If you just clicked a link marked "Binance Official" in a chat group, email, or forum, and the address bar shows binance-cn.top or a similar domain, don't hesitate — follow the four steps below to handle it immediately. The entry links on this site are safe to use: Binance website, mobile Binance official app, if you don't have the iOS app installed see the iOS install guide.
I. Three Things Not to Do (Clear the Mines First)
- Do not close the page immediately — take a screenshot first to keep evidence on file
- Do not enter any account passwords on that page — even if the page looks exactly the same
- Do not click any buttons on the page — including "Back", "Home", or "Customer Service", as they could all be phishing traps
II. Four-Step Emergency Process
Step 1: Take Screenshots to Retain Evidence
Press the PrtScn key or use your phone's native screenshot feature to capture the current address bar and page UI. Hover your mouse over a few buttons and record the target URLs that pop up. These screenshots are hard evidence for future appeals if something goes wrong.
Step 2: Disconnect the Network
Unplug your computer's ethernet cable / turn off Wi-Fi; put your phone in airplane mode. This step is to cut off any additional scripts the page might be loading in the background.
Step 3: Check Your Account on Another Clean Device
Use mobile data to open the APP, or use a bookmark to access binance.com on another computer, and do these things:
| Check Item | Location | Abnormal Behavior |
|---|---|---|
| Login History | Account → Security → Login Activity | Unfamiliar IP or device |
| Bound Devices | Account → Security → Device Management | Unrecognized device name |
| API Key List | Account → API Management | Keys you didn't create |
| Withdrawal Whitelist | Account → Security → Withdrawal Addresses | Unfamiliar receiving address |
| Asset Snapshot | Wallet Overview | Abnormal balance changes |
If any item is abnormal, immediately proceed to Step 4.
Step 4: Modify Security Credentials
Perform these operations in the following order:
- Change your login password (use a password manager to generate a random 16+ character password)
- Reset Google Authenticator (the old 2FA becomes invalid, bind a new one)
- Delete all API Keys
- Clear the withdrawal whitelist
- Kick out all logged-in device sessions
- Reset your anti-phishing code
III. How to Judge the Risk Level of This Redirect
Low Risk: Display Page Only
The page you jumped to only shows text or image ads and doesn't ask you to log in or fill in information. This is usually traffic fraud and doesn't pose a risk to your account. However, it's still recommended to clear your browser cache and check your hosts file.
Medium Risk: Login Page Phishing
You jumped to a "Binance login page" that looks exactly the same. As long as you haven't entered your account password on it, you are fine. Close it immediately and take screenshots for evidence.
High Risk: Entered Account and Password
If you entered any information on the phishing page after the redirect, process it according to Step 4 of this article; at the same time, contact Binance customer service to submit a "Suspected phishing, suspected account theft" ticket.
Extremely High Risk: Entered 2FA Code
Phishing sites will ask you to enter 2FA "to verify again for security". If you have entered it, the attacker will log in to your account in real-time using these credentials. Disconnect immediately to prevent further operations, and then use another device to follow the emergency process.
IV. How Do Redirect Links Happen?
Understanding the principles helps with prevention. Common pathways include:
- Chat App Link Relays: A "Binance Event" link posted in a group goes through short links like t.cn, bit.ly, or tinyurl, eventually jumping to a phishing domain
- Search Engine Ad Slots: Ads show binance.com, but clicking actually jumps to a phishing domain
- HTTP Site Redirects: You visit http://binance.com (note it's http), and a man-in-the-middle inserts a 302 redirect jumping to a phishing domain
- Browser Extension Hijacking: After installing a malicious extension, all links pointing to binance.com are rewritten
- Router DNS Hijacking: Home router firmware is compromised, and DNS resolution returns a fake IP
V. Four Long-Term Defenses
- Always enter through a bookmark — bookmarks are hardcoded URLs and won't be altered by a man-in-the-middle
- HTTPS Everywhere — automatically upgrade all HTTP to HTTPS to avoid plaintext hijacking
- Encrypted DNS: Use DoH or DoT, leveraging Cloudflare
1.1.1.1or Google8.8.8.8 - Regularly Audit Browser Extensions: Clear out unused extensions once a month
FAQ
Q1: The page didn't ask me to log in after the redirect, am I okay? Basically fine. But it's recommended to clear cache, delete suspicious extensions, and check hosts to prevent repeated redirects in the future.
Q2: How do I take a screenshot of a mobile link redirect? For iOS, press the Volume Up and Power buttons simultaneously; for Android, it's usually Volume Down and Power. Return to the app after capturing.
Q3: Can I report phishing links to Binance? Yes. Search for "Report Phishing" in the Binance Help Center. After submitting the link, the official team will push it to their browser blacklist partners.
Q4: Can I still click on Binance links sent by friends in groups? It's recommended not to click them at all. Go directly through your own bookmark or the APP.