Coinbase is directing some Commerce customers to a seed-phrase restoration movement forward of a March 31 migration deadline.
The difficulty sits inside Coinbase’s shutdown plan for legacy Commerce wallets. In its transition information, Coinbase says customers with funds in a Commerce pockets should withdraw them earlier than March 31, 2026, when the Commerce portal and withdrawal software will grow to be inaccessible.
For customers who backed up their pockets to Google Drive, Coinbase says they need to go to the Commerce dashboard, open Settings and Safety, reveal the 12-word seed phrase, and use the withdrawal software at withdraw.commerce.coinbase.com.
Coinbase says the method is very essential for retailers that acquired Bitcoin or different UTXO-based belongings as a result of balances could in any other case be onerous to floor in customary wallets.
A seed phrase is the grasp restoration key for a self-custody pockets. Coinbase’s personal pockets documentation describes it as a 12-word restoration phrase that solely the person has entry to.
Whoever controls that phrase controls entry to the pockets and its funds. Lose it, and entry to funds may be misplaced. Expose it, and funds within the pockets may be drained.
That’s the place the contradiction turns into onerous to overlook. Coinbase’s pockets steering tells customers by no means to share a restoration phrase, says the agency won’t ever ask for it, and provides a separate warning: “By no means paste it into any web site.”
But the Commerce transition information tells some customers to disclose the identical phrase as a part of an official Coinbase-hosted restoration path.
The corporate’s clarification is that Commerce wallets are self-custodial, and Coinbase doesn’t have entry to the phrase or the funds, which leaves customers answerable for restoration earlier than the shutdown.
Safety researchers see a phishing template
Nonetheless, this Coinbase demand has rung the alarm bells for a lot of safety specialists, who’re criticizing the platform for the habits its web page teaches customers to simply accept.
Blockchain safety agency SlowMist founder Yu Xian mentioned he was puzzled that Coinbase would host a web page asking customers to enter a mnemonic phrase in plain textual content for asset restoration and mentioned the apply was so insecure that he first puzzled whether or not the subdomain had been hacked.
The warning sharpened the core criticism across the web page: an official model, an pressing deadline, and a seed-phrase workflow mix right into a format attackers usually mimic.
In the meantime, SlowMist chief info safety officer 23pds wrote on X that there have been “two points” with the movement. First, he mentioned:
“Whereas the hyperlink is from the official Coinbase web site, straight asking customers to transmit their mnemonic phrase to confirm belongings is extraordinarily silly.”
Secondly, he famous that the location had a flawed sitemap that would let attackers copy the entrance finish and deploy a near-clone on a lookalike area, creating a powerful phishing lure for customers already primed to belief the Coinbase model.
Moreover, blockchain investigator ZachXBT additional pressed on that time much more straight. In a put up on X, he wrote:
“So mainly Coinbase has an official web page dwell risk actors can use to focus on Coinbase customers through seed phrase social engineering in the event that they wished?”
Their considerations are unsurprising, contemplating phishing and social engineering scams stay one of the potent assault vectors in opposition to the crypto trade.
Final 12 months, ZachXBT revealed that Coinbase customers lose greater than $300 million yearly on account of social engineering scams.
This captures why the Commerce movement has triggered such a powerful response. Safety groups have spent years educating customers that any request involving a seed phrase is the beginning of a rip-off.
Nonetheless, a Coinbase-owned web page dealing with the identical phrase might change the visible and behavioral cues customers have been taught to depend on.
Coinbase’s breach historical past hangs over the talk
In the meantime, the safety debate lands tougher as a result of Coinbase is already coping with the aftereffects of previous social-engineering incidents.
In Might 2025, Coinbase reported that cybercriminals bribed a bunch of abroad help brokers to steal buyer knowledge for social-engineering assaults.
The Brian Armstrong-led alternate mentioned the attackers obtained account knowledge for fewer than 1% of month-to-month transacting customers and used it to compile lists of consumers they might contact, pretending to be from the platform.
The corporate mentioned no non-public keys have been uncovered and pledged to reimburse clients who have been tricked into sending funds to attackers.
Aside from that, the corporate additionally has an earlier breach file.
Coinbase mentioned in its 2024 annual report that in 2021, third events obtained login credentials and private info for a minimum of 6,000 clients and used these particulars to use a vulnerability within the account restoration course of. The agency mentioned it reimbursed impacted clients about $25.1 million.
That historical past raises the stakes round any official workflow that asks customers to deal with a seed phrase on a dwell net web page.
Safety researchers warn that such a branded interface that normalizes seed-phrase entry will additional enhance phishing and impersonation assaults, which stay among the many trade’s best assault strategies.
