Experts Warn Coinbase Commerce Page Could Expose Users to Seed Phrase Scams

Highlights:

• ZachXBT and SlowMist flagged the Coinbase Commerce recovery page for seed phrase security risks.
• Researchers warned cloned pages could exploit users through highly convincing social engineering attacks.
• Coinbase’s 31 March migration deadline could make seed phrase phishing scams easier to trust.

Coinbase Commerce is facing fresh security questions after blockchain investigator ZachXBT and SlowMist raised concerns about a live recovery flow that asks users to enter a 12-word mnemonic phrase. The concern is not about a fake website pretending to be Coinbase. It is about a real Coinbase Commerce recovery page that, according to security researchers, could make social engineering attacks easier by making a risky habit look normal.

Coinbase Commerce Recovery Page Raises Security Concerns

A recovery page asks users to type in a 12-word phrase in plain text to regain access to funds. That has sparked concern because a seed phrase is the master key to a self-custody wallet. Coinbase’s own help pages say recovery phrases are private, only the user should know them, and Coinbase will never ask for or have access to them. ZachXBT said the page could give attackers a new way to trick users through social engineering. “So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?” he said.

So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted? pic.twitter.com/oLfBNrMrhp

— ZachXBT (@zachxbt) March 19, 2026

SlowMist researchers also raised the concern even further. They said attackers can use tools like ResourcesSaver to copy the page’s front-end code and create fake versions that look almost identical to the real one. If a phishing page closely matches the original design, many users may not spot the difference until their funds are already gone. SlowMist founder Evilcos said, “I’m very puzzled why Coinbase would have such a page that directly asks users to enter their mnemonic phrase in plain text to recover assets. Such an unsafe practice is truly unbelievable…I almost thought the subdomain had been hacked.” 

Coinbase Business Migration Deadline Adds to Phishing and Social Engineering Risks

The timing makes this issue more serious. Coinbase is moving Commerce users to Coinbase Business and says they must finish the switch by 31 March. After that, the Commerce portal will no longer work. Coinbase also says that if merchants still have money in a Commerce wallet, they need to withdraw it before the deadline.

The company adds that its Commerce withdrawal tool is the recommended method, especially for merchants who received Bitcoin and other UTXO-based coins. That has made the recovery-page debate more sensitive. Researchers argue that during a deadline-driven migration, a page asking users to type a 12-word phrase into a website could make phishing tricks easier to believe.

Phishing scams are fraud tricks where attackers pretend to be a trusted company or service. They use fake websites, emails, or messages to trick people into sharing private details or taking actions that steal funds.