Coinbase is directing some Commerce customers to a seed-phrase restoration circulate forward of a March 31 migration deadline.
The problem sits inside Coinbase’s shutdown plan for legacy Commerce wallets. In its transition information, Coinbase says customers with funds in a Commerce pockets should withdraw them earlier than March 31, 2026, when the Commerce portal and withdrawal instrument will grow to be inaccessible.
For customers who backed up their pockets to Google Drive, Coinbase says they need to go to the Commerce dashboard, open Settings and Safety, reveal the 12-word seed phrase, and use the withdrawal instrument at withdraw.commerce.coinbase.com.
Coinbase says the method is particularly vital for retailers that acquired Bitcoin or different UTXO-based property as a result of balances could in any other case be laborious to floor in customary wallets.
A seed phrase is the grasp restoration key for a self-custody pockets. Coinbase’s personal pockets documentation describes it as a 12-word restoration phrase that solely the person has entry to.
Whoever controls that phrase controls entry to the pockets and its funds. Lose it, and entry to funds could be misplaced. Expose it, and funds within the pockets could be drained.
That’s the place the contradiction turns into laborious to overlook. Coinbase’s pockets steerage tells customers by no means to share a restoration phrase, says the agency won’t ever ask for it, and provides a separate warning: “By no means paste it into any web site.”
But the Commerce transition information tells some customers to disclose the identical phrase as a part of an official Coinbase-hosted restoration path.
The corporate’s clarification is that Commerce wallets are self-custodial, and Coinbase doesn’t have entry to the phrase or the funds, which leaves customers liable for restoration earlier than the shutdown.
Safety researchers see a phishing template
Nonetheless, this Coinbase demand has rung the alarm bells for a lot of safety specialists, who’re criticizing the platform for the conduct its web page teaches customers to just accept.
Blockchain safety agency SlowMist founder Yu Xian stated he was puzzled that Coinbase would host a web page asking customers to enter a mnemonic phrase in plain textual content for asset restoration and stated the observe was so insecure that he first questioned whether or not the subdomain had been hacked.
The warning sharpened the core criticism across the web page: an official model, an pressing deadline, and a seed-phrase workflow mix right into a format attackers recurrently mimic.
In the meantime, SlowMist chief info safety officer 23pds wrote on X that there have been “two points” with the circulate. First, he stated:
“Whereas the hyperlink is from the official Coinbase web site, straight asking customers to transmit their mnemonic phrase to confirm property is extraordinarily silly.”
Secondly, he famous that the positioning had a flawed sitemap that might let attackers copy the entrance finish and deploy a near-clone on a lookalike area, creating a powerful phishing lure for customers already primed to belief the Coinbase model.
Moreover, blockchain investigator ZachXBT additional pressed on that time much more straight. In a submit on X, he wrote:
“So principally Coinbase has an official web page reside risk actors can use to focus on Coinbase customers through seed phrase social engineering in the event that they wished?”
Their considerations are unsurprising, contemplating phishing and social engineering scams stay some of the potent assault vectors towards the crypto trade.
Final yr, ZachXBT revealed that Coinbase customers lose greater than $300 million yearly resulting from social engineering scams.
This captures why the Commerce circulate has triggered such a powerful response. Safety groups have spent years instructing customers that any request involving a seed phrase is the beginning of a rip-off.
Nonetheless, a Coinbase-owned web page dealing with the identical phrase might change the visible and behavioral cues customers have been taught to depend on.
Coinbase’s breach historical past hangs over the controversy
In the meantime, the safety debate lands more durable as a result of Coinbase is already coping with the aftereffects of previous social-engineering incidents.
In Might 2025, Coinbase reported that cybercriminals bribed a bunch of abroad assist brokers to steal buyer knowledge for social-engineering assaults.
The Brian Armstrong-led trade stated the attackers obtained account knowledge for fewer than 1% of month-to-month transacting customers and used it to compile lists of consumers they may contact, pretending to be from the platform.
The corporate stated no non-public keys had been uncovered and pledged to reimburse prospects who had been tricked into sending funds to attackers.
Aside from that, the corporate additionally has an earlier breach document.
Coinbase stated in its 2024 annual report that in 2021, third events obtained login credentials and private info for not less than 6,000 prospects and used these particulars to take advantage of a vulnerability within the account restoration course of. The agency stated it reimbursed impacted prospects about $25.1 million.
That historical past raises the stakes round any official workflow that asks customers to deal with a seed phrase on a reside net web page.
Safety researchers warn that such a branded interface that normalizes seed-phrase entry will additional enhance phishing and impersonation assaults, which stay among the many trade’s handiest assault strategies.
