No one wants their account stolen, but once it happens, the first 30 minutes determine 80% of the outcome. Whether you can recover the funds, stop the bleeding, or ensure you never suffer the same loss again depends entirely on what you do during this time. Calm down first, then immediately use another device to log in to the Binance website and start the emergency process. If you don't have the client installed on your phone, use the Binance official app link to open it quickly; iPhone users who haven't installed the app should first follow the iOS install guide to switch regions and install it. This article explains the three-stage process: "5-minute emergency / 24-hour appeal / long-term forensics".
1. Determine If the Account Is Really Stolen
If you encounter any of the following situations, run the "stolen" process first; do not wait to confirm:
- A "Binance login device / IP change" notification suddenly appears in your email, and the change was not made by you.
- A withdrawal email has been sent, but you haven't touched the account at all.
- You are unable to log in, and your password has been changed by someone else.
- An unfamiliar device appears in Device Management, and its IP is from overseas.
- An API you never created appears in your API key list.
Even if you only suspect it, immediately follow the "5-minute emergency" below: the cost of being wrong is just ten minutes, while the benefit of being right could be all of your funds.
2. Emergency Checklist Within 5 Minutes
Minute 1: Freeze the Account
The Binance account management page has a "Security → Freeze Account" entry (also called Lock Account). Once clicked, the account will immediately halt all logins and withdrawals. Any withdrawals that have been initiated but not yet completed will enter a pending review state.
If you are already unable to log in to your account, immediately call the Binance official customer service hotline (the latest number can be found at the bottom of the binance.com help page), or contact the 24-hour online customer service in the bottom right corner of the webpage, and state "Account stolen, requesting emergency freeze". Customer service will freeze the account after verifying your identity.
Minute 2: Close All APIs
APIs are the attacker's favorite "silent theft channel". In Account → API Management, delete all API keys entirely, leaving none behind. If it was an API theft, merely deleting them is not enough; you must also change the login password and refresh 2FA.
Minute 3: Change Login Password + Refresh 2FA
- Change the login password (set a completely new, 20-character random one that has never been used anywhere else).
- Rebind Google Authenticator (in "Security → Binance/Google Authenticator").
- Reset the anti-phishing code.
Minute 4: Kick Out All Sessions
Go to Account → Security → Device Management, and kick out all devices in the list — leaving only the one you are currently using. If there are unfamiliar devices in the list, write down their IPs and login times as evidence for later.
Minute 5: Screenshot to Preserve Evidence
Take screenshots of all of the following pages:
- Device management list (including unfamiliar devices)
- Abnormal login notification emails
- Abnormal withdrawal emails / withdrawal records
- Abnormal API call records
- Account balance change records
These are core materials for submitting appeals and on-chain tracking later.
3. Stolen Account Appeal Process Within 24 Hours
1. Submit the Official Stolen Account Appeal
In the binance.com Help Center → Account Security → Stolen Account Appeal, fill out the form accordingly:
- Account registration email and phone number
- Time of the theft (accurate to the minute)
- Abnormal IPs / devices / withdrawal TXIDs
- A timeline of all the emergency actions you took
- Upload the screenshots from step two as attachments
Appeals generally receive a first reply within 24–72 hours. Do not submit duplicate requests or change your communication email during this period.
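The screenshots from Minute 5 and the appeal form fields listed above can be assembled into one consistent record. The following is an added example, not part of the original article and not a Binance tool: it converts times shown by different clocks to UTC, hashes each screenshot, and extracts the theft time, abnormal IPs and TXIDs. The record layout, field names, IP address, TXID and dates are all constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample records; "shot" stands in for the bytes of a saved screenshot.
# "when" is the time as displayed, "utc_offset" the offset of the clock that showed it.
RECORDS = [
    {"when": "2024-05-01 11:20", "utc_offset": 8, "actor": "me",
     "event": "froze account", "shot": b"constructed-freeze-confirmation"},
    {"when": "2024-05-01 03:12", "utc_offset": 0, "actor": "attacker",
     "event": "login from unfamiliar device", "ip": "203.0.113.7",
     "shot": b"constructed-device-list"},
    {"when": "2024-05-01 03:19", "utc_offset": 0, "actor": "attacker",
     "event": "withdrawal", "txid": "TXID-PLACEHOLDER-1",
     "shot": b"constructed-withdrawal-email"},
    {"when": "2024-05-01 11:22", "utc_offset": 8, "actor": "me",
     "event": "deleted all API keys", "shot": b"constructed-api-page"},
]


def to_utc(when, utc_offset):
    """Convert a displayed local time to UTC so all evidence shares one clock."""
    local = datetime.strptime(when, "%Y-%m-%d %H:%M")
    return local.replace(tzinfo=timezone(timedelta(hours=utc_offset))).astimezone(timezone.utc)


def build_manifest(records):
    """Sort evidence chronologically and extract the fields the appeal form asks for."""
    timeline = []
    for r in records:
        timeline.append({
            "utc": to_utc(r["when"], r["utc_offset"]).strftime("%Y-%m-%d %H:%M"),
            "actor": r["actor"], "event": r["event"],
            # A hash noted at capture time lets you show the file was not edited later.
            "sha256": hashlib.sha256(r["shot"]).hexdigest(),
        })
    timeline.sort(key=lambda e: e["utc"])  # fixed-width format sorts chronologically
    attacker = [e for e in timeline if e["actor"] == "attacker"]
    return {
        "theft_time_utc": attacker[0]["utc"] if attacker else None,
        "abnormal_ips": sorted({r["ip"] for r in records if "ip" in r}),
        "txids": [r["txid"] for r in records if "txid" in r],
        "my_actions": [e["event"] for e in timeline if e["actor"] == "me"],
        "timeline": timeline,
    }


if __name__ == "__main__":
    for e in build_manifest(RECORDS)["timeline"]:
        print(e["utc"], e["actor"], e["event"], e["sha256"][:16])
```

In the sample, the freeze shown as 11:20 on a UTC+8 clock sorts after the 03:19 UTC withdrawal, which is the ordering the appeal timeline needs to get right.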
2. On-Chain Forensics
If the funds have already been withdrawn, record all withdrawal TXIDs and submit the corresponding receiving addresses to the Binance risk control team. Binance will coordinate with partner exchanges and on-chain analysis firms to freeze them — provided the receiver has transferred the funds into any exchange that enforces KYC.
The window for on-chain forensics is critical:
- 0-2 hours: Highest probability of freezing (funds are usually still in the attacker's wallet).
- 2-24 hours: Medium probability (attacker may have split them via a mixer).
- After 24 hours: Probability drops significantly.
So start at Minute 1 of the emergency checklist and do not delay.
3. Synchronized Police Reporting
Mainland Chinese users can report the case to the cybersecurity department of their local public security bureau (with theft screenshots, TXIDs, and email evidence). Overseas users should report to the FBI IC3 / local financial crime departments according to their country's laws. The police report receipt counts in your favor when the Binance risk control team judges "whether it was a genuine theft".
4. Realistic Expectations for Recovery
Do not be fooled by "100% recovery" claims. The real situation:
- Funds not withdrawn (only password changed / device logged in): Close to 100% recovery
- Withdrawn but still at the original address: 70-90% probability of freezing
- Relayed through a KYC exchange: 30-60% probability
- Passed through a mixer or DeFi cross-chain: Below 10%
Therefore, the value of emergency actions in the first few minutes is often 100 times higher than hiring a lawyer to pursue it afterward.
5. Long-Term Review After a Theft
Whether the funds are ultimately recovered or not, review the following questions:
- How did the attacker get in? (Phishing email / fake app / old device / SIM swap / API leak)
- Which of my defenses failed? (Weak password / SMS 2FA / anti-phishing code not enabled / device not cleared)
- What other accounts use the same password or email?
Finding the root cause and closing off other risks of the same kind is the only way to ensure this lesson wasn't learned in vain.
Summary
- Run the emergency checklist immediately if you suspect a theft; do not wait to confirm.
- Within 5 minutes: freeze → close APIs → change password → kick sessions → screenshot.
- Within 24 hours: appeal + on-chain forensics + report to police.
- The probability of recovery is strongly and positively correlated with "emergency speed".
- Review the root cause and completely block the same attack surfaces.
Being robbed isn't terrifying; what's terrifying is failing to learn how to defend against the next one after being robbed.