Coinbase Commerce Under Scrutiny
The cryptocurrency exchange Coinbase Commerce is facing intense scrutiny from cybersecurity experts over a controversial withdrawal page that asks users to enter their 12-word recovery phrases directly into a web form. The controversy comes shortly before the service’s scheduled shutdown on March 31, 2026, leaving many merchants a limited window to withdraw their funds.
Controversial Withdrawal Page
The criticized page, found at withdraw.commerce.coinbase.com/seed-phrase, was highlighted in a Coinbase Commerce help document that has since been removed. It instructed users to recover their funds by importing these phrases into wallets compatible with their services, such as Coinbase Wallet or MetaMask.
Security Concerns
Yu Xian, the founder of SlowMist, expressed serious concerns regarding the security implications of this practice, underscoring that it reflects a disturbing lack of awareness about essential security protocols in the cryptocurrency industry.
The rule that a seed phrase, which serves as the master key to a user’s wallet, should never be entered on a website is foundational to online safety in crypto.
Potential for Phishing Attacks
ZachXBT, an on-chain investigator, corroborated these concerns, indicating that the page could become a target for social engineering attacks aimed at Coinbase users.
He mentioned that the sitemap of the withdrawal page has exploitable structural flaws, making it relatively straightforward for cybercriminals to create convincing phishing sites that mimic Coinbase. By using tools capable of downloading front-end code, attackers could replicate the page, increasing the potential for user deception, especially when combined with websites that mimic the Coinbase brand.
Risky Practices and Lack of Response
The issue is exacerbated by the advice provided on the page, which even suggested copying seed phrases from Google Drive, an unnecessary and risky practice that heightens vulnerability.
Given ZachXBT’s proven history of identifying security threats, including a previous incident in January 2026 that exposed a scam resulting in the loss of approximately $2 million in cryptocurrency, this latest warning carries significant weight.
Call for Action
Despite the growing backlash and requests for clarification, Coinbase had not issued a public response as of Thursday afternoon. Although the company has provided alternative methods for withdrawing funds that experts have deemed safer, the problematic seed phrase withdrawal page remains unchanged. With only twelve days left before the Commerce service ceases to operate, pressure is mounting on Coinbase to address these critical security concerns, both to avert a potential phishing disaster at the expense of its user base and to protect its reputation as a leading figure in the cryptocurrency landscape.