediately adding their address and draining your funds

Enabling the Withdrawal Whitelist

Setup Steps

  1. Open the Binance APP
  2. Tap the profile icon in the top-left corner > "Security"
  3. Find "Withdrawal Whitelist" or "Withdrawal Whitelist"
  4. Toggle the switch to enable the feature
  5. The system will require security verification (SMS + email + Google Authenticator)
  6. Once verified, the whitelist feature takes effect immediately

Adding Addresses to the Whitelist

After enabling the whitelist, you need to add the withdrawal addresses you regularly use:

  1. Go to the "Withdrawal Whitelist" management page
  2. Tap "Add Address"
  3. Select the coin (such as BTC, ETH, USDT, etc.)
  4. Enter the wallet address
  5. Select the corresponding network (this step is critical — choosing the wrong network will result in permanent loss of funds):
    • BTC: select the Bitcoin network
    • ETH: select the ERC20 network
    • USDT: options include ERC20, TRC20, BEP20, and others
  6. Add a label for the address (such as "My Ledger Hardware Wallet" or "OKX Exchange")
  7. Complete the security verification
  8. Newly added addresses have a 24-hour cooling period — the address cannot be used for withdrawals during this time

About the 24-Hour Cooling Period

This is the core design element of the whitelist security mechanism:

  • After adding a new address, you must wait 24 hours before it becomes usable
  • During the cooling period, you will receive email and in-app notifications
  • If you did not authorize the addition of this address, you can cancel it within the cooling period
  • This gives you a 24-hour response window to block any unauthorized address additions

Managing Whitelist Addresses

Viewing Existing Addresses

  1. Go to the "Withdrawal Whitelist" management page
  2. All added whitelist addresses are organized by coin
  3. Each address shows: coin type, network, address, label, and the date it was added

Removing a Whitelist Address

  1. Find the address you want to remove
  2. Tap the delete or remove button
  3. Complete the security verification
  4. The address is removed from the whitelist immediately

Important note: Removing an address takes effect instantly, with no cooling period required. This means that once an address is removed, you cannot withdraw to it again until you re-add it and wait another 24 hours.

Editing Whitelist Addresses

Whitelist addresses cannot be edited directly. To update an address, the process is:

  1. Delete the old address
  2. Add the new address
  3. Wait through the 24-hour cooling period

Whitelist Strategies for Different Coin Types

Major Coins (BTC, ETH)

Recommended additions:

  • Your hardware wallet address
  • Addresses at other exchanges you frequently transfer to
  • Keep the list minimal — add only what you actually need

Stablecoins (USDT, USDC)

Key considerations:

  • USDT operates across multiple networks (ERC20, TRC20, BEP20, and others)
  • Address formats differ across networks — each network's address must be added separately
  • Always confirm that the network you select matches the network of the destination address

Low-Cap Coins

  • Add on a need-to-use basis; do not pre-add a large number of unused addresses
  • Some coins may have special address formats or require a Memo or Tag field

Security Value Analysis of the Withdrawal Whitelist

Protection Scenario 1: Password Leak

Even if an attacker obtains your password and somehow bypasses two-factor authentication (an extreme case), they still cannot withdraw to any address outside your whitelist.

Protection Scenario 2: SIM Card Hijacking

An attacker who hijacks your SIM card to capture SMS verification codes is still blocked from withdrawing funds — the whitelist restricts outflows to only your pre-authorized addresses.

Protection Scenario 3: Insider Threats

If you manage cryptocurrency assets in a company or institutional setting, the whitelist prevents internal staff from making unauthorized transfers.

Protection Scenario 4: Accidental Misoperation

Even if you accidentally copy a wrong address (for example, because clipboard-hijacking malware swapped it), the withdrawal will not execute if that address is not on the whitelist — indirectly protecting your assets from your own slip.

Frequently Asked Questions

I have the whitelist enabled but need to send a one-time withdrawal to a new address — what do I do?

You must add the new address to the whitelist and then wait through the 24-hour cooling period. This is admittedly inconvenient, but that inconvenience is precisely the price of security. If you have a genuine emergency, the only alternative is to disable the whitelist feature — which also requires security verification and has its own cooling period.

How long does it take to disable the whitelist?

Disabling the whitelist typically involves a 48-hour freeze period, during which no withdrawals can be made. This prevents an attacker from turning off the whitelist and immediately withdrawing funds.

I entered an address incorrectly — what do I do?

If the incorrect address is still within the 24-hour cooling period, you can cancel it. If the cooling period has passed but you have not yet withdrawn to that address, simply delete it. If you have already sent funds to the wrong address, you will need to contact the receiving platform or wallet for assistance — Binance cannot reverse an on-chain transaction once it is broadcast.

My hardware wallet generated a new address — what should I do?

You need to add the new address to the whitelist and wait 24 hours. It is best practice to add the new address in advance before you actually need to use it.

Are internal Binance transfers subject to the whitelist?

Internal Binance transfers (by email, phone number, or Binance ID) are generally not subject to the withdrawal whitelist, because internal transfers do not involve on-chain operations. However, specific policies may vary by region — it is advisable to test this yourself to confirm.

Best Practice Recommendations

  1. Enable it now: This is one of the most valuable security features available
  2. Principle of minimalism: Only add addresses you will actually use
  3. Audit regularly: Review your whitelist once a month and remove addresses you no longer need
  4. Use clear labels: Add descriptive labels to every address so you can identify them easily later
  5. Test with a small amount: When adding a new address, send a small test withdrawal first to confirm the address is correct
  6. Combine with other security measures: Withdrawal whitelist + Google Authenticator + anti-phishing code = maximum security configuration

Summary

The withdrawal whitelist may be the security feature with the highest return on effort across all of Binance's security tools. Set it up once, and it protects you continuously. It will not disrupt your day-to-day usage (most users' withdrawal addresses are relatively stable over time), but at a critical moment it can be what stands between you and losing everything. The 24-hour cooling period might seem like an inconvenience — but that inconvenience is exactly what makes the whitelist the ultimate last line of defense for your assets.

Register on Binance | Download Binance App

Download Binance App

Click to download — available on all platforms

Download Android APK Register Binance Account

Register Now

Register via our exclusive link and download the Binance app to enjoy permanent trading fee discounts

Sign Up Download App