ZachXBT flags Coinbase Commerce recovery page asking users to enter their 12-word seed phrase, raising phishing and social engineering concerns.
A live page on Coinbase's official domain is drawing security alarm from researchers. The page, hosted at withdraw.commerce.coinbase.com, asks users to enter a 12-word seed phrase as part of an asset recovery process tied to Coinbase Commerce. The exchange has not taken the page down.
On-chain investigator ZachXBT raised the alarm on X, questioning whether Coinbase had thought through what a page like this could enable. "So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?" ZachXBT wrote. The post drew thousands of interactions almost immediately.
When an Official Page Becomes the Weapon
Security researcher evilcos flagged the same page earlier on X, saying the practice of asking users to enter plaintext mnemonic phrases was simply hard to believe from a major exchange. The researcher said the subdomain initially looked like it had been compromised. It had not. The page is official.
The Coinbase Commerce help documentation, visible on the recovery page, explains the process. It tells merchants their funds may be spread across hundreds or even thousands of wallet addresses because Commerce generated a new address for every payment received. Importing the seed phrase into a standard wallet, it says, may not show the full balance. Standard wallets typically scan only the first 20 unused addresses. For Bitcoin and other UTXO-based assets, Coinbase directed users toward the withdrawal tool before March 31, 2026.
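To make the gap-limit claim concrete, here is an added simulation (not code from Coinbase or the researchers quoted) of how a standard wallet restore walks address indices and stops after 20 consecutive unused ones, leaving later funded addresses invisible. It assumes a BIP-44-style index-based derivation and replaces real key derivation and chain lookups with a constructed index-to-balance map, where funded indices are sparse because only some Commerce checkouts were ever paid.

```python
"""Simulation of the wallet gap-limit problem described in the recovery
documentation. Added example, not Coinbase's or the researchers' code.
It assumes a BIP-44-style wallet that derives addresses by index and stops
restoring after GAP_LIMIT consecutive unused addresses; real key derivation
and chain lookups are replaced by a constructed index -> balance map."""

GAP_LIMIT = 20  # "first 20 unused addresses", as the documentation states


def scan_with_gap_limit(balances, gap_limit=GAP_LIMIT):
    """Walk address indices 0, 1, 2, ... the way a standard wallet restore does.

    balances: constructed sample data mapping address index -> amount (sats).
    The scan stops once gap_limit consecutive indices show no funds, so any
    funded index beyond that run is never derived or queried.
    Returns (total_found, last_index_scanned).
    """
    found, unused_run, index = 0, 0, 0
    while unused_run < gap_limit:
        amount = balances.get(index, 0)
        if amount:
            found += amount
            unused_run = 0  # a funded address resets the unused counter
        else:
            unused_run += 1
        index += 1
    return found, index - 1


def missed_funds(balances, gap_limit=GAP_LIMIT):
    """Amount a gap-limited restore would leave invisible to the user."""
    found, _ = scan_with_gap_limit(balances, gap_limit)
    return sum(balances.values()) - found


def required_gap_limit(balances):
    """Smallest gap limit that recovers every funded index: one more than
    the longest run of unused indices before or between funded ones."""
    used = sorted(i for i, amt in balances.items() if amt)
    if not used:
        return 1
    gaps = [used[0]] + [b - a - 1 for a, b in zip(used, used[1:])]
    return max(gaps) + 1


# Constructed merchant history (assumption): Commerce derived an address per
# checkout, but only some checkouts were paid, so funded indices are sparse.
SAMPLE_BALANCES = {0: 10_000, 1: 5_000, 2: 25_000, 40: 7_000, 41: 1_000, 100: 50_000}
```

With the sample data a default restore stops at index 22 and reports 40,000 sats of a 98,000 sat total; a gap limit of at least 59 would be needed to see everything.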
The documentation also instructs users on how to retrieve a seed phrase backed up to Google Drive, then enter it on the withdrawal tool. That is where researchers say the risk sits.
Two Separate Problems, One Very Dangerous Page
Security researcher im23pds posted on X breaking the concern into two distinct issues. First, although the link originates from an official Coinbase domain, asking users to transmit their mnemonic phrase to verify assets is careless by any security standard. Second, the website has a flawed sitemap. Attackers could use tools like ResourcesSaver to download the front-end code entirely and deploy a near-identical copy. Pair that with a lookalike domain, and a Coinbase phishing campaign becomes significantly easier to run.
In a separate earlier post, im23pds noted on X that the page was built carelessly. The team launched it without even setting up a sitemap. That kind of oversight makes the page even more accessible to anyone looking to copy its structure.
And the page was built very carelessly... it went live without even setting up something like a sitemap :-)
— 23pds (山哥) (@im23pds) March 19, 2026
Source: im23pds
The core danger is simple. Threat actors don't need to break into Coinbase systems. They point a user at a fake version of an already-existing official page that asks for a seed phrase. The user, conditioned by the real page, hands it over.
The Broader Pattern Here
This isn't a new pattern for the exchange. ZachXBT has previously documented how bad actors exploit Coinbase's brand in social engineering campaigns, using impersonation and fake support channels to drain wallets. The Commerce recovery page, in this case, does the groundwork for scammers without anyone having to impersonate a thing.
The page remains live. Coinbase has not responded publicly to the concerns raised.
