Coinbase Commerce Seed Phrase Page Raises Security Red Flags

Security researchers are raising serious concerns about an active Coinbase Commerce page that prompts users to enter their 12-word seed phrase in plain text. The alarming discovery has sparked widespread debate within the crypto community about user safety and platform responsibility.

SlowMist founder Evilcos was among the first to publicly flag the issue, expressing disbelief that a reputable platform like Coinbase would operate a page requesting mnemonic phrases so openly. He admitted the practice was so unusual that he initially suspected the subdomain had been compromised by malicious actors.

Prominent blockchain investigator ZachXBT echoed those concerns, pointing out that the live page could essentially serve as a ready-made tool for cybercriminals looking to exploit Coinbase users through seed phrase social engineering. Social engineering attacks rely on psychological manipulation — exploiting trust, urgency, or authority — rather than direct technical intrusions to steal sensitive user data.

The controversy stems from Coinbase's ongoing merger of Commerce with Coinbase Business, which carries a March 31, 2026 deadline. To help users withdraw their funds, Coinbase introduced two options. The first and recommended method is a dedicated Commerce withdrawal tool that automatically consolidates funds across a user's Commerce addresses into a single transaction. The second option allows users to manually import their seed phrase into a compatible wallet such as Coinbase Wallet or MetaMask.

Coinbase itself has emphasized the withdrawal tool as the safer, preferred route — particularly for merchants holding Bitcoin or other UTXO-based assets. Despite this, the mere existence of an official page soliciting seed phrases has drawn heavy criticism from security professionals who warn it could be weaponized in phishing campaigns.

Coinbase has yet to publicly address the security backlash surrounding the page. Users are strongly advised to utilize the official withdrawal tool and remain vigilant against any unsolicited requests for their seed phrases.