The Digital Key Left Under The Mat
The cardinal rule of cryptocurrency is simple: never share your 12-word seed phrase.
This string of words acts as the master key to a user's entire digital fortune, and every security guide in the industry warns that entering these words into a website is the fastest way to lose everything.
However, as Coinbase prepares to shutter its Commerce product by 31 March 2026, the company has introduced a recovery tool that asks users to do exactly that.
By hosting a web form that prompts merchants to type their plaintext mnemonic phrases directly into a browser, the exchange has created a security dilemma that experts say contradicts years of basic safety education.
Why Are Security Experts Raising The Alarm
The controversy gained momentum after SlowMist founder Yu Xian, known as Cos, flagged the subdomain.
He expressed total disbelief that a major platform would facilitate such a risky workflow.
Yu Xian posted on X,
“I’m really puzzled why Coinbase would have a page like this, directly asking users to input their plaintext mnemonic phrases for asset recovery.”
He called the practice “simply unbelievable.”
Source: X
The concern is that by making this a legitimate step in their own migration process, Coinbase is teaching users that pasting a seed phrase into a website is acceptable.
This normalisation of risky behaviour plays directly into the hands of scammers who use identical tactics to drain wallets.
Is This A Gift To Social Engineering Scammers
On-chain investigator ZachXBT was quick to point out that the existence of an official Coinbase page asking for seed phrases provides the perfect cover for criminals.
He questioned the logic behind the move, asking,
“So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?”
The danger is heightened by the looming 31 March 2026 deadline.
Source: X
With tens of thousands of merchants rushing to move funds before the platform is retired, their psychological guard is lowered.
If an attacker sends a link to a fake version of this page, a merchant might enter their keys without a second thought, believing they are simply following official Coinbase instructions.
Can This Tool Be Easily Cloned By Attackers
The technical flaws extend beyond the input field itself.
SlowMist’s Chief Information Security Officer, 23pds, noted that the site’s structure is surprisingly easy to copy.
Using basic software like ResourcesSaver, a hacker can download the front-end code and host a visually perfect replica on a lookalike domain.
Because the real Coinbase tool even suggests that users sign into Google Drive and copy and paste their phrases from there, the workflow adds further layers of exposure: the phrase sits in cloud storage tied to a Google account, passes through the clipboard, and is then handed to a web page.
Source: X
A malicious or compromised browser extension can read the contents of the form field the moment the words are typed, and on an insecure network a user can be steered to an attacker's replica of the page instead of the real one; either way, the loss of funds that follows is irreversible.
How Can Merchants Protect Their Assets Safely
While Coinbase has told media outlets it is looking into the matter, it has yet to issue a wide-reaching public statement addressing the specific criticisms from researchers.
As of writing, the page has been disabled.
For business owners with funds still tied to the old Commerce platform, the safest route is to avoid the web-based seed phrase input entirely.
Experts suggest importing the recovery phrase directly into a trusted, standalone application like Coinbase Wallet or MetaMask on a secure device, rather than through a browser-based form.
This ensures the master key never touches a web interface, maintaining the wall between a user's life savings and the open internet. If the phrase has already been typed into any web page, treat it as compromised: sweep the funds to a newly generated wallet rather than continuing to use it.
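To see why the twelve words are the whole secret, and why nothing about recovery requires a web page, the following added example (written for this article, not code from Coinbase or any wallet project) walks the standard BIP39 and BIP32 derivations from a mnemonic to the root private key using only the Python standard library. It assumes the two public specification test vectors used below (the all-"abandon" mnemonic with passphrase "TREZOR", and the BIP32 vector-1 seed), which are published constants and not real wallets; it does not validate the mnemonic's checksum, since that needs the 2048-word wordlist.

```python
import hashlib
import hmac
import unicodedata

# BIP39 seed derivation. The words and the optional passphrase are the ONLY
# inputs: anyone holding them can run this offline and obtain the seed, so
# exposing the phrase to a web form exposes everything derived from it.
def bip39_seed(mnemonic, passphrase=""):
    words = mnemonic.split()
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must have 12, 15, 18, 21 or 24 words")
    # BIP39 requires NFKD normalisation of both the sentence and the salt.
    sentence = unicodedata.normalize("NFKD", " ".join(words))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", sentence.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )

# BIP32 master key: HMAC-SHA512 keyed with the fixed string "Bitcoin seed".
# Left 32 bytes become the master private key, right 32 bytes the chain code;
# every account and address key descends deterministically from these two.
def bip32_master(seed):
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]

def derive_root_keys(mnemonic, passphrase=""):
    """Full offline path from phrase to root key material, as hex strings."""
    seed = bip39_seed(mnemonic, passphrase)
    master_key, chain_code = bip32_master(seed)
    return {
        "seed": seed.hex(),
        "master_key": master_key.hex(),
        "chain_code": chain_code.hex(),
    }

if __name__ == "__main__":
    # Constructed demo input: the public BIP39 test-vector mnemonic
    # (entropy of all zero bits), never a real wallet.
    demo = " ".join(["abandon"] * 11 + ["about"])
    for field, value in derive_root_keys(demo, "TREZOR").items():
        print(f"{field}: {value}")
```

Note that a passphrase changes the seed completely, which is why some guides recommend one: a phrase leaked without its passphrase still does not yield the funds. Without a passphrase, which is the common case for merchant wallets, the twelve words alone are sufficient.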
What Are The Stakes For Coinbase's Reputation
This incident comes at a difficult time for the exchange, which is currently consolidating its services under the Coinbase Business banner.
The company has previously been very vocal about security, even warning users that scammers often pose as support agents to steal login data.
In December 2025, a support impersonation scam already cost users $2 million, proving how effective these branded attacks can be.
If a mass phishing event occurs because users were following a path created by the exchange itself, the reputational damage to the industry's most prominent public company would be immense.
With only days left until the final shutdown, the community is waiting to see if the tool will be replaced with a more secure alternative.