Coinbase security advice sparks alarm over potential phishing risk

Coinbase is directing some Commerce customers to a seed-phrase restoration circulation forward of a March 31 migration deadline.

The problem sits inside Coinbase’s shutdown plan for legacy Commerce wallets. In its transition information, Coinbase says customers with funds in a Commerce pockets should withdraw them earlier than March 31, 2026, when the Commerce portal and withdrawal instrument will turn out to be inaccessible.

For customers who backed up their pockets to Google Drive, Coinbase says they need to go to the Commerce dashboard, open Settings and Safety, reveal the 12-word seed phrase, and use the withdrawal instrument at withdraw.commerce.coinbase.com.

Coinbase says the method is very necessary for retailers that obtained Bitcoin or different UTXO-based belongings as a result of balances could in any other case be laborious to floor in commonplace wallets.

A seed phrase is the grasp restoration key for a self-custody pockets. Coinbase’s personal pockets documentation describes it as a 12-word restoration phrase that solely the person has entry to.

Whoever controls that phrase controls entry to the pockets and its funds. Lose it, and entry to funds might be misplaced. Expose it, and funds within the pockets might be drained.

That’s the place the contradiction turns into laborious to overlook. Coinbase’s pockets guidance tells customers by no means to share a restoration phrase, says the agency won’t ever ask for it, and provides a separate warning: “By no means paste it into any web site.”

But the Commerce transition information tells some customers to disclose the identical phrase as a part of an official Coinbase-hosted restoration path.

The corporate’s rationalization is that Commerce wallets are self-custodial, and Coinbase doesn’t have entry to the phrase or the funds, which leaves customers answerable for restoration earlier than the shutdown.

Safety researchers see a phishing template

Nonetheless, this Coinbase demand has rung the alarm bells for a lot of safety consultants, who’re criticizing the platform for the conduct its web page teaches customers to simply accept.

Blockchain safety agency SlowMist founder Yu Xian said he was puzzled that Coinbase would host a web page asking customers to enter a mnemonic phrase in plain textual content for asset restoration and stated the follow was so insecure that he first puzzled whether or not the subdomain had been hacked.

The warning sharpened the core criticism across the web page: an official model, an pressing deadline, and a seed-phrase workflow mix right into a format attackers recurrently mimic.

In the meantime, SlowMist chief data safety officer 23pds wrote on X that there have been “two points” with the circulation. First, he said:

“Whereas the hyperlink is from the official Coinbase web site, immediately asking customers to transmit their mnemonic phrase to confirm belongings is extraordinarily silly.”

Secondly, he famous that the positioning had a flawed sitemap that would let attackers copy the entrance finish and deploy a near-clone on a lookalike area, creating a powerful phishing lure for customers already primed to belief the Coinbase model.

Moreover, blockchain investigator ZachXBT additional pressed on that time much more immediately. In a submit on X, he wrote:

“So principally Coinbase has an official web page reside menace actors can use to focus on Coinbase customers by way of seed phrase social engineering in the event that they wished?”

Their issues are unsurprising, contemplating phishing and social engineering scams stay one of the potent assault vectors in opposition to the crypto business.

Final yr, ZachXBT revealed that Coinbase customers lose greater than $300 million yearly on account of social engineering scams.

This captures why the Commerce circulation has triggered such a powerful response. Safety groups have spent years educating customers that any request involving a seed phrase is the beginning of a rip-off.

Nonetheless, a Coinbase-owned web page dealing with the identical phrase might change the visible and behavioral cues customers have been taught to depend on.

Coinbase’s breach historical past hangs over the talk

In the meantime, the safety debate lands tougher as a result of Coinbase is already coping with the aftereffects of previous social-engineering incidents.

In Could 2025, Coinbase reported that cybercriminals bribed a bunch of abroad help brokers to steal buyer information for social-engineering assaults.

The Brian Armstrong-led trade stated the attackers obtained account information for fewer than 1% of month-to-month transacting customers and used it to compile lists of consumers they might contact, pretending to be from the platform.

The corporate stated no non-public keys have been uncovered and pledged to reimburse prospects who have been tricked into sending funds to attackers.

Other than that, the corporate additionally has an earlier breach document.

Coinbase stated in its 2024 annual report that in 2021, third events obtained login credentials and private data for no less than 6,000 prospects and used these particulars to take advantage of a vulnerability within the account restoration course of. The agency stated it reimbursed impacted prospects about $25.1 million.

That historical past raises the stakes round any official workflow that asks customers to deal with a seed phrase on a reside internet web page.

Safety researchers warn that such a branded interface that normalizes seed-phrase entry will additional enhance phishing and impersonation assaults, which stay among the many business’s simplest assault strategies.