Assets
Crypto Deposit
Fiat Deposit
Convert
Transfer
Withdraw
My vouchers
Fund history
Dashboard
Account Security
Identity verification
API Management
Transaction Report
Log out
Register
BTCC / BTCC Square / BlockNinjaX /
Coinbase Faces Backlash Over Page Prompting Users to Enter Seed Phrases Amid Phishing Concerns

Coinbase Faces Backlash Over Page Prompting Users to Enter Seed Phrases Amid Phishing Concerns

Author:
BlockNinjaX
Published:
2026-03-20 04:39:02
18
2


Coinbase, one of the largest cryptocurrency exchanges, is under fire after security experts flagged a page on its official subdomain that asks users to input their seed phrases in plaintext—a practice widely condemned as a major security risk. The page, linked to Coinbase Commerce's wind-down process, has raised alarms about potential phishing exploits, especially as users scramble to recover funds before the March 31 deadline. Here’s a deep dive into the controversy, its implications, and why this could be a goldmine for scammers.

Why Is Coinbase Being Criticized for This Page?

A Coinbase subdomain page, discovered on March 19, 2026, by blockchain security expert Yu Xian (aka Evilcos), openly prompts users to enter their recovery phrases to "restore crypto assets." Xian, founder of SlowMist, called out the design on social media, stating, "I’m baffled why Coinbase WOULD have such a page. Asking users to input seed phrases in plaintext is incredibly unsafe—I initially thought the subdomain was hacked." The timing couldn’t be worse, as Coinbase Commerce’s impending shutdown has left thousands of merchants racing against the clock to withdraw funds, making them more susceptible to rushed decisions.

How Could Attackers Exploit This Vulnerability?

Security analysts warn that the page’s design is a blueprint for fraud. SlowMist’s CISO, 23pds, noted that the flawed sitemap allows attackers to easily clone the frontend code using tools like ResourcesSaver. Pair this with a phishing domain mimicking Coinbase, and unsuspecting users could hand over their seed phrases to criminals. On-chain investigator ZachXBT didn’t mince words: "Coinbase basically created an official page that attackers can use for social engineering? Hopefully, they fix this ASAP." As of March 20, 2026, Coinbase hasn’t commented or taken the page down.

Has Coinbase or Its Users Been Exploited Before?

Unfortunately, yes. In February 2025, ZachXBT reported that users lost over $65 million in just two months to social engineering scams—part of an estimated $300 million annual damage. Scammers posed as Coinbase support agents, using cloned admin panels to automate attacks. Months later, in May 2025, a data leak exposed personal details of some users, later traced to bribed offshore support staff. Coinbase fired those involved, offered credit monitoring, and set aside $180–400 million for remediation. This latest slip-up with the seed phrase page adds fuel to the fire, especially amid heightened phishing risks.

What’s the Bigger Picture Here?

This incident highlights a recurring theme: even major exchanges struggle with security hygiene. While Coinbase’s help docs explicitly state they’ll "never ask for recovery phrases," the Commerce page contradicts that. For users, the lesson is clear: never enter seed phrases outside trusted wallets. For Coinbase, it’s a wake-up call to audit every subdomain—before criminals do.

FAQs

What’s the issue with Coinbase’s seed phrase page?

The page asks users to input recovery phrases in plaintext, violating basic security principles and exposing them to phishing.

Why is this particularly dangerous now?

With Coinbase Commerce shutting down by March 31, 2026, users are under pressure to recover funds quickly, making them prone to mistakes.

Has Coinbase responded to the criticism?

As of March 20, 2026, Coinbase hasn’t addressed the issue or removed the page.

|Square

Get the BTCC app to start your crypto journey

Download on the App Store GEI IT ON Google Play

Get started today Scan to join our 100M+ users

Exchange for a better future

Products
Services
Guides
About Us
Terms & Agreement
Customer Service

Risk warning: Digital asset trading is an emerging industry with bright prospects, but it also comes with huge risks as it is a new market. The risk is especially high in leveraged trading since leverage magnifies profits and amplifies risks at the same time. Please make sure you have a thorough understanding of the industry, the leveraged trading models, and the rules of trading before opening a position. Additionally, we strongly recommend that you identify your risk tolerance and only accept the risks you are willing to take. All trading involves risks, so you must be cautious when entering the market.

The world’s longest-running cryptocurrency exchange since 2011 © 2011 - 2026 BTCC.com. All rights reserved

All articles reposted on this platform are sourced from public networks and are intended solely for the purpose of disseminating industry information. They do not represent any official stance of BTCC. All intellectual property rights belong to their original authors. If you believe any content infringes upon your rights or is suspected of copyright violation, please contact us at [email protected]. We will address the matter promptly and in accordance with applicable laws.BTCC makes no explicit or implied warranties regarding the accuracy, timeliness, or completeness of the republished information and assumes no direct or indirect liability for any consequences arising from reliance on such content. All materials are provided for industry research reference only and shall not be construed as investment, legal, or business advice. BTCC bears no legal responsibility for any actions taken based on the content provided herein.