Coinbase is currently guiding some of its Commerce users through a seed-phrase recovery process in advance of a critical migration deadline set for March 31, 2026. This initiative is part of Coinbase’s efforts to phase out its legacy Commerce wallets. According to Coinbase’s transition guide, users with funds in these wallets are required to withdraw their assets before the deadline; otherwise, they will lose access to the Commerce portal and its withdrawal functionality.
For users who previously backed up their wallets to Google Drive, Coinbase's instructions are to open the Commerce dashboard, go to Settings and then Security, display the 12-word seed phrase, and enter it into the withdrawal tool at withdraw.commerce.coinbase.com. The step matters most for merchants who received Bitcoin or other UTXO-based assets, whose balances can be hard to recover by importing the phrase into an ordinary wallet.
The seed phrase is the master recovery key for a self-custody wallet. Coinbase's own documentation stresses that it must stay private, because whoever holds the phrase has unrestricted control of the wallet and its funds. Revealing or losing it can therefore have severe consequences, up to the permanent loss of those funds.
This guidance contradicts Coinbase's own advice and has confused users. While Coinbase tells users to keep the recovery phrase secure and never to share it or enter it on untrusted websites, the Commerce transition guide instructs them to reveal that same phrase as part of an "official" Coinbase recovery process. The company's explanation is that Commerce wallets are self-custodial, so it holds neither the funds nor the seed phrase, and recovery is therefore the user's responsibility.
The request has alarmed security experts, who argue that Coinbase's approach is harmful because it trains users to accept risky handling of their most sensitive secret. Yu Xian, founder of blockchain security firm SlowMist, said he could not understand why Coinbase would encourage such a practice, noting that the request looked insecure enough to raise suspicions of a hack.
Further problems with the recovery flow compounded those concerns. SlowMist's chief information security officer pointed out that even if the links genuinely originate from Coinbase, asking users to type their mnemonic phrase into a web page is an unwise design. He also noted that the page's setup makes it easy for attackers to stand up imitation domains for phishing, aimed at users who have now been conditioned to expect such a request from Coinbase.
Blockchain investigator ZachXBT echoed these concerns, questioning Coinbase's decision to host a page that malicious actors could easily mimic in seed-phrase social-engineering campaigns. The crypto industry is under constant pressure from such scams: a report from last year estimated that Coinbase users were losing over $300 million annually to social-engineering schemes.
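The imitation-domain problem raised above is concrete enough to check mechanically before anyone types a seed phrase into a page. The following is an added example, not code from the article, Coinbase, or SlowMist: it takes a link that claims to be the withdrawal tool and classifies it against the hostname the article names. The confusables table is a deliberately short assumption (the Unicode confusables list is far larger), and the registrable-domain rule assumes two labels, which is wrong for suffixes such as co.uk; production code would consult the Public Suffix List. The sample URLs in the test are constructed.

```python
"""Classify links claiming to be the Coinbase Commerce withdrawal tool.

Added example, not Coinbase code. TRUSTED_HOST is the host the article names;
the confusables table and the two-label registrable-domain rule are assumptions
made to keep the example self-contained.
"""
import unicodedata
from urllib.parse import urlsplit

TRUSTED_HOST = "withdraw.commerce.coinbase.com"  # host named in the article
TRUSTED_BRAND = "coinbase"  # assumption: the label an impersonator would reuse

# Assumption: a handful of common look-alike substitutions, not the full list.
CONFUSABLES = str.maketrans({
    "\u03bf": "o",  # Greek small omicron
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "0": "o",
    "1": "l",
})


def skeleton(host: str) -> str:
    """Map a host to an ASCII skeleton so visually similar spellings collide."""
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    # 'rn' renders much like 'm' in many fonts
    return stripped.translate(CONFUSABLES).replace("rn", "m")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: adequate for .com; real code
    should use the Public Suffix List (e.g. example.co.uk needs three labels)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def normalize_host(host: str) -> str:
    """Lowercase, strip a trailing dot, and decode punycode (xn--) labels so
    that IDN homoglyphs are compared in their Unicode form."""
    host = host.lower().rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or malformed punycode
        return host


def classify_link(url: str) -> str:
    """Return one of: invalid, userinfo-trick, insecure-scheme, trusted,
    homoglyph, same-domain, lookalike, unrelated."""
    parts = urlsplit(url)
    if not parts.hostname:
        return "invalid"
    host = normalize_host(parts.hostname)
    # https://withdraw.commerce.coinbase.com@evil.example/ -> host is evil.example
    if parts.username and TRUSTED_BRAND in parts.username.lower():
        return "userinfo-trick"
    if parts.scheme != "https":
        return "insecure-scheme"
    if host == TRUSTED_HOST:
        return "trusted"
    if skeleton(host) == TRUSTED_HOST:
        return "homoglyph"  # spelled with confusable characters or punycode
    if registrable_domain(host) == registrable_domain(TRUSTED_HOST):
        return "same-domain"  # a genuine Coinbase host, but not the tool itself
    if TRUSTED_BRAND in skeleton(host):
        return "lookalike"  # brand name embedded in someone else's domain
    return "unrelated"
```

Only the exact "trusted" result should ever be allowed to proceed; "same-domain" is deliberately not treated as safe, because the article's point is that the phrase belongs on one specific page at most, and a subdomain takeover or a stray Coinbase host is still the wrong place for it.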
The scrutiny is especially intense because of Coinbase's past security incidents. In May 2025, the company disclosed that cybercriminals had bribed overseas support agents to obtain customer data for use in follow-on social-engineering attacks. Coinbase said the incident affected less than 1% of its monthly users and that no private keys were compromised, but it nevertheless committed to reimbursing customers who fell victim to the resulting scams.
Moreover, Coinbase’s 2024 annual report detailed a prior incident in 2021 where at least 6,000 customers had their login information and personal details compromised due to vulnerabilities in the account recovery process. This breach resulted in approximately $25.1 million in reimbursements to affected users.
Given this history, security experts are particularly concerned that the current workflow could exacerbate phishing and impersonation attempts, undermining years of efforts to educate users that requests involving seed phrases often signal the onset of scams. As this situation unfolds, the implications for user security and trust in the platform remain paramount.