Security researcher ZachXBT has warned that the Coinbase Commerce recovery page asks users to type in their 12-word seed phrases, a practice that trains users to hand over their keys on a web form and gives phishers a genuine Coinbase page to copy.
Security researchers have discovered a concerning page on Coinbase’s website. Located at withdraw.commerce.coinbase.com, the page prompts users for their 12-word seed phrase, stating that it is needed to recover assets held through Coinbase Commerce. Despite the security risk, Coinbase has not removed the page.
On-chain investigator ZachXBT warned on X (formerly Twitter) that a new Coinbase page could potentially be exploited by scammers. He questioned whether Coinbase had fully considered the risks, suggesting the page could help attackers target users by tricking them into revealing their seed phrases. The post quickly gained thousands of reactions and shares.
When an Official Page Becomes the Weapon
Security researcher evilcos noticed a concerning page on a cryptocurrency exchange and initially thought it might have been hacked. They pointed out on X (formerly Twitter) that the page was asking users for their sensitive recovery phrases in plain text, which seemed highly unusual for a reputable exchange. It turned out the page was legitimate, but the practice still raised security concerns.
The help section on Coinbase Commerce explains how to recover funds. It notes that because Commerce generated a new wallet address for each payment, a merchant’s money can be spread across many addresses, sometimes thousands. Simply importing a recovery phrase into a regular wallet may not show the full balance, because standard wallets stop scanning once they hit a run of consecutive unused addresses (the “gap limit”, commonly 20 under BIP44), and Commerce addresses created for checkouts that were never paid count as unused. For cryptocurrencies like Bitcoin, Coinbase previously advised users to use a dedicated withdrawal tool before March 31, 2026, to access all of their funds.
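To show why a normal wallet import under-reports a Commerce merchant’s balance, here is an added simulation (not Coinbase’s code, and not a real BIP32 derivation). A hash of the seed and index stands in for address derivation, and the on-chain balances are constructed for the example: only some of the per-checkout addresses were ever paid, so long stretches of unfunded addresses separate the funded ones. The function names, the gap limits and the balances are all assumptions of this example.

```python
import hashlib

# Stand-in for BIP32/BIP44 child-address derivation (assumption: a real wallet
# derives keys from the seed phrase; a hash keeps this runnable offline).
def derive_address(seed: str, index: int) -> str:
    return hashlib.sha256(f"{seed}/{index}".encode()).hexdigest()[:16]

SEED = "example seed phrase for this simulation only"   # constructed, not a real key

# Constructed on-chain history: Commerce hands out one address per checkout, but
# only paid checkouts fund their address, so funded indices are sparse.
FUNDED_INDICES = {0: 150_000, 3: 20_000, 7: 45_000, 40: 300_000,
                  41: 12_000, 95: 80_000, 500: 999_000}          # satoshis
BALANCES = {derive_address(SEED, i): amt for i, amt in FUNDED_INDICES.items()}


def gap_limit_scan(seed, balances, gap_limit=20, hard_cap=100_000):
    """Mimic an ordinary HD wallet: derive addresses in order and stop after
    `gap_limit` consecutive addresses with no history. Returns (total, indices
    found, index at which the scan gave up)."""
    total, found, unused_run, index = 0, [], 0, 0
    while unused_run < gap_limit and index < hard_cap:
        addr = derive_address(seed, index)
        if addr in balances:
            total += balances[addr]
            found.append(index)
            unused_run = 0
        else:
            unused_run += 1
        index += 1
    return total, found, index


def exhaustive_scan(seed, balances, max_index):
    """What a dedicated withdrawal tool can do: it knows how many addresses were
    ever generated, so it checks every index up to that count."""
    total, found = 0, []
    for index in range(max_index):
        addr = derive_address(seed, index)
        if addr in balances:
            total += balances[addr]
            found.append(index)
    return total, found


def missing_funds(seed, balances, gap_limit, addresses_generated):
    """Balance an ordinary wallet would fail to show for this merchant."""
    seen, _, _ = gap_limit_scan(seed, balances, gap_limit)
    full, _ = exhaustive_scan(seed, balances, addresses_generated)
    return full - seen


if __name__ == "__main__":
    for limit in (20, 60):
        total, found, stopped = gap_limit_scan(SEED, BALANCES, limit)
        print(f"gap limit {limit}: saw {total} sats at indices {found}, "
              f"gave up at index {stopped}")
    full, _ = exhaustive_scan(SEED, BALANCES, 1_000)
    print(f"full scan over every generated address: {full} sats")
```

With a gap limit of 20 the scan stops after index 27 and reports 215,000 sats; raising the limit to 60 reaches the cluster at indices 40, 41 and 95 but still gives up long before index 500. Only a scan that knows how many addresses Commerce actually generated recovers the full 1,606,000 sats, which is the reason a dedicated withdrawal tool exists at all.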
The instructions explain how to find a previously saved backup of your secret recovery phrase from Google Drive and use it to access your funds. Security researchers believe this process is the main vulnerability.
Two Separate Problems, One Very Dangerous Page
Security researcher im23pds highlighted two separate problems with the page. First, even though the link comes from a genuine Coinbase domain, asking users to enter their secret recovery phrase to confirm their assets is a risky practice in itself. Second, the page’s front-end code can be downloaded wholesale by anyone. Paired with a lookalike domain, this makes it far simpler for attackers to stand up a pixel-perfect Coinbase phishing page.
In a previous post on X, user im23pds pointed out that the webpage was created without much care. The team didn’t even bother to create a sitemap, which unfortunately makes it easier for others to duplicate the page’s design.
And the page was built very carelessly… it went live without even setting up something as basic as a sitemap :-) 👇
— 23pds (山哥) (@im23pds)
Source: im23pds
As a researcher, I’ve found the biggest risk isn’t a direct hack of Coinbase itself. Instead, attackers are tricking users into giving away their information. They do this by creating convincing, fake copies of legitimate Coinbase pages and then asking for a user’s seed phrase. Because the fake page looks so similar to the real one, users are often led to believe it’s safe and willingly hand over their sensitive data.
The Broader Pattern Here
This type of scam isn’t new for Coinbase. ZachXBT has reported before on how criminals misuse the Coinbase name in social engineering attacks, typically by posing as support staff and steering victims into fake channels to steal funds. This time, Coinbase’s own recovery page unintentionally lowers the bar for scammers: they no longer have to impersonate anyone, only copy a page that already asks for the seed phrase.
The page remains live. Coinbase has not responded publicly to the concerns raised.
2026-03-19 21:42