How to Spot a Fake Binance Website? Which Characters in the Address Bar Are Replaced Most Often

Four common disguises of counterfeit Binance domains: IDN homograph characters, position swapping, suffix confusion, and subdomain fronting. This article demonstrates how to identify each one and provides Punycode query tips.

Phishing domains impersonating Binance are registered every day, and the tactics are constantly evolving. For the average user, the most important thing is not to memorize every scam case, but to build muscle memory to spot anomalies with a single glance at the address bar. If you want to log into the genuine site, use the Binance Official Website; if you want to download the official APP, use the Binance Official App; iPhone users can simply follow the iOS Installation Guide. Any other domain that "looks like Binance" should be cross-verified using the four routines below.

1. Routine One: IDN Homograph Attack

This is the hardest to prevent. The domain registered by the attacker looks almost exactly like binance.com once rendered, but it actually uses non-Latin character sets, such as:

  • Replacing the English 'a' with the Cyrillic а (Unicode U+0430 vs U+0061).
  • Replacing the English 'o' with the Greek ο.
  • Replacing the English 'i' with the Turkish ı.
  • Swapping the lowercase 'l' (l) and the uppercase 'I' (I) (they look identical in some fonts).

These characters are almost indistinguishable from the original letters in the address bar, but the underlying domain is stored in Punycode encoding, and the affected part of it starts with xn--.

Identification Methods

  1. Copy the address into a text editor: If the pasted characters are different from what you entered, it's a homograph.
  2. View the Punycode source: In Chrome, you can see the actual domain by clicking the small lock icon next to the address bar → "Certificate"; in Firefox, you can force the display of the xn-- format by enabling network.IDN_show_punycode = true in about:config.
  3. Google Translate test: Paste the suspicious domain into Google Translate. If it recognizes it as Russian, Greek, or another non-English language, it is an IDN domain.

The real binance.com will copy as an ASCII binance.com in any browser, without any strange characters appearing.
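The "copy it and look at the real characters" check can also be scripted. The following is an added example, not part of the original article: it uses Python's built-in idna codec and unicodedata module to show the xn-- spelling of a hostname and to name every non-ASCII character in it. The sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed samples: Cyrillic а (U+0430) and Turkish dotless ı (U+0131).
SAMPLES = ["binance.com", "bin\u0430nce.com", "b\u0131nance.com"]

def inspect_hostname(host):
    """Return (unicode_form, ascii_form, findings) for a hostname.

    Accepts either spelling: the Unicode text copied from the address bar
    or the xn-- form seen in a raw link.
    """
    host = host.strip().rstrip(".")
    try:
        unicode_form = host.encode("ascii").decode("idna")  # xn-- -> Unicode
    except UnicodeError:
        unicode_form = host                                  # already Unicode
    try:
        ascii_form = unicode_form.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # cannot be encoded as an IDNA hostname
    findings = []
    for label in unicode_form.split("."):
        for pos, ch in enumerate(label):
            if ord(ch) > 0x7F:  # anything outside ASCII is suspicious here
                findings.append((label, pos, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "UNKNOWN")))
    return unicode_form, ascii_form, findings

if __name__ == "__main__":
    for sample in SAMPLES:
        uni, asc, found = inspect_hostname(sample)
        print(f"{uni!r} -> {asc}")
        for label, pos, codepoint, name in found:
            print(f"    {label!r}[{pos}] {codepoint} {name}")
```

Note that the dotless ı is reported as a LATIN letter, so a check that only looks for "foreign scripts" would miss it; the non-ASCII test catches it.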

2. Routine Two: Letter Position Swapping

Attackers swap, remove, or repeat letters in the original domain so that the change goes unnoticed during a quick scan:

Fake Domain      Swap Method
bianance.com     Swapped bi and na
binanse.com      ce → se
binanc-e.com     Added a hyphen
biinance.com     Repeated i
binace.com       Missing an n
binnance.com     Repeated n

These domains are particularly hard to spot on small mobile screens. The way to identify them is to read the domain in the address bar letter by letter, or rely on these small tricks:

  • In Chrome, press Ctrl+L to select the entire address bar, then Ctrl+C to copy.
  • Paste it into Notepad and enlarge the font to inspect it.
  • Compare it word for word with the real binance.com saved in your bookmarks.

3. Routine Three: Suffix Confusion

Attackers use non-.com suffixes to register domains that seem logical:

  • binance.app
  • binance.io
  • binance.cc
  • binance.vip
  • binance.top
  • binance.live
  • binance.club
  • binance.world

Read literally, these domains sound like "Binance's app" or "Binance's official site", but the official team explicitly uses only the .com main domain and a few .info/.asia mirrors. All other suffixes are unofficial. When evaluating, remember this sentence:

Any suffix not explicitly listed in the official help center announcements is considered a counterfeit.

4. Routine Four: Subdomain Fronting

This is currently the most deceptive tactic. Attackers register an obscure domain and then use 'binance' as a subdomain prefix right at the front:

  • binance.login-secure.com → The main domain is login-secure.com
  • www.binance.authcheck.xyz → The main domain is authcheck.xyz
  • login.binance.wallet-verify.com → The main domain is wallet-verify.com

The "main domain" in a URL is always the second-to-last segment + the top-level suffix. If the main domain is not binance.com, no matter how many "binance." subdomains appear in front of it, it is phishing.

Identification Method: Read Backwards

Read the URL from right to left, skipping "https://" and "www.". The first thing you'll see is the top-level suffix (like .com/.org), and moving left gives you the main domain. If the main domain is not binance, close the page immediately.

Examples:

  • https://binance.app-verify.com/login → Read from right to left: .com → app-verify → The main domain is app-verify.com, which isn't Binance's.
  • https://www.accounts.binance.com/login → Read from right to left: .com → binance → The main domain is binance.com, the "accounts" before it is just a subdomain, so it's official.

5. A Complete Domain Verification Workflow

When encountering an uncertain "Binance" link, follow these four steps:

  1. Read the main domain → The main domain must be binance.com (or an official mirror from the help center announcements).
  2. Check the characters → Copy it to a text editor to confirm there are no non-ASCII characters.
  3. Look at the suffix → If it's a suffix other than .com, consider it phishing unless officially confirmed.
  4. Verify the certificate → Small lock icon → The certificate issuer's domain must match the address bar's main domain.

Once you are proficient, this workflow takes about 15 seconds to complete. The cost is extremely low, but it can block 99% of phishing attacks.
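Steps 1 to 3 of the workflow can be expressed as a short classifier that also labels which of the four routines a link matches. This is an added example, not part of the original article; the function names, the reason strings and the edit-distance threshold of 2 are assumptions, and step 4 (the certificate check) is left out because it needs a live connection. It applies the article's "last two segments" rule as written, so suffixes made of two parts, such as .co.uk, would need the Public Suffix List instead.

```python
from urllib.parse import urlsplit

OFFICIAL = {"binance.com"}  # assumption: extend only from official announcements

def osa_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) turning a into b."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_url(url):
    """Return (is_official, reason) for steps 1-3 of the workflow."""
    if "//" not in url:
        url = "//" + url                      # let urlsplit locate the host
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    main = ".".join(labels[-2:])              # step 1: read backwards
    if main in OFFICIAL:
        return True, "official main domain"
    if any(ord(c) > 0x7F for c in host) or any(l.startswith("xn--") for l in labels):
        return False, "non-ASCII or Punycode label"        # step 2
    name = labels[-2] if len(labels) > 1 else host
    if name == "binance":
        return False, "suffix confusion"                    # step 3
    if "binance" in labels[:-2]:
        return False, "subdomain fronting"
    if osa_distance(name, "binance") <= 2:
        return False, "letter-level lookalike"
    return False, "unrelated main domain"

# Constructed sample URLs built from the patterns discussed in this article.
SAMPLES = ["https://www.accounts.binance.com/login", "https://binance.vip/",
           "https://binance.app-verify.com/login", "https://binanc-e.com",
           "https://bin\u0430nce.com/", "login.binance.wallet-verify.com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_url(sample))
```

Only an exact match on the main domain returns True; the lookalike label is a reason for the rejection, so an unrelated name that happens to be close to "binance" is still simply "not official".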

6. How to View "Binance Links" in Emails

Phishing links in emails are even more common. Do not use your mouse to click the link; instead:

  1. Hover your mouse over the link, and the browser will show the real URL at the bottom.
  2. On mobile, press and hold the link (do not click), and a preview of the real URL will pop up.
  3. Apply the four-step verification process to the real URL.
  4. Click only if confirmed official; if unsure, delete the email directly.

Additionally, manually opening your browser and typing binance.com is 100 times safer than clicking an email link. If the email content is truly important, you will see the same notification on the site after logging in.

7. What to Do After Encountering a Phishing Domain

If you discover a phishing site, you can do three things:

  1. Do not log in, close the page immediately.
  2. Report it to Binance: After logging into the real binance.com, use Help → Report Phishing, and submit the domain and screenshots.
  3. Report it to Google Safe Browsing: Visit safebrowsing.google.com/safebrowsing/report_phish/ to help other users see warnings in their browsers.

Make these actions a habit, and the overall community's anti-phishing capabilities will gradually improve.

FAQ

Q: Will Chrome automatically flag phishing sites?
A: Yes, but there is a delay. Google Safe Browsing requires enough reports before it flags something, so newly registered phishing domains will have no warnings for the first few days. Do not rely on browser flags; depend on your own identification skills.

Q: Why does the real binance.com sometimes trigger a security warning?
A: Usually, this is because the HTTPS certificate is being rotated or your system time is wrong. Real Binance certificates are always valid. If you see a certificate error, first check your system time, then verify the domain; if both are correct and the problem persists, try again in a few hours.

Q: If I use Safari on a Chromebook or iPad, will the domain look different?
A: The main domain content of the URL does not change due to the device, but the display style might. Regardless of the device, you can make an accurate judgment by using the "Read Backwards + Check Suffix" method.

Q: The domain looks fine, but after entering my password, I was redirected to another domain. What is happening?
A: This is a very dangerous signal. True Binance logins will not switch to another main domain (it might switch to accounts.binance.com under the same main domain, but the main domain is still binance.com). Stop operations immediately and follow the "Emergency Checklist After a Suspicious Login".
