Coinbase Subdomain Prompts Users to Enter Seed Phrases

Security researchers have raised concerns about a Coinbase-associated Commerce page that appeared to prompt users to enter wallet recovery phrases, warning that such a flow could normalize behavior commonly exploited in phishing scams.

The page has circulated widely on social media after being flagged by the founder of the blockchain security platform SlowMist, Yu Xian, widely known as Cos.

“I’m really puzzled why Coinbase would have a page like this, directly asking users to input their plaintext mnemonic phrases for asset recovery,” Yu wrote in an X post on Wednesday, adding: “Such an insecure practice is simply unbelievable.”

Coinbase has yet to address the issue publicly. The company told Cointelegraph it was looking into the matter and did not provide additional information. Cointelegraph also approached Yu Xian for comment, but had not received a response by publication.

Recovery phrases give full control over a self-custody wallet and should never be shared with third parties, customer support agents or untrusted websites. They are normally used only in trusted wallet recovery or import flows.

Coinbase referred to the subdomain as a commerce “withdrawal tool”

According to blockchain sleuth ZachXBT, the page in question was referenced in a Coinbase Help guide related to its Commerce product.

The guide, now appearing to have been removed, reportedly outlined an option for users to recover funds by importing their seed phrase into a compatible wallet such as Coinbase Wallet or MetaMask. It also directed users to a withdrawal tool hosted at the same subdomain that has drawn scrutiny.

The help documentation also emphasizes that Commerce wallets are self-custodial, meaning Coinbase does not have access to users’ seed phrases and cannot recover funds if they are lost.

Related: OpenClaw devs targeted by phishing scam promising free ‘CLAW’ tokens

“So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?” ZachXBT wrote on X.

Coinbase advises against pasting seed phrases into any website

It remains unclear whether the page in question was the result of a technical error or another issue on Coinbase’s side.

In another guide, Coinbase strongly advised users to never paste seed phrases into any website.

On Tuesday, Coinbase warned that scammers are posing as customer support over the phone or online to steal login information and verification codes. The company said it will never reach out, directing users to its official channels on X and Reddit.

Magazine: Bitcoin’s ‘narrative vacuum,’ Ethereum now inevitable: Trade Secrets