Coinbase is directing some Commerce users to a seed-phrase recovery flow ahead of a March 31 migration deadline.
The issue sits inside Coinbase’s shutdown plan for legacy Commerce wallets. In its transition guide, Coinbase says users with funds in a Commerce wallet must withdraw them before March 31, 2026, when the Commerce portal and withdrawal tool will become inaccessible.
For users who backed up their wallet to Google Drive, Coinbase says they should go to the Commerce dashboard, open Settings and Security, reveal the 12-word seed phrase, and use the withdrawal tool at withdraw.commerce.coinbase.com.
Coinbase says the process is especially important for merchants that received Bitcoin or other UTXO-based assets because balances may otherwise be hard to surface in standard wallets.
A seed phrase is the master recovery key for a self-custody wallet. Coinbase’s own wallet documentation describes it as a 12-word recovery phrase that only the user has access to.
Whoever controls that phrase controls access to the wallet and its funds. Lose it, and access to funds can be lost. Expose it, and funds in the wallet can be drained.
That is where the contradiction becomes hard to miss. Coinbase’s wallet guidance tells users never to share a recovery phrase, says the firm will never ask for it, and adds a separate warning: “Never paste it into any website.”
Yet the Commerce transition guide tells some users to reveal the same phrase as part of an official Coinbase-hosted recovery path.
The company’s explanation is that Commerce wallets are self-custodial, and Coinbase does not have access to the phrase or the funds, which leaves users responsible for recovery before the shutdown.
Security researchers see a phishing template
Nonetheless, this Coinbase demand has rung the alarm bells for many security experts, who are criticizing the platform for the behavior its page teaches users to accept.
Blockchain security firm SlowMist founder Yu Xian said he was puzzled that Coinbase would host a page asking users to enter a mnemonic phrase in plain text for asset recovery and said the practice was so insecure that he first wondered whether the subdomain had been hacked.
The warning sharpened the core criticism around the page: an official brand, an urgent deadline, and a seed-phrase workflow combine into a format attackers regularly mimic.
Meanwhile, SlowMist chief information security officer 23pds wrote on X that there were “two issues” with the flow. First, he said:
“While the link is from the official Coinbase website, directly asking users to transmit their mnemonic phrase to verify assets is extremely foolish.”
Secondly, he noted that the site had a flawed sitemap that could let attackers copy the front end and deploy a near-clone on a lookalike domain, creating a strong phishing lure for users already primed to trust the Coinbase version.
Additionally, blockchain investigator ZachXBT further pressed on that point even more directly. In a post on X, he wrote:
“So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?”
Their concerns are unsurprising, considering phishing and social engineering scams remain one of the most potent attack vectors against the crypto industry.
Last year, ZachXBT revealed that Coinbase users lose more than $300 million annually due to social engineering scams.
This captures why the Commerce flow has triggered such a strong reaction. Security teams have spent years teaching users that any request involving a seed phrase is the start of a scam.
However, a Coinbase-owned page handling the same phrase could change the visual and behavioral cues users have been taught to rely on.
Coinbase’s breach history hangs over the debate
Meanwhile, the security debate lands harder because Coinbase is already dealing with the aftereffects of past social-engineering incidents.
In May 2025, Coinbase reported that cybercriminals bribed a group of overseas support agents to steal customer data for social-engineering attacks.
The Brian Armstrong-led exchange said the attackers obtained account data for fewer than 1% of monthly transacting users and used it to compile lists of customers they could contact, pretending to be from the platform.
The company said no private keys were exposed and pledged to reimburse customers who were tricked into sending funds to attackers.
Apart from that, the company also has an earlier breach record.
Coinbase said in its 2024 annual report that in 2021, third parties obtained login credentials and personal information for at least 6,000 customers and used those details to exploit a vulnerability in the account recovery process. The firm said it reimbursed impacted customers about $25.1 million.
That history raises the stakes around any official workflow that asks users to handle a seed phrase on a live web page.
Security researchers warn that such a branded interface that normalizes seed-phrase entry will further boost phishing and impersonation attacks, which remain among the industry’s most effective attack methods.
