The withdrawal whitelist is the final barrier that stops attackers from draining your assets if your account is compromised. This guide covers how to enable it and best practices.
1. What the whitelist does
Once enabled:
- You can only withdraw to addresses on the whitelist.
- Adding a new address triggers a 24-hour cooling-off period (it cannot be used during this time).
- Even if an attacker gets your password and 2FA, they cannot transfer your assets out immediately.
This gives you a time window—a full 24 hours to spot the anomaly and freeze your account.
2. How to enable it
Account → Security → Withdrawal Addresses → Enable Withdrawal Whitelist.
3. Adding an address
1. Go to "Withdrawal Addresses"
Account → Security → Withdrawal Addresses → Add New Address.
2. Fill in the details
- Coin and Network
- Address (your own cold wallet or another exchange)
- Label (e.g., "My Trezor TRC20", "OKX deposit entry")
- Check the box to add it to the whitelist
3. Verify
Confirm the action using 2FA + Email + Anti-phishing code.
4. Wait for activation
By default, new addresses take 24 hours to activate before they can be used for withdrawals.
4. Where should whitelist addresses come from?
Your own cold wallet
The safest option. Use an address derived from a Trezor or Ledger hardware wallet.
Your own deposit addresses on other exchanges
Your personal accounts on OKX, Bybit, Coinbase, etc.
Trusted third parties
Addresses belonging to family or close business partners (use sparingly).
Never use:
- Addresses from strangers
- "High-yield" addresses found online
- "Secure addresses" recommended by customer support imposters or group chat members
5. Best practices
1. Fix your cold wallet addresses permanently
Derive a set of addresses from your cold wallet and stick to them instead of generating a new one every time. Fixed addresses are easier to recognize and make whitelist management stable.
2. Use clear labels
Give every whitelisted address a descriptive label. If something goes wrong, you should be able to identify it at a glance.
3. Don't whitelist too many addresses
3 to 5 frequently used addresses are enough. Having too many just creates management chaos.
4. Audit regularly
Check your whitelist monthly for any unrecognized addresses. Even if attackers gain login access, they have to wait 24 hours to add a new address—by which time you might have already noticed the breach.
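One way to run the monthly audit, as an added example that is not part of the original guide or of any Binance tooling: compare a snapshot of the whitelist against a baseline you keep offline, matching on coin, network, and address rather than on label. The record layout, the addresses, and the function name `audit` are constructed for illustration; the 24-hour delay is the one described in this guide.

```python
from datetime import datetime, timedelta, timezone

COOLING_OFF = timedelta(hours=24)  # activation delay for new addresses, per this guide

# Baseline you keep offline, keyed by (coin, network, address) because the
# whitelist is separate per coin. All values are constructed placeholders.
BASELINE = {
    ("USDT", "TRC20", "T-EXAMPLE-COLD-0001"): "My Trezor TRC20",
    ("BTC", "BTC", "bc1-example-cold-0002"): "My Ledger BTC",
}

# Constructed snapshot of the whitelist as read off the account page.
# The record layout is an assumption, not an exchange export format.
SNAPSHOT = [
    {"coin": "USDT", "network": "TRC20", "address": "T-EXAMPLE-COLD-0001",
     "label": "My Trezor TRC20", "added": "2024-01-10T09:00:00+00:00"},
    {"coin": "BTC", "network": "BTC", "address": "bc1-example-cold-0002",
     "label": "My Ledger BTC", "added": "2024-01-10T09:05:00+00:00"},
    # Same label as a trusted entry, different address: labels prove nothing.
    {"coin": "USDT", "network": "TRC20", "address": "T-EXAMPLE-UNKNOWN-9999",
     "label": "My Trezor TRC20", "added": "2024-03-01T02:15:00+00:00"},
    # Known address string filed under a network that is not in the baseline.
    {"coin": "USDT", "network": "BEP20", "address": "T-EXAMPLE-COLD-0001",
     "label": "My Trezor TRC20", "added": "2024-02-01T00:00:00+00:00"},
]

def audit(snapshot, baseline, now):
    """Return unrecognized entries with the time left before each is usable."""
    findings = []
    for entry in snapshot:
        key = (entry["coin"], entry["network"], entry["address"])
        if key in baseline:
            continue
        usable_at = datetime.fromisoformat(entry["added"]) + COOLING_OFF
        remaining = max(usable_at - now, timedelta(0))
        findings.append({"key": key, "label": entry["label"],
                         "status": "COOLING_OFF" if remaining else "ACTIVE",
                         "remaining": remaining})
    # Entries that can already be used for withdrawals come first.
    return sorted(findings, key=lambda f: f["remaining"])

if __name__ == "__main__":
    now = datetime(2024, 3, 1, 12, 15, tzinfo=timezone.utc)
    for f in audit(SNAPSHOT, BASELINE, now):
        print(f["status"], f["key"], "usable in", f["remaining"])
```

An entry reported as `COOLING_OFF` is the case this guide describes: there is still time to freeze the account before the address becomes usable.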
6. The Whitelist + Anti-phishing code + 2FA combo
These three features form the "holy trinity" of Binance account security:
| Layer | What it defends against |
|---|---|
| Anti-phishing code | Email phishing |
| 2FA | Logins after password leaks |
| Whitelist | Asset transfers after account compromise |
Missing any one of these leaves a significant vulnerability. Using all three elevates your account security to banking-level standards.
7. Emergency shutdown of the whitelist
If your account is stolen:
- The attacker will try to disable the whitelist (which requires 2FA).
- Disabling it triggers a cooling-off period (24-48 hours).
- During this time, you can spot the activity and freeze the account.
If you want to turn it off yourself:
- Account → Security → Withdrawal Addresses → Disable
- This also comes with a cooling-off period.
8. Relationship with the "24-hour lock"
Besides the whitelist, Binance has a "24-hour security lock"—after certain actions (changing 2FA, changing your password, changing your anti-phishing code), all withdrawals are suspended for 24 hours.
This mechanism complements the whitelist:
- Whitelist: restricts the destination address.
- 24-hour lock: enforces an operational cooling-off period.
Combined, they make the cost of a successful attack extremely high.
FAQ
Q1: How many addresses can the whitelist hold? There is no hard cap. However, it is recommended to keep it under 10 for easier management.
Q2: Can I expedite a withdrawal in an emergency? No. The 24-hour cooling-off period is a hard rule with no fast-track options.
Q3: Can I modify a whitelisted address? No, you cannot edit an address. You must delete the old one and add a new one, which also triggers the 24-hour delay.
Q4: Do I use the same whitelist for all coins? It is separated by coin. Every coin runs on different networks, so their addresses are independent.