A page on an official Coinbase subdomain that prompts users to enter their mnemonic seed phrases in plain text to recover crypto assets has been flagged by blockchain security experts. 

Their main gripe with the Coinbase page setup is that it risks exposing users to textbook social engineering attacks, and that the exposure may already be in the hands of criminals.

The page was published as part of Coinbase Commerce’s wind-down process ahead of a March 31 deadline.

Coinbase draws ire for exposing customers to phishing threats

A Coinbase page was flagged publicly on March 19, 2026, by Yu Xian, known online as Evilcos, the founder of blockchain security firm SlowMist. 

Xian wrote on X while also sharing screenshots, “I’m really puzzled why Coinbase would have a page like this, directly asking users to input their plaintext mnemonic phrases for asset recovery? Such an insecure practice is simply unbelievable… I almost thought the subdomain had been hacked.”

The alarm is also coming at a sensitive period for Coinbase and some of its users, as its Commerce platform is in the final weeks of a shutdown, pushing thousands of merchants to recover funds urgently. 

This is precisely the kind of deadline pressure that makes users hasty and less careful about where they input credentials. 

There is also the option for users to copy the phrases that they saved on cloud storage services like Google Drive.

Coinbase’s own help documentation states that the company will never ask for or have access to a user’s recovery phrase, a principle the Commerce page appears to contradict directly.

How could this be exploited by attackers?

The concern among researchers runs beyond what Coinbase itself might do with the data. The page’s design, they say, provides a blueprint for fraud. 

23pds, Chief Information Security Officer at SlowMist, stated: “While the link is from the official Coinbase website, directly asking users to transmit their mnemonic phrase to verify assets is extremely foolish.”

23pds also added that another issue with the page is that “The website linked to has a flawed sitemap. Attackers could easily use tools like ResourcesSaver to download the front-end code and deploy a similar website. If this is combined with a similar domain like Coinbase for phishing attacks, users could easily fall for the scam.”

On-chain investigator ZachXBT, who has documented hundreds of millions of dollars in crypto theft linked to social engineering, was direct in his assessment. 

“So basically Coinbase has an official page live that threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?” he wrote. In a follow-up comment, he added, “Hopefully the team fixes and removes it as soon as possible.”

As of the time of publication, Coinbase had not made any statements addressing the issue or removed the page.

Has Coinbase or its users been exploited before?

Coinbase has been criticized in the past over its handling of social engineering threats targeting its customers. 

In February 2025, ZachXBT reported that users had lost more than $65 million to such attacks in just two months, part of what he estimated to be a $300 million annual drain. The investigator identified patterns in which fraudsters impersonated Coinbase support staff and used cloned admin panels to automate attacks in real time.

A few months later, in May 2025, there was a data breach that exposed the personal data for a subset of users. Coinbase confirmed that the breach happened as a result of criminals bribing overseas support agents. 

The company terminated the staff involved, notified regulators, and offered affected users a year of credit monitoring. It also set aside between $180 million and $400 million to cover remediation costs and voluntary customer reimbursements and announced a $20 million reward for information leading to arrests. 

The current Commerce page may be seen as low-hanging fruit for bad actors right now, and the recent alarm by Evilcos should prompt the exchange to take urgent actions to mitigate any future exploit.

If you’re reading this, you’re already ahead. Stay there with our newsletter.