Thursday, March 19, 2026

Coinbase security recommendation sparks alarm over potential phishing threat

Coinbase is directing some Commerce users to a seed-phrase recovery flow ahead of a March 31 migration deadline.

The issue sits inside Coinbase’s shutdown plan for legacy Commerce wallets. In its transition guide, Coinbase says users with funds in a Commerce wallet should withdraw them before March 31, 2026, when the Commerce portal and withdrawal tool will become inaccessible.

For users who backed up their wallet to Google Drive, Coinbase says they need to go to the Commerce dashboard, open Settings and Security, reveal the 12-word seed phrase, and use the withdrawal tool at withdraw.commerce.coinbase.com.

Coinbase says the process is especially important for merchants that received Bitcoin or other UTXO-based assets, because balances may otherwise be hard to surface in standard wallets.

A seed phrase is the master recovery key for a self-custody wallet. Coinbase’s own wallet documentation describes it as a 12-word recovery phrase that only the user has access to.

Whoever controls that phrase controls access to the wallet and its funds. Lose it, and access to funds can be lost. Expose it, and funds in the wallet can be drained.

That is where the contradiction becomes hard to miss. Coinbase’s wallet guidance tells users never to share a recovery phrase, says the company will never ask for it, and adds a separate warning: “Never paste it into any website.”

Yet the Commerce transition guide tells some users to reveal the same phrase as part of an official Coinbase-hosted recovery path.

The company’s explanation is that Commerce wallets are self-custodial and Coinbase does not have access to the phrase or the funds, which leaves users responsible for recovery before the shutdown.

Security researchers see a phishing template

Still, this Coinbase demand has set off alarm bells for many security experts, who are criticizing the platform for the behavior its page teaches users to accept.

Yu Xian, founder of blockchain security firm SlowMist, said he was puzzled that Coinbase would host a page asking users to enter a mnemonic phrase in plain text for asset recovery, and said the practice was so insecure that he first wondered whether the subdomain had been hacked.

The warning sharpened the core criticism of the page: an official brand, an urgent deadline, and a seed-phrase workflow combine into a format attackers commonly mimic.

Meanwhile, SlowMist chief information security officer 23pds wrote on X that there were “two issues” with the flow. First, he said:

“While the link is from the official Coinbase website, directly asking users to transmit their mnemonic phrase to verify assets is extraordinarily silly.”

Secondly, he noted that the site had a flawed sitemap that could let attackers copy the front end and deploy a near-clone on a lookalike domain, creating a strong phishing lure for users already primed to trust the Coinbase brand.

Blockchain investigator ZachXBT pressed that point even more directly. In a post on X, he wrote:

“So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?”

Their concerns are unsurprising, considering that phishing and social engineering scams remain among the most potent attack vectors against the crypto industry.

Last year, ZachXBT revealed that Coinbase users lose more than $300 million annually due to social engineering scams.
