ZachXBT flags Coinbase Commerce recovery page asking users to enter their 12-word seed phrase, raising phishing and social engineering concerns.
A live page on Coinbase’s official domain is drawing security alarm from researchers. The page, hosted at withdraw.commerce.coinbase.com, asks users to enter a 12-word seed phrase as part of an asset recovery process tied to Coinbase Commerce. The exchange has not pulled the page down.
On-chain investigator ZachXBT raised the alarm on X, questioning whether Coinbase had thought through what a page like this could enable. “So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?” ZachXBT wrote. The post drew thousands of interactions almost immediately.
When an Official Page Becomes the Weapon
Security researcher evilcos flagged the same page earlier on X, saying the practice of asking users to input plaintext mnemonic phrases was simply hard to believe from a major exchange. The researcher said the subdomain initially looked like it had been compromised. It had not. The page is official.
The Coinbase Commerce help documentation, visible on the recovery page, explains the process. It tells merchants their funds may be spread across hundreds or even thousands of wallet addresses because Commerce generated a new address for every payment received. Importing the seed phrase into a standard wallet, it says, may not show the full balance. Standard wallets typically scan only the first 20 unused addresses. For Bitcoin and other UTXO-based assets, Coinbase directed users toward the withdrawal tool before March 31, 2026.
The documentation also instructs users on how to retrieve a seed phrase backed up to Google Drive, then enter it at the withdrawal tool. This is where researchers say the risk sits.
Two Separate Problems, One Very Dangerous Page
Security researcher im23pds posted on X breaking the concern into two distinct issues. First, even though the link originates from an official Coinbase domain, asking users to transmit their mnemonic phrase to verify assets is careless by any security standard. Second, the website has a flawed sitemap. Attackers could use tools like ResourcesSaver to download the front-end code entirely and deploy a near-identical copy. Pair that with a lookalike domain, and a Coinbase phishing campaign becomes significantly easier to run.
In a separate earlier post, im23pds noted on X that the page was built carelessly. The team launched it without even setting up a sitemap. That kind of oversight makes the page even more accessible to anyone wanting to copy its structure.
而且页面做的非常不讲究… sitemap 这种不设置就直接上线了:-)
👇 pic.twitter.com/wdzBOti5w8— 23pds (山哥) (@im23pds) March 19, 2026
Source: im23pds
The core danger is straightforward. Threat actors do not need to break into Coinbase systems. They point a user at a fake version of an already-existing official page that asks for a seed phrase. The user, conditioned by the real page, hands it over.
The Broader Pattern Here
This is not a new pattern for the exchange. ZachXBT has previously documented how bad actors exploit Coinbase’s brand in social engineering campaigns, using impersonation and fake support channels to drain wallets. The Commerce recovery page, in this case, does the groundwork for scammers without anyone having to impersonate a thing.
The page remains live. Coinbase has not responded publicly to the concerns raised.
