Security researchers have raised alarms about an active Coinbase Commerce page that requires users to enter a 12-word seed phrase directly.
SlowMist’s founder, who uses the pseudonym Evilcos, posted a direct warning about the page, calling it an unsafe practice.
“I’m very puzzled why Coinbase would have such a page that directly asks users to enter their mnemonic phrase in plain text to recover assets. Such an unsafe practice is truly unbelievable…I almost thought the subdomain had been hacked,” he said.
Blockchain investigator ZachXBT amplified the concern.
“So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?” he said.
For context, social engineering scams are attacks in which criminals manipulate people into revealing sensitive information or taking actions that compromise their security, rather than hacking systems directly. Instead of breaking through technical defenses, attackers exploit human psychology: trust, urgency, fear, or authority.
Coinbase is requiring users to move funds as it merges Commerce with Coinbase Business, with a March 31, 2026, deadline. It offers two withdrawal options. The first is a commerce withdrawal tool that consolidates funds into a single transaction. According to Coinbase, the tool handles the complexity of scanning a user’s Commerce addresses.
The exchange highlighted that this is the recommended method. Alternatively, users can use their seed phrase directly on the Coinbase page.
“If you have your seed phrase, you can import it into a compatible wallet (like Coinbase Wallet or MetaMask),” the blog read. “For many merchants, especially those who received payments in Bitcoin or other UTXO-based assets, we highly recommend using the Commerce withdrawal tool prior to March 31, 2026.”
In response to the concerns, Coinbase told BeInCrypto that it has removed the tool from its website.
“We are exploring an updated solution for the small number of Commerce merchant accounts who were still using it. The referenced tool is part of our legacy Commerce product, which is scheduled to be discontinued on March 31, 2026, and has been in sunset mode since March 2025. All eligible merchant accounts were in the process of being migrated to Coinbase Business—our comprehensive platform for modern enterprise crypto. The security of our customers and the protection of their assets is our top priority; all funds remain secure,” a Coinbase spokesperson said in a statement.