Coinbase instructs users to follow the same ‘foolish’ steps scammers use to withdraw funds from wallets
Coinbase is directing some Commerce users to a seed-phrase recovery flow ahead of a March 31 migration deadline.
The problem sits inside Coinbase’s shutdown plan for legacy Commerce wallets. In its transition guide, Coinbase says users with funds in a Commerce wallet must withdraw them before March 31, 2026, when the Commerce portal and withdrawal tool will become inaccessible.
For users who backed up their wallet to Google Drive, Coinbase says they must go to the Commerce dashboard, open Settings and Security, reveal the 12-word seed phrase, and use the withdrawal tool at withdraw.commerce.coinbase.com.
Coinbase says the process is especially important for merchants that received Bitcoin or other UTXO-based assets, because those balances may otherwise be hard to surface in standard wallets.
A seed phrase is the master recovery key for a self-custody wallet. Coinbase’s own wallet documentation describes it as a 12-word recovery phrase that only the user has access to.
Whoever controls that phrase controls access to the wallet and its funds. Lose it, and access to the funds may be lost. Expose it, and the funds in the wallet may be drained.
That is where the contradiction becomes hard to miss. Coinbase’s wallet guidance tells users never to share a recovery phrase, says the company will never ask for it, and adds a separate warning: “Never paste it into any website.”
Yet the Commerce transition guide tells some users to reveal that same phrase as part of an official Coinbase-hosted recovery path.
The company’s explanation is that Commerce wallets are self-custodial, so Coinbase has no access to the phrase or the funds, which leaves users responsible for recovery before the shutdown.
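As an added illustration (not code from the article or from Coinbase), the following Python shows why the phrase is the whole wallet: BIP-39 derives the root seed from the mnemonic with PBKDF2-HMAC-SHA512, so anyone holding the twelve words can recompute every key the wallet will ever use, and nothing else is needed. It also includes a simple heuristic that a form-input or log monitor could use to flag a field that looks like a mnemonic and should never contain one. The heuristic and the function names are my own assumptions, and the mnemonic used is the public BIP-39 test vector, not a real wallet.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 root seed from a mnemonic sentence.

    BIP-39 specifies PBKDF2-HMAC-SHA512 with 2048 iterations, using the
    NFKD-normalized mnemonic as the password and "mnemonic" + passphrase as
    the salt. Every private key in the wallet is derived from this seed, so
    whoever can run this function on the phrase controls the funds.
    """
    words = " ".join(mnemonic.split())  # collapse stray whitespace first
    password = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# BIP-39 allows 128..256 bits of entropy in 32-bit steps, i.e. these word counts.
MNEMONIC_WORD_COUNTS = {12, 15, 18, 21, 24}


def looks_like_seed_phrase(text: str) -> bool:
    """Heuristic (an assumption of this example) for flagging mnemonic-shaped input.

    English BIP-39 words are lowercase ASCII, 3 to 8 letters long. Without
    shipping the 2048-word list this cannot confirm a phrase, but it is enough
    for a monitor to alert when a field that should never carry a recovery
    phrase suddenly does.
    """
    words = text.strip().split()
    if len(words) not in MNEMONIC_WORD_COUNTS:
        return False
    return all(
        w.isascii() and w.isalpha() and w.islower() and 3 <= len(w) <= 8
        for w in words
    )


if __name__ == "__main__":
    # Public BIP-39 test vector (all-zero entropy); constructed, not a live wallet.
    vector = "abandon " * 11 + "about"
    print("flagged as seed phrase:", looks_like_seed_phrase(vector))
    # Same phrase always yields the same seed: the phrase alone is sufficient.
    print("seed:", bip39_seed(vector, "TREZOR").hex())
```

The optional BIP-39 passphrase changes the salt and therefore the seed, which is why the example derives with and without one; it is the only thing a phrase-holder would additionally need, and most users do not set it.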
Security researchers see a phishing template
Nonetheless, this Coinbase instruction has rung alarm bells for many security experts, who are criticizing the platform for the behavior its page teaches users to accept.
Blockchain security firm SlowMist founder Yu Xian said he was puzzled that Coinbase would host a page asking users to enter a mnemonic phrase in plain text for asset recovery, and said the practice was so insecure that he first wondered whether the subdomain had been hacked.
The warning sharpened the core criticism of the page: an official brand, an urgent deadline, and a seed-phrase workflow combine into exactly the format attackers routinely mimic.
Meanwhile, SlowMist chief information security officer 23pds wrote on X that there were “two issues” with the flow. First, he said:
“While the link is from the official Coinbase website, directly asking users to transmit their mnemonic phrase to verify assets is extremely foolish.”
Second, he noted that the website had a flawed sitemap that could let attackers copy the front end and deploy a near-clone on a lookalike domain, creating a strong phishing lure for users already primed to trust the Coinbase brand.
Blockchain investigator ZachXBT pressed that point even more directly. In a post on X, he wrote:
“So basically Coinbase has an official page live that threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?”
Their concerns are unsurprising, considering that phishing and social engineering scams remain among the most potent attack vectors against the crypto industry.
Last year, ZachXBT revealed that Coinbase users lose more than $300 million annually to social engineering scams.
This captures why the Commerce flow has triggered such a strong response. Security teams have spent years teaching users that any request involving a seed phrase is the start of a scam.
However, a Coinbase-owned page handling that same phrase could undermine the visual and behavioral cues users have been taught to rely on.
Coinbase’s breach history hangs over the debate
Meanwhile, the security debate lands harder because Coinbase is already dealing with the aftereffects of past social-engineering incidents.
In May 2025, Coinbase reported that cybercriminals bribed a group of overseas support agents to steal customer data for social-engineering attacks.
The Brian Armstrong-led exchange said the attackers obtained account data for fewer than 1% of monthly transacting users and used it to compile lists of customers they could contact while pretending to be from the platform.
The company said no private keys were exposed and pledged to reimburse customers who were tricked into sending funds to attackers.
Apart from that, the company also has an earlier breach on record.
Coinbase said in its 2024 annual report that in 2021, third parties obtained login credentials and personal information for at least 6,000 customers and used those details to exploit a vulnerability in the account recovery process. The company said it reimbursed affected customers about $25.1 million.
That history raises the stakes around any official workflow that asks users to handle a seed phrase on a live web page.
Security researchers warn that a branded interface that normalizes seed-phrase entry will further increase phishing and impersonation attacks, which remain among the industry’s most effective attack methods.
The post Coinbase instructs users to follow the same ‘foolish’ steps scammers use to withdraw funds from wallets appeared first on CryptoSlate.
