
Investigators Flag Coinbase Page Requesting Seed Phrases, Tool Removed

Beyond the official page itself, experts warned that it did not have a proper sitemap, making it easy to copy and weaponize on lookalike domains.

Coinbase has taken down a newly flagged “inheritance” tool after on-chain investigators warned that it could be used to trick users into giving up their seed phrases.

The episode also raised concerns about how hardware design choices may conflict with long-standing security practices.

Security Concerns With Coinbase Refund Page

It all started on March 18, when Cos, the founder of SlowMist, a blockchain security company, questioned why a page hosted by Coinbase asked users to type their 12-word recovery phrases in clear text. Cos shared screenshots showing the Coinbase Commercial withdrawal interface, which required people to paste their mnemonic phrase while suggesting they retrieve it from Google Drive backups.

Soon after, the well-known on-chain investigator ZachXBT posted that this page could be used by attackers as a social engineering tool, because it was hosted on the official Coinbase domain.

“So basically Coinbase has an official page that threat actors can use to target Coinbase users by using a social engineering letter phrase if they want to?” he asked.

Another member of the SlowMist team, 23pds, pointed out technical flaws on the page, saying it did not have a proper sitemap and could easily be copied. They added that attackers can clone the interface and use lookalike domains to trick people into handing over sensitive information.

There were also concerns over the dangers of cloning, with one X user, who goes by Kieran, arguing that the main problem was morality. They said the tool goes against the widely taught security rule in crypto: never share or post a recovery phrase on a website. The presence of such requirements on official pages, according to them, can make phishing attempts more successful.

Alex, a team member at Coinbase, responded that they have removed the tool and are actively developing a new solution.

“We thank all of you who raise this and hold us to high standards,” they added.

At the time of writing, a check on the page showed that it had indeed been taken down, with a simple message informing users that the service was unavailable and that they should try again later.

The Dangers of Social Engineering

The concerns raised by ZachXBT and the SlowMist team are not unfounded. Recent data shows a change in the way bad actors are conducting crypto-related attacks today.

According to the on-chain security company Nominis, in February, total losses related to cryptocurrency scams and exploits decreased by almost 87%. But more importantly, Nominis pointed out that attackers are now more likely to target users instead of exploiting code.

The company noted that recent incidents have relied more on phishing and misinformation than on technical vulnerabilities. And as these tactics become more common, it's important to deny attackers the kind of profit ZachXBT believes things like Coinbase's recovery tool could have given them.
