Someone Logged Into My Binance Account: How to Kick Out Suspicious Devices

Q: What is the difference between the Trusted Device list and the Login Device list?

The Login Device list shows all devices that have ever logged in (including one-time logins). The Trusted Device list contains devices you have marked as permanently trusted (which don't require secondary email verification during login). You should clean both lists—remove any device that isn't yours and keep the Trusted Device list limited to 1 or 2 devices you use most frequently.

If you find suspicious login records on the Binance Official Website security page, or receive a notification email stating "Your account has been logged in from [City Name]," the first thing you must do is kick that device out. The Binance Official APP provides a "Device Management" portal where you can handle this with one click. iPhone users can refer to the iOS installation guide to set up the app and remove suspicious devices from their account instantly.

A: Go to "Security" → "Device Management," find the device that isn't yours, and click "Remove" to force it to log out. However, simply logging out the device is not enough—you must immediately change your password, reset your 2FA, check your API Keys, and scan your address whitelist for any unauthorized additions. Skipping any of these steps could leave you vulnerable to another intrusion.

Step 1: Access the Device Management Page

A: After logging in, go straight to "Device Management" first. Do not visit other pages. Every second your account is exposed is another second of risk.

PC Desktop Entrance

Log in to your Binance account.
Hover over the profile icon in the top right corner.
Select "Security" from the dropdown menu.
Scroll down to the middle section and find "Device Management."
Click "Manage" to enter.

The page will list all devices that have logged into your account within the last 30–90 days.

APP Entrance

Open the Binance App.
Click the profile icon in the top left corner.
Select "Security."
Find "Device Management."

The list shown in the App is identical to the web version, and you can remove devices with a single tap.

Step 2: How to Identify Suspicious Devices

A: Each device record contains 6 key pieces of information—Device Model, Operating System, Browser, IP Address, City, and Last Login Time. Cross-reference these with your own devices.

Fields You Should Review

A typical record looks like this:

iPhone 15 Pro · iOS 18 · Safari · 124.236.XX.XX · Hong Kong · 2026-04-23 14:32:11

Or:

Windows PC · Chrome 124 · 119.85.XX.XX · Beijing · 2026-04-22 09:15:08

Methods to Identify Unknown Devices

Does the device model match yours? If you only own an iPhone 15 Pro and an iPhone 12 appears in the list → Suspicious.
Is the OS version consistent? If your iPhone is on iOS 18 but the record shows iOS 16 → Suspicious.
Is the IP city reasonable? If you've been in Shanghai all week but records show Beijing or Hong Kong → Suspicious (unless you used a VPN).
Does the login time match your activity? If a login occurred at 3 AM while you were asleep → Suspicious.
Does the browser match? If you only use Chrome but see Firefox or Edge → Suspicious.

If you have used a VPN or traveled recently, judge more carefully—a VPN IP might show your legitimate device as being in Singapore, Japan, or the US. This "geographic anomaly" isn't necessarily an intrusion.

Common Pitfalls

Switching browsers or updating the OS on the same device may create a new entry; this isn't necessarily an intruder.
Switching between mobile data and Wi-Fi will cause the IP to change, but the IP range should remain similar.
Corporate networks or hotel Wi-Fi can cause sudden IP changes.

Your Devices vs. Suspicious Devices Comparison

A: Use the following table to quickly determine if a login is a real intrusion.

Checkpoint	Your Device	Suspicious Device
Device Model	Models you own	Models you don't own
OS Version	Matches yours	Significantly older or newer
IP City	Places you've visited recently	Completely unfamiliar cities/countries
Login Time	Aligns with your daily activity	Middle of the night / times you couldn't log in
Browser	Your usual browser	One you never use
Login Frequency	Frequent	Appears once or twice and vanishes
Related Actions	Matches your trading behavior	Followed by suspicious withdrawals or API creation

If you find a suspicious device, the priority is: Immediate Logout → Change Password → Reset 2FA → Revoke all APIs → Check Whitelist → Contact Support.

Step 3: Force Logout the Suspicious Device

A: Clicking "Remove" or the logout button on the right side of the device entry will immediately invalidate that session. The next time someone tries to use that same browser to access Binance, they will be forced to log in again.

Operational Steps

Locate the suspicious device in the list.
Click "Remove this device" on the right.
A pop-up will ask for your 2FA verification code.
Enter the code to confirm.
The device will disappear from the list, and the session will be terminated instantly.

Should You Enable "Remove and Lock This Device"?

Some versions of Binance offer a stricter option: "Remove and prohibit this device fingerprint from logging in again." If you are certain the device belongs to an attacker, check this box. They will be directly rejected if they try to log in again using the same browser fingerprint. Note, however, that an attacker can bypass this by clearing their cache or switching browsers, so this is a delay tactic, not a total block.

Step 4: Immediately Change Password + Reset 2FA

A: Logging out the device only closes the door. If the attacker still has your password, they still have the key—you must immediately change your password and reset your 2FA.

Change Password

Go to Security Settings → "Login Password" → Change.
Enter your old password + a new password (ensure they are significantly different).
Provide your email verification code + 2FA code.
After the change, all existing sessions (except your current one) will be forced to log out.

New Password Requirements:

At least 16 characters.
A mix of uppercase, lowercase, numbers, and symbols.
Do not reuse passwords from other websites.
Use a password manager for maximum security.

Reset 2FA

If you suspect your 2FA has been compromised (e.g., someone took a photo of your backup key), you must reset it:

Security Settings → Google Authenticator / Binance Authenticator → "Disable."
Complete email, SMS, and old 2FA verification (if still valid).
Once disabled, re-enable it immediately and scan the new QR code.
Write down the new backup key on paper and destroy the old one.

Step 5: Check API Keys, Whitelists, and Withdrawal History

A: Many attackers do not withdraw funds immediately after gaining access. Instead, they quietly add "long-term backdoors" like API Keys or whitelisted addresses. You must check these areas after logging out devices and changing passwords.

Check API Keys

Go to the "API Management" page.
Look for any Keys you did not create.
Check the permissions for each Key—especially if "Enable Withdrawals" has been turned on.
Check if an attacker's IP has been added to the IP whitelist.
Delete any Key you did not create immediately.
Delete and recreate any Key you created that has incorrect permissions.

Check Address Whitelist

Go to "Address Management."
Review the whitelist for every cryptocurrency.
Delete any address you do not recognize immediately.
Deletion takes effect instantly.

Check Recent Withdrawal History

Go to "Wallet" → "Transaction History" → "Withdraw."
Review the last 30 days.
Screenshot any unauthorized withdrawals and contact support to report the incident.

Check OAuth / Third-Party Authorizations

Look for "Third-party Authorization" near API Management.
Check for any apps you don't recognize.
Revoke all of them.

Step 6: Contact Support to Report the Incident

A: Regardless of whether funds were stolen, you should open a ticket with support to formally record the event. This creates a paper trail for any future disputes and helps Binance flag risky activity.

Ticket Content Example

Subject: Suspicious login detected and removed

UID: XXXXXXXX
Time of detection: 2026-04-24 XX:XX
Suspicious device details:
- Device: iPhone 12, iOS 16
- IP: XXX.XXX.XX.XX
- Location: XXX
- Login time: 2026-04-XX XX:XX

Actions taken:
1. Removed the device from device list
2. Changed password
3. Reset Google Authenticator
4. Reviewed API keys (none found / removed X keys)
5. Reviewed whitelist addresses (none added / removed X addresses)
6. Reviewed recent withdrawals (no unauthorized / X unauthorized)

Requesting:
- Full security audit of my account
- Confirmation of any unauthorized activity
- Possible 24-hour withdrawal lock for additional protection

Proactively requesting a 24-hour withdrawal lock is a good move—it gives you time to calm down and thoroughly secure your account.

FAQ

Q: A suspicious device logged in but didn't do anything. Do I still need to change my password? A: Yes, absolutely. Logging in is just the first step for an attacker. They might be gathering information for a future move (checking balances, finding linked accounts, or cloning cookies to bypass 2FA). Just because they haven't acted yet doesn't mean they won't. Changing your password and resetting 2FA is a mandatory part of the process.

Q: What if my own device is shown as a suspicious device? A: Check carefully—for example, if you used Chrome's Incognito mode on your work computer once, it might be identified as a new device. If you're unsure, it's better to be safe and remove it. Logging out just means you'll have to sign in again on that device; there is no real loss.

Q: Can the attacker log back in after I remove their device? A: Removing a device only ends the current session. If the attacker still has your password and 2FA code, they can log in again immediately. This is why removing a device must never be done in isolation; it must be paired with a password change and 2FA reset to truly block access.

Q: What is the difference between the Trusted Device list and the Login Device list? A: The Login Device list shows all devices that have ever logged in (including one-time logins). The Trusted Device list contains devices you have marked as permanently trusted (which don't require secondary email verification during login). You should clean both lists—remove any device that isn't yours and keep the Trusted Device list limited to 1 or 2 devices you use most frequently.

Q: How do I log out a lost phone? A: Log in to your account from another device, go to Device Management, and remove the lost phone. If you can't log in at all, follow the Binance "2FA Reset" process—upload your ID, complete video verification, and wait 3–15 days for review (withdrawals will be locked during this time). Therefore, the first thing you should do after losing a phone is use a computer to log in, change your password, and remove the device immediately.

Q: Why does my IP always show as an unfamiliar city? A: Common reasons include: inaccurate mobile data tower location (e.g., you are in Shenzhen but the carrier station is registered in Dongguan), your ISP using CGNAT to share IPs (multiple people sharing one exit IP), or using a CDN or proxy. This geographic deviation is usually within a few dozen to a few hundred kilometers. You should only be alarmed if the deviation is international (e.g., you are in China but it shows Europe).

Q: Will deleting all API Keys affect my quantitative trading strategy? A: It will cause your current quantitative strategies to fail, but clearing API Keys after detecting a suspicious login is a necessary sacrifice. You can recreate new Keys later. When you do, remember to: restrict IPs, only enable necessary permissions, do not enable withdrawals, and rotate them regularly. This temporary setback is a small price to pay for account security.