Coinbase's 'Legacy Recovery' Tool Gets a Security Audit from Twitter and Promptly Vanishes

On March 18, Cos, the founder of blockchain-security outfit SlowMist, spotted a Coinbase-hosted "legacy recovery" page that practically begged users to paste their sacred 12-word seed phrase in plain text. The page even suggested pulling it from a Google Drive backup, a move so risky it's like storing your house keys on a public bench. He posted screenshots of the commercial withdrawal interface, which immediately set the crypto-security community's alarm bells ringing at full volume.

On-chain detective ZachXBT swiftly pointed out that this official-domain page was a ready-made social-engineering kit for scammers. He dryly noted, "So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?" It was the perfect gift for phishers, wrapped in Coinbase's own branding.

SlowMist teammate 23pds added that the page lacked a proper sitemap and could be cloned with trivial effort, allowing attackers to replicate the interface on convincing look-alike domains. Meanwhile, X user Kieran argued the tool broke the cardinal, non-negotiable rule of never entering a recovery phrase on a website, potentially making future phishing lures far more believable. It was a masterclass in how to teach bad habits.

Coinbase's Alex replied that the tool had been taken offline and a new solution was being cooked up, thanking the community for holding the exchange to "the highest standards." A check of the URL now shows a simple "service unavailable, try again later" notice—the digital equivalent of a hastily drawn curtain after an embarrassing performance.

The episode highlights a broader shift in the crypto attack landscape. While February's total losses from scams and exploits reportedly fell by almost 87%, attackers have pivoted to targeting users directly instead of exploiting code. Phishing and misleading prompts are now the weapon of choice, making it crucial to eliminate any official foothold—like a seed-phrase-asking page—that could give social engineers a leg up. It's a reminder that in crypto, the front door needs to be as secure as the vault.

Publisher: gascope.com
Updated: Mar 22, 2026, 05:32 UTC
