
Coinbase security advice sparks alarm over potential phishing risk

By Latest Crypto News

Published on: March 19, 2026


Coinbase is directing some Commerce users to a seed-phrase recovery flow ahead of a March 31 migration deadline.

The issue sits inside Coinbase’s shutdown plan for legacy Commerce wallets. In its transition guide, Coinbase says users with funds in a Commerce wallet must withdraw them before March 31, 2026, when the Commerce portal and withdrawal tool will become inaccessible.

For users who backed up their wallet to Google Drive, Coinbase says they should go to the Commerce dashboard, open Settings and Security, reveal the 12-word seed phrase, and use the withdrawal tool at withdraw.commerce.coinbase.com.

Coinbase says the process is especially important for merchants that received Bitcoin or other UTXO-based assets because balances may otherwise be hard to surface in standard wallets.

A seed phrase is the master recovery key for a self-custody wallet. Coinbase’s own wallet documentation describes it as a 12-word recovery phrase that only the user has access to.

Whoever controls that phrase controls access to the wallet and its funds. Lose it, and access to funds can be lost. Expose it, and funds in the wallet can be drained.
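To make concrete why a page that receives the phrase receives the wallet, here is an added example (my code, not Coinbase's and not anything from the transition guide) that derives the BIP39 seed and the BIP32 root key from a 12-word phrase using only the standard derivation steps. The input is the published BIP39 test vector, not anyone's real wallet; the optional passphrase argument is the BIP39 extension, which Coinbase's flow does not mention.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: BIP39 test vector #1 (128 bits of zero entropy), chosen only
# because its expected outputs are published. It is not anyone's real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512 over the NFKD-normalized words, salt "mnemonic" + passphrase,
    2048 rounds, 64-byte output. Nothing else goes in: no account, no server, no device."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def seed_to_master(seed):
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed"; left 32 bytes are the master
    private key, right 32 bytes the chain code. Every account key descends from these."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(payload):
    """Base58Check as used by xprv/xpub: payload || first 4 bytes of SHA256d(payload)."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def master_xprv(seed):
    """Serialize the BIP32 root as a mainnet xprv: version 0x0488ADE4, depth 0,
    zero parent fingerprint, child index 0, chain code, 0x00 || private key."""
    key, chain = seed_to_master(seed)
    payload = bytes.fromhex("0488ADE4") + b"\x00" + b"\x00" * 4 + b"\x00" * 4 + chain + b"\x00" + key
    return base58check(payload)


def what_the_phrase_yields(mnemonic, passphrase=""):
    """What anyone who receives the words (and, if used, the passphrase) can compute offline."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    return {"seed": seed.hex(), "root_xprv": master_xprv(seed)}


if __name__ == "__main__":
    for pw in ("", "TREZOR"):
        result = what_the_phrase_yields(TEST_MNEMONIC, pw)
        print("passphrase=%r seed=%s... xprv=%s" % (pw, result["seed"][:16], result["root_xprv"]))
```

The derivation is entirely local and deterministic: the same words always give the same seed and the same root xprv, so a form that submits the phrase hands the receiver every key the wallet will ever use, and nothing Coinbase's servers hold can revoke that.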

That is where the contradiction becomes hard to miss. Coinbase’s wallet guidance tells users never to share a recovery phrase, says the firm will never ask for it, and adds a separate warning: “Never paste it into any website.”

Yet the Commerce transition guide tells some users to reveal the same phrase as part of an official Coinbase-hosted recovery path.

The company’s explanation is that Commerce wallets are self-custodial, and Coinbase does not have access to the phrase or the funds, which leaves users responsible for recovery before the shutdown.

Security researchers see a phishing template

Nonetheless, the instruction has alarmed a number of security researchers, who criticize Coinbase less for the page itself than for the behavior it teaches users to accept: entering a seed phrase into a website because a trusted brand, under a deadline, asked for it.

Blockchain security firm SlowMist founder Yu Xian said he was puzzled that Coinbase would host a page asking users to enter a mnemonic phrase in plain text for asset recovery and said the practice was so insecure that he first wondered whether the subdomain had been hacked.

The warning sharpened the core criticism around the page: an official brand, an urgent deadline, and a seed-phrase workflow combine into a format attackers regularly mimic.

Meanwhile, SlowMist chief information security officer 23pds wrote on X that there were “two issues” with the flow. First, he said:

“While the link is from the official Coinbase website, directly asking users to transmit their mnemonic phrase to verify assets is extremely foolish.”

Second, he noted that the site had a flawed sitemap that could let attackers copy the front end and deploy a near-clone on a lookalike domain, creating a strong phishing lure for users already primed to trust the Coinbase version.
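One check a practitioner could run over a link that claims to be the withdrawal tool, as an added example (my code, not SlowMist's or Coinbase's): it treats only the host named in the transition guide as official and flags the lure shapes the lookalike-domain scenario implies (brand name parked in a foreign zone, homoglyph or punycode labels, typosquatted zones, plain http, bare IPs). The sample URLs are constructed, the confusable table is a small illustrative subset, and the two-label zone assumption stands in for a Public Suffix List lookup.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# The withdrawal host named in Coinbase's transition guide (from the article above).
OFFICIAL_HOST = "withdraw.commerce.coinbase.com"
OFFICIAL_ZONE = "coinbase.com"

# Small, illustrative table of glyphs that pass for Latin letters (not exhaustive).
CONFUSABLES = {"о": "o", "ο": "o", "а": "a", "е": "e", "с": "c", "і": "i", "ı": "i", "ѕ": "s", "ԁ": "d"}

# Constructed sample links a user might receive, with the verdict each should get.
SAMPLE_URLS = [
    "https://withdraw.commerce.coinbase.com/",
    "http://withdraw.commerce.coinbase.com/",
    "https://withdraw.commerce.coinbase.com.evil.example/",
    "https://withdraw.commerce.cοinbase.com/",  # Greek omicron in place of the Latin o
    "https://xn--cinbase-tyb.com/",
    "https://withdraw.commerce.coinbsae.com/",
    "https://commerce.coinbase.com/",
    "https://example.com/",
]


def skeleton(host):
    """Fold common look-alike glyphs to their Latin counterparts for comparison."""
    folded = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def registrable_zone(host):
    # Assumption: a two-label zone such as coinbase.com. Production code should
    # consult the Public Suffix List instead of taking the last two labels.
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance; small values against the genuine zone indicate a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reason) for a URL that claims to be the Coinbase Commerce withdrawal tool."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "reject", "no host in URL"
    if parts.scheme != "https":
        return "reject", "not https"
    try:
        ipaddress.ip_address(host)
        return "reject", "bare IP address"
    except ValueError:
        pass
    if host == OFFICIAL_HOST:
        return "official", "exact match for the documented withdrawal host"
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        return "lookalike", "internationalized label; skeleton %r" % skeleton(host)
    zone = registrable_zone(host)
    if zone == OFFICIAL_ZONE:
        return "official-zone", "genuine coinbase.com zone but not the documented withdrawal host"
    if "coinbase" in host:
        return "lookalike", "brand name used outside the coinbase.com zone (zone is %r)" % zone
    if edit_distance(zone, OFFICIAL_ZONE) <= 2:
        return "lookalike", "zone %r is within edit distance 2 of coinbase.com" % zone
    return "unrelated", "no resemblance to coinbase.com"


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict, reason = classify_url(sample)
        print("%-14s %-55s %s" % (verdict, sample, reason))
```

The exact-host rule is deliberately strict: even a genuine coinbase.com subdomain gets only "official-zone", because the point of the criticism is that no page, official or not, should be trusted with a seed phrase on the strength of its domain alone.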

Blockchain investigator ZachXBT pressed the same point more directly. In a post on X, he wrote:

“So basically Coinbase has an official page live threat actors can use to target Coinbase users via seed phrase social engineering if they wanted?”

Their concerns are unsurprising, considering phishing and social engineering scams remain one of the most potent attack vectors against the crypto industry.

Last year, ZachXBT revealed that Coinbase users lose more than $300 million annually due to social engineering scams.
