Coinbase Seed Phrase Page Sparks Security Fears Before Shutdown

A controversial feature on Coinbase Commerce is raising red flags across the crypto security community—just days before the platform is set to shut down on March 31, 2026.

At the center of the issue is a recovery page hosted on a Coinbase Commerce subdomain that asks users to enter their 12-word seed phrase directly into a plain-text web form. For many in the industry, that’s a major problem.

Why Experts Are Concerned

Security researchers say this approach goes against one of crypto’s most basic safety rules: never enter your seed phrase online.

The page, located at withdraw.commerce.coinbase.com/seed-phrase, was reportedly linked in a now-deleted help guide. It instructed merchants to recover their funds by importing their recovery phrases into wallets like Coinbase Wallet or MetaMask.

However, experts argue that asking users to type sensitive recovery phrases into a browser—even on an official website—sets a dangerous precedent.

Yu Xian, founder of blockchain security firm SlowMist, called the move an “unbelievable lack of security awareness.” Meanwhile, on-chain investigator ZachXBT warned that the page could easily become a tool for phishing attacks.

A Perfect Setup for Phishing

The risks don’t stop at the page itself. According to SlowMist’s CISO, known as 23pds, the page’s structure can be easily copied by attackers. Using simple tools, scammers could clone the entire interface and host it on fake domains that look almost identical to Coinbase.

That’s where things get dangerous.

Once users become familiar with entering seed phrases into a Coinbase-branded page, they may be more likely to trust fake versions—giving hackers full access to their wallets. In crypto, a seed phrase is essentially the master key. Anyone who has it controls the funds.

Timing Makes It Worse

The controversy comes at a critical moment. Coinbase is shutting down its Commerce platform and moving services under Coinbase Business. This leaves thousands of merchants with limited time to withdraw their funds before the March 31 deadline.

Critics say this urgency could push users into risky behavior, especially if they feel pressured to act quickly.

The situation also echoes past incidents. Earlier in January 2026, ZachXBT uncovered a Coinbase impersonation scam that resulted in around $2 million in losses. That attack relied on users trusting Coinbase-like interfaces—exactly the kind of behavior this new page could reinforce.

No Official Response Yet

As of now, Coinbase has not publicly addressed the criticism. The company has provided alternative withdrawal methods, which researchers reportedly consider safer, but the seed phrase page remains active.

With less than two weeks left before the shutdown, pressure is mounting. For one of the world’s largest publicly listed crypto companies, the stakes are high. A large-scale phishing incident tied to its own tools could have serious consequences—not just for users, but for trust in the platform itself.
