A feature on an official Coinbase subdomain has recently drawn significant attention and concern from blockchain security experts. The page requires users to enter their seed phrases in plain text to recover crypto assets, a design widely criticized for conditioning users to fall for routine social engineering attacks and for risking the seed phrases themselves ending up in the hands of malicious actors.
This page was part of the finalization efforts for Coinbase Commerce's business before the March 31st deadline. Security researchers, including Yu Xian (online alias Evilcos), founder of the renowned blockchain security firm SlowMist, publicly highlighted the issue on March 19, 2026.
The alert is particularly noteworthy given the sensitive timing for Coinbase and some of its users. With the Coinbase Commerce platform shutting down, thousands of merchants are rushing to retrieve their funds. The pressure of an urgent deadline creates fertile ground for users to become careless and hastily enter sensitive credentials. Furthermore, the page offers the option to paste seed phrases copied from cloud storage services such as Google Drive.
Notably, Coinbase's own help documentation explicitly states that the company will never ask for or access users' recovery phrases. However, the design of this Commerce page appears to directly contradict this core security principle.

Security Vulnerabilities and Potential Attack Vectors
Researchers' concerns extend beyond how Coinbase might handle this data to the page's design itself, which they believe provides a "blueprint" for fraudulent activities.
Security researcher 23pds added that another potential issue with the page is its "flawed sitemap linking to the website." He explained that attackers could easily use tools like ResourcesSaver to download the frontend code and deploy a look-alike website. Combined with a phishing campaign using a domain that mimics Coinbase's, users would be highly susceptible to deception.
"So basically Coinbase has an official page live that threat actors can leverage for seed phrase social engineering against Coinbase users?" one researcher wrote on social media. He added, "Hope the team fixes and removes it ASAP."

As of press time, Coinbase has not issued any statement on the matter, nor has the page been removed.
Past Incidents of Coinbase and User Attacks
Coinbase has previously faced criticism for its handling of phishing threats targeting its customers.
In February 2025, investigative reporter ZachXBT reported that users lost over $65 million to such attacks in just two months, a fraction of his estimated $300 million in annual losses. The reporter pointed out that fraudsters often impersonate Coinbase customer support and use fake admin panels to automate attacks in real-time.
In response to previous incidents, Coinbase terminated implicated employees, notified regulators, and offered affected users one year of credit monitoring services. Additionally, the company set aside $180 million to $400 million for compensation and customer refunds and offered a $20 million reward for information leading to the capture of perpetrators.