Coinbase is directing some Commerce customers to a seed-phrase restoration stream forward of a March 31 migration deadline.
The difficulty sits inside Coinbase’s shutdown plan for legacy Commerce wallets. In its transition information, Coinbase says customers with funds in a Commerce pockets should withdraw them earlier than March 31, 2026, when the Commerce portal and withdrawal instrument will change into inaccessible.
For customers who backed up their pockets to Google Drive, Coinbase says they need to go to the Commerce dashboard, open Settings and Safety, reveal the 12-word seed phrase, and use the withdrawal instrument at withdraw.commerce.coinbase.com.
Coinbase says the method is particularly vital for retailers that acquired Bitcoin or different UTXO-based belongings as a result of balances could in any other case be arduous to floor in customary wallets.
A seed phrase is the grasp restoration key for a self-custody pockets. Coinbase’s personal pockets documentation describes it as a 12-word restoration phrase that solely the consumer has entry to.
Whoever controls that phrase controls entry to the pockets and its funds. Lose it, and entry to funds will be misplaced. Expose it, and funds within the pockets will be drained.
That’s the place the contradiction turns into arduous to overlook. Coinbase’s pockets steerage tells customers by no means to share a restoration phrase, says the agency won’t ever ask for it, and provides a separate warning: “By no means paste it into any web site.”
But the Commerce transition information tells some customers to disclose the identical phrase as a part of an official Coinbase-hosted restoration path.
The corporate’s clarification is that Commerce wallets are self-custodial, and Coinbase doesn’t have entry to the phrase or the funds, which leaves customers accountable for restoration earlier than the shutdown.
Safety researchers see a phishing template
Nonetheless, this Coinbase demand has rung the alarm bells for a lot of safety consultants, who’re criticizing the platform for the habits its web page teaches customers to simply accept.
Blockchain safety agency SlowMist founder Yu Xian stated he was puzzled that Coinbase would host a web page asking customers to enter a mnemonic phrase in plain textual content for asset restoration and stated the observe was so insecure that he first puzzled whether or not the subdomain had been hacked.
The warning sharpened the core criticism across the web page: an official model, an pressing deadline, and a seed-phrase workflow mix right into a format attackers repeatedly mimic.
In the meantime, SlowMist chief data safety officer 23pds wrote on X that there have been “two points” with the stream. First, he stated:
“Whereas the hyperlink is from the official Coinbase web site, straight asking customers to transmit their mnemonic phrase to confirm belongings is extraordinarily silly.”
Secondly, he famous that the location had a flawed sitemap that would let attackers copy the entrance finish and deploy a near-clone on a lookalike area, creating a powerful phishing lure for customers already primed to belief the Coinbase model.
Moreover, blockchain investigator ZachXBT additional pressed on that time much more straight. In a publish on X, he wrote:
“So principally Coinbase has an official web page reside risk actors can use to focus on Coinbase customers by way of seed phrase social engineering in the event that they needed?”
Their issues are unsurprising, contemplating phishing and social engineering scams stay one of the crucial potent assault vectors in opposition to the crypto business.
Final yr, ZachXBT revealed that Coinbase customers lose greater than $300 million yearly because of social engineering scams.
This captures why the Commerce stream has triggered such a powerful response. Safety groups have spent years educating customers that any request involving a seed phrase is the beginning of a rip-off.
Nevertheless, a Coinbase-owned web page dealing with the identical phrase may change the visible and behavioral cues customers have been taught to depend on.
Coinbase’s breach historical past hangs over the talk
In the meantime, the safety debate lands tougher as a result of Coinbase is already coping with the aftereffects of previous social-engineering incidents.
In Could 2025, Coinbase reported that cybercriminals bribed a bunch of abroad help brokers to steal buyer knowledge for social-engineering assaults.
The Brian Armstrong-led change stated the attackers obtained account knowledge for fewer than 1% of month-to-month transacting customers and used it to compile lists of shoppers they may contact, pretending to be from the platform.
The corporate stated no personal keys had been uncovered and pledged to reimburse prospects who had been tricked into sending funds to attackers.
Aside from that, the corporate additionally has an earlier breach report.
Coinbase stated in its 2024 annual report that in 2021, third events obtained login credentials and private data for at the least 6,000 prospects and used these particulars to use a vulnerability within the account restoration course of. The agency stated it reimbursed impacted prospects about $25.1 million.
That historical past raises the stakes round any official workflow that asks customers to deal with a seed phrase on a reside net web page.
Safety researchers warn that such a branded interface that normalizes seed-phrase entry will additional enhance phishing and impersonation assaults, which stay among the many business’s simplest assault strategies.