Update (March 20, 6:30 am UTC): Coinbase provided a statement that has been added to this report.
Security researchers flagged a Coinbase-related Commerce page after it appeared to instruct users to enter wallet recovery (seed) phrases — an action experts warn could normalize behavior exploited by phishing schemes. The issue drew widespread attention on social media when Yu Xian (Cos), founder of blockchain security firm SlowMist, posted about the page and questioned why Coinbase would ask users to paste plaintext mnemonic phrases for asset recovery.
Seed or recovery phrases grant full control of self-custody wallets and should never be shared with third parties, support agents, or untrusted websites. They are normally used only within trusted wallet recovery or import flows.
Coinbase told Cointelegraph the page and the related tool originated from its legacy Commerce product, which has been in sunset mode since March 2025 and is scheduled for full discontinuation on March 31, 2026. The company said it removed the tool from the site, is working on an updated solution for the small number of Commerce merchants still using it, and is migrating eligible merchant accounts to Coinbase Business. Coinbase emphasized that customer security and asset protection are top priorities and that customers’ funds remain secure.
Blockchain investigator ZachXBT noted the removed guide described an option for merchants to recover funds by importing a seed phrase into a compatible wallet such as Coinbase Wallet or MetaMask, and pointed to a withdrawal tool hosted on the same subdomain that prompted scrutiny. Coinbase’s help documentation clarifies that Commerce wallets are self-custodial, meaning Coinbase does not have access to merchants’ seed phrases and cannot recover funds if those phrases are lost.
Separately, Coinbase’s guidance elsewhere strongly warns users never to paste seed phrases into websites. The company has repeatedly cautioned that scammers impersonating customer support by phone or online are attempting to steal login credentials and verification codes, reminded users it will never proactively contact them, and directed users to its official support channels on X and Reddit.