Coinbase is directing some Commerce users to a recovery stream ahead of the March 31 migration deadline.
The issue is part of Coinbase’s shutdown plan for older Commerce wallets. In its transition guide, Coinbase says users with funds in a Commerce wallet will need to withdraw them by March 31, 2026, when the Commerce portal and withdrawal tool will become inaccessible.
For users who have backed up their wallets to Google Drive, Coinbase says they should go to the Commerce dashboard, open Settings and Security, reveal the 12-word seed phrase, and use the withdrawal tool at draw.commerce.coinbase.com.
Coinbase says the process is especially important for merchants who have received Bitcoin or other UTXO-based assets, as balances may otherwise be difficult to find in standard wallets.
A seed phrase is the master recovery key for a self-custodial wallet. Coinbase’s own wallet documentation describes it as a 12-word recovery phrase that only the user can access.
Whoever controls this phrase controls access to the wallet and its money. If you lose it, you may lose access to funds. Expose it and the money in the wallet can be emptied.
That’s where the contradiction is hard to miss. Coinbase’s wallet accompaniment tells users never to share a recovery phrase, says the company will never ask for it, and adds a separate warning: “Never post it on a website.”
Still, the Commerce transition guide tells some users to reveal the same phrase as part of an official Coinbase-hosted recovery path.
The company’s explanation is that Commerce wallets are self-custodial and Coinbase does not have access to the phrase or funds, making users responsible for recovery before closure.
Security researchers see a phishing template
Nevertheless, this requirement from Coinbase has raised alarm bells among many security experts, who criticize the platform for the behavior the page teaches users to accept.
Blockchain security company SlowMist founder Yu Xian said he was surprised that Coinbase would host a page asking users to enter a plaintext reminder for asset recovery, and said the practice was so insecure that he first wondered if the subdomain had been hacked.
The warning sharpened the core criticism of the page: an official brand, an urgent deadline, and a workflow with opening sentences combine to create a format that attackers regularly imitate.
Meanwhile, 23pds, SlowMist’s head of information security, wrote on X that there were “two problems” with the power. First of all, him said:
“Although the link comes from the official Coinbase website, it is extremely foolish to directly ask users to submit their reminder to verify assets.”
Second, he noted that the site had a flawed sitemap that allowed attackers to copy the front end and deploy a near-clone on a similar domain, creating a strong phishing appeal for users who were already ready to trust the Coinbase version.
In addition, blockchain researcher ZachXBT goes further pressed even more direct on that point. In a post on X he wrote:
“So basically Coinbase has an official page that live threat actors can use to target Coinbase users via social engineering if they want?”
Their concerns are not surprising, as phishing and social engineering scams remain one of the most powerful attack vectors against the crypto industry.
Last year, ZachXBT revealed that Coinbase users lose more than $300 million annually due to social engineering scams.
This shows why the trade flow has caused such a strong reaction. For years, security teams have taught users that any request containing a seed phrase is the start of a scam.
However, a Coinbase-owned page using the same phrase could change the visual and behavioral cues users should rely on.
Coinbase’s breach history hangs over the debate
Meanwhile, the security debate is heating up as Coinbase is already dealing with the aftereffects of previous social engineering incidents.
In May 2025, Coinbase reported that cybercriminals bribed a group of foreign support agents to steal customer data for social engineering attacks.
The Brian Armstrong-led exchange said the attackers obtained account details from less than 1% of monthly transactions and used it to build lists of customers to contact, pretending to be from the platform.
The company said no private keys had been exposed and promised to refund customers who were tricked into sending money to attackers.
Apart from that, the company also has a previous record of breaches.
Coinbase said this in its 2024 annual report report that third parties obtained login credentials and personal information of at least 6,000 customers in 2021 and used that data to exploit a vulnerability in the account recovery process. The company said it reimbursed affected customers about $25.1 million.
That history raises the stakes around any official workflow that asks users to process a seed phrase on a live web page.
Security researchers warn that such a branded interface that normalizes seed phrase input will further drive phishing and impersonation attacks, which remain among the most effective attack methods in the industry.