Coinbase Commerce’s seed phrase withdrawal page is drawing fierce criticism from security researchers, who warn it normalizes typing 12-word recovery phrases into a website just days before the March 31 shutdown deadline.

A subdomain page belonging to Coinbase Commerce — the company’s merchant payments product — has drawn sharp criticism from leading blockchain security researchers after it was found to be prompting users to enter their 12-word seed phrases, also known as mnemonic or recovery phrases, directly into a web form in plain text. The controversy erupted on Wednesday and intensified Thursday morning, with the discovery coming at a particularly sensitive moment: Coinbase is winding down Commerce entirely by March 31, 2026, as part of a broader platform consolidation under Coinbase Business — meaning tens of thousands of merchants have a narrow window to withdraw their funds.

The page in question, hosted at withdraw.commerce.coinbase.com/seed-phrase, was referenced in a now-deleted Coinbase Commerce help document that directed users to recover funds by importing their recovery phrases into compatible wallets such as Coinbase Wallet or MetaMask. SlowMist founder Yu Xian (known online as Cos) described the practice as demonstrating an “unbelievable lack of security awareness” from a major industry player, having received multiple user reports about the page. On-chain investigator ZachXBT independently flagged the page, warning that its existence creates a direct attack surface for social engineering campaigns targeting Coinbase users.

A Cloneable Attack Vector on an Official Domain

The concerns go beyond the page itself. SlowMist’s Chief Information Security Officer, known as 23pds, escalated the alarm by pointing out that the page’s sitemap contains structural flaws that make it trivially easy for malicious actors to replicate. Using tools such as ResourcesSaver, attackers can download the front-end code and deploy visually identical phishing sites — particularly dangerous when combined with Coinbase-lookalike domains that could credibly deceive even experienced users.

The fundamental problem is one of normalisation. Every legitimate security protocol in the cryptocurrency industry is built on a single, non-negotiable principle: a seed phrase should never be entered into any website, form, or app under any circumstances — not even an official one. Seed phrases are the master cryptographic keys to a wallet; whoever possesses them owns the funds. By building a recovery workflow that requires users to type their phrase into a browser, Coinbase has — whether intentionally or through oversight — trained users to accept a behaviour that scammers routinely exploit. Coinfomania noted that the tool even suggests copying phrases from Google Drive as an intermediate step, compounding the risk.

ZachXBT’s warning carries particular weight given his track record. In January 2026, he exposed a Coinbase support impersonation scam that resulted in approximately $2 million in stolen crypto — a scheme that relied on users being conditioned to trust Coinbase-branded interfaces. The Commerce seed phrase page represents a ready-made template for a follow-up attack of potentially far greater scale.​

As of Thursday, Coinbase had not publicly responded to the criticism, despite multiple requests for comment. The company has offered alternative withdrawal methods — including a separate commerce withdrawal tool considered safer by researchers — but has not removed or modified the seed phrase page. With twelve days remaining until Commerce is permanently disabled, the pressure on the exchange to act is mounting rapidly. For the crypto industry’s most prominent publicly listed company, the reputational stakes of a mass phishing event triggered by its own migration tooling could scarcely be higher.