March 20, 2026 ChainGPT

Coinbase Commerce Asked Merchants to Enter 12‑Word Seed Phrases — Security Experts Alarmed

Coinbase Commerce has alarmed the crypto security community after a page on one of its subdomains asked merchants to enter their 12-word seed phrases directly into a web form. Security experts say the practice normalizes one of the riskiest behaviors in crypto, and it surfaced just days before the product's March 31 shutdown.

What happened

A page hosted at withdraw.commerce.coinbase.com/seed-phrase was discovered prompting users to paste their mnemonic (recovery) phrases in plain text. The page was referenced in a now-deleted Coinbase Commerce help document that directed merchants to recover funds by importing their seed phrases into compatible wallets such as Coinbase Wallet or MetaMask.

The timing is especially sensitive. Coinbase is winding down Commerce and funneling merchants into Coinbase Business, so tens of thousands of users have a limited window in which to withdraw funds.

Why experts are furious

Security researchers say the page sets an obvious and dangerous precedent. SlowMist founder Yu Xian (known as Cos) called the practice an "unbelievable lack of security awareness" after receiving multiple user reports. On-chain investigator ZachXBT warned that the page creates a ready attack surface for social-engineering campaigns aimed at Coinbase users.

Beyond the single page, SlowMist's chief information security officer (23pds) highlighted structural issues in the page's sitemap that make it trivial to clone. Tools like ResourcesSaver can download a page's front-end code, so an attacker can stand up a visually identical phishing site on a Coinbase-lookalike domain. Because the legitimate page already asks for the phrase, a clone that asks for it looks normal, which makes the deception feasible even against experienced users.

The deeper risk: normalization

Every major crypto security rule rests on one non-negotiable principle: never type your seed phrase into a website, form, or app you did not install and verify yourself. A seed phrase is the master key to a wallet; anyone who holds it controls the funds, and there is no revocation. Importing a phrase into a wallet application on your own device is the normal recovery path; the problem is a phrase typed into a browser form, whose contents go wherever the page's scripts send them.

By publishing a workflow that asks users to enter phrases in a browser, Coinbase, whether through oversight or poor design, risks conditioning users to accept exactly the behavior scammers exploit. Researchers also flagged that the tool suggested copying phrases from Google Drive as an intermediate step, which compounds the exposure by putting the phrase in cloud storage and the clipboard.

Context and precedent

ZachXBT's warning carries weight: in January 2026 he exposed a Coinbase support impersonation scam that led to roughly $2 million in stolen crypto. That scheme relied on users trusting Coinbase-branded interfaces. Security researchers fear the Commerce seed-phrase page could serve as the template for a far larger follow-on attack.

Coinbase's response (so far)

As of Thursday, Coinbase had not publicly responded to requests for comment about the seed-phrase page. The company offers alternative withdrawal methods, including a separate Commerce withdrawal tool that researchers consider safer, but it has not removed or modified the seed-phrase page referenced in the help article.

Why this matters

With a hard March 31 deadline to wind down Commerce, the clock is running on a mass migration of merchant funds. For the highest-profile public company in crypto, the reputational and financial stakes are enormous: a mass phishing event triggered by its own migration tooling would be catastrophic for merchants and for the exchange's trustworthiness.

What to watch

Security teams and affected merchants will be watching whether Coinbase acts quickly to remove or rework the page and to improve its guidance for safe withdrawals. Meanwhile, users should stick to the basic rule: never enter a seed phrase into a website. Use a trusted wallet app installed from a verified source, check the exact hostname before interacting with any migration or withdrawal page, and treat any browser form that asks for a recovery phrase as hostile until proven otherwise.
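The cloning risk described above (a copied front end served from a Coinbase-lookalike domain) and the closing advice to check the exact hostname are easiest to act on as a detection rule. The following is an added example, not code from Coinbase, SlowMist, or the article; it flags web-proxy URLs whose host impersonates coinbase.com (wrong TLD, homoglyphs, typosquats, or the brand embedded in another registrable domain) and also flags any path that looks like a seed-phrase page, since, as the article shows, the legitimate domain itself hosted one. Assumptions: coinbase.com is the only legitimate registrable domain, the registrable domain is taken as the last two labels (no Public Suffix List), the homoglyph table is illustrative rather than complete, and the proxy log lines are constructed for this example.

```python
"""Flag proxy-log URLs that are Coinbase lookalikes or seed-phrase pages.

Added example (not Coinbase's or SlowMist's code). Assumptions: coinbase.com is
the only legitimate registrable domain; registrable domain = last two labels;
homoglyph table is illustrative; log lines below are constructed.
"""
import re
import unicodedata
from urllib.parse import urlparse

BRAND = "coinbase"
LEGIT_DOMAINS = {"coinbase.com"}
SEED_PATH_RE = re.compile(r"seed|mnemonic|recovery[-_]?phrase|secret[-_]?phrase", re.I)

# Characters commonly swapped for ASCII letters in lookalike hosts:
# digits plus Cyrillic and Greek letters that render like Latin ones.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c",  # Cyrillic о а е с
    "\u03bf": "o", "\u03b1": "a",                                # Greek ο α
}


def normalize_label(label: str) -> str:
    """Fold a hostname (or label) to an ASCII skeleton for comparison."""
    label = unicodedata.normalize("NFKC", label).lower()
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    return label.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    # Assumption: last two labels. A real deployment would use the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify_host(host: str) -> str:
    """Return legit, wrong_tld, homoglyph, typosquat, combosquat or unrelated."""
    host = host.lower()
    try:  # decode punycode (xn--) labels so Unicode lookalikes are compared as such
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or undecodable: compare as-is
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    sld = reg.split(".")[0]
    if sld == BRAND:
        return "wrong_tld"      # coinbase.co, coinbase.net
    skeleton = normalize_label(sld)
    if skeleton == BRAND:
        return "homoglyph"      # c0inbase.com, cοinbase.com (Greek omicron)
    if levenshtein(skeleton, BRAND) <= 2:
        return "typosquat"      # coimbase.com
    if BRAND in normalize_label(host):
        return "combosquat"     # coinbase-withdraw.net, x.coinbase.com.evil.tld
    return "unrelated"


def classify_url(url: str) -> dict:
    """Classify one URL; alert on any lookalike host or any seed-phrase-looking path."""
    u = urlparse(url if "://" in url else "http://" + url)
    host = u.hostname or ""
    verdict = classify_host(host) if host else "unrelated"
    seed_path = bool(SEED_PATH_RE.search(u.path))
    alert = verdict not in ("legit", "unrelated") or seed_path
    return {"url": url, "host": host, "verdict": verdict, "seed_path": seed_path, "alert": alert}


# Constructed proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2026-03-20T10:01:02Z client=10.0.0.5 url=https://withdraw.commerce.coinbase.com/seed-phrase",
    "2026-03-20T10:02:11Z client=10.0.0.6 url=https://withdraw.commerce.coinbase.com.evil.tld/seed-phrase",
    "2026-03-20T10:03:45Z client=10.0.0.7 url=https://c0inbase.com/login",
    "2026-03-20T10:04:09Z client=10.0.0.8 url=https://coinbase.com/commerce",
    "2026-03-20T10:05:33Z client=10.0.0.9 url=https://example.org/help",
    "2026-03-20T10:06:50Z client=10.0.0.10 url=https://coimbase.com/",
]
LOG_RE = re.compile(r"url=(\S+)")


def scan_log(lines):
    """Return (host, verdict, seed_path) for every line that should alert."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        r = classify_url(m.group(1))
        if r["alert"]:
            alerts.append((r["host"], r["verdict"], r["seed_path"]))
    return alerts


if __name__ == "__main__":
    for host, verdict, seed_path in scan_log(SAMPLE_LOG):
        print(f"ALERT host={host} verdict={verdict} seed_path={seed_path}")
```

Two design points matter for this case. The legitimacy check runs on the registrable domain, not on whether the string "coinbase.com" appears anywhere in the host, so withdraw.commerce.coinbase.com.evil.tld is caught as a combosquat rather than passed as legitimate. And a seed-phrase path alerts even on the real domain, because the page being cloned is itself the thing users should not be typing a phrase into; a tuned deployment would route those two alert kinds to different queues.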