Key Highlights
- Coinbase’s seed phrase page sparks security fears; experts warn users against typing phrases online.
- Merchants should use the official Commerce withdrawal tool to safely move funds before March 31, 2026.
- Rising hacker threats, including North Korean attacks, make cautious crypto practices more urgent than ever.
Coinbase is facing criticism from the cybersecurity community following the launch of its new merchant recovery tool. The controversy stems from the tool’s requirement that users enter their seed phrases on the Commerce withdrawal page—an approach widely viewed as a significant security risk.
The page at ‘withdraw.commerce.coinbase.com/seed-phrase’ allows merchants to recover legacy self-custodial wallets during the platform’s migration to Coinbase Business by March 31, 2026. Coinbase suggests merchants can sign into Google Drive to copy and paste their mnemonic phrases, a practice cybersecurity experts call dangerously unsafe.
Experts quickly flagged the page as a potential vector for social engineering attacks. SlowMist Founder Cos described the behavior as “extremely unsafe,” stating the page “directly asks users to enter their plaintext mnemonic phrase for asset recovery. This is truly baffling.”
Similarly, pseudonymous investigator ZachXBT highlighted that threat actors could exploit the page to target users via seed phrase scams. The situation has prompted calls for Coinbase to remove or revise the tool immediately.
Security risks and user guidance
Coinbase is combining its Commerce platform with Coinbase Business, and merchants now have two ways to move their funds. The safer choice is the Commerce withdrawal tool, which bundles payments into a single transfer.
“For many merchants, especially those receiving Bitcoin or other UTXO-based assets, we highly recommend using the Commerce withdrawal tool before March 31, 2026,” the company said. The other option lets users enter their seed phrases directly into wallets like Coinbase Wallet or MetaMask.
Experts caution that typing seed phrases online—even on official sites—can put funds at risk. SlowMist’s 23pds pointed out that the page’s structure could let attackers clone it and trick users with look-alike fake sites.
Broader cybersecurity context
The frustration over Coinbase’s seed phrase portal is compounded by a dramatic escalation in sophisticated cyber threats. State-sponsored hackers, particularly from North Korea (DPRK), have evolved beyond simple phishing, increasingly posing as remote IT developers to infiltrate crypto companies from the inside.
This exact threat vector forced Coinbase to mandate in-person, US-based training in August last year for employees handling sensitive systems, with CEO Brian Armstrong bluntly warning, “DPRK is very interested in stealing crypto.”
Previous incidents, such as the Base blockchain hack in which 55 WETH was stolen through an unverified smart contract, have likewise demonstrated the risks of untested smart contracts and poor asset management. Together with insecure withdrawal flows, the changing tactics of hackers underscore the need for caution among cryptocurrency holders.
Coinbase users should stick to the official withdrawal tool and avoid typing their seed phrases online. Until the platform fixes the process, using third-party wallets or keeping funds in local, secure storage is a safer way to protect digital assets.
