Coinbase page requested crypto wallet key
A page on the Coinbase Commerce subdomain withdraw.commerce.coinbase.com/seed-phrase asked users to provide their 12-word recovery phrase in a standard text field – in plain text, directly in the browser. The purpose was to help merchants withdraw funds during the phasing out of the Coinbase Commerce product, according to information reported by CryptoPotato.
The problem: a seed phrase is the absolute master key to a crypto wallet. Whoever possesses the phrase has full control over all funds associated with the wallet.
Security experts reacted strongly
Blockchain investigator ZachXBT and SlowMist founder Yu Xian (known as Cos), as well as SlowMist's Head of Security 23pds, all spoke out publicly against the page. The criticism was twofold.
Firstly, the researchers believed that the page directly contradicted Coinbase's own security guidelines, which explicitly warn users against sharing or pasting the recovery phrase into any website – and emphasize that Coinbase will never ask for it.
Secondly, ZachXBT pointed out, according to research notes, that the page served as a ready-made template for social engineering: scammers could easily clone it and use it on lookalike domains to trick users. The researchers also highlighted that the page lacked a correct sitemap, which further lowered the barrier to creating credible copies.
A seed phrase is the master key to your wallet – anyone asking you to type it into a website is practically asking for full access to your funds.
Time pressure worsened the situation
The controversy arose during a particularly vulnerable period. Tens of thousands of Coinbase Commerce merchants have only until March 31, 2026, to migrate their funds to Coinbase Business. The tight timeframe could make users more inclined to act quickly – and thus less critical of what they are actually doing with sensitive information.
Coinbase removed the page and apologizes
Initially, Coinbase did not respond to media inquiries. However, the company confirmed to Cointelegraph that the tool in question belonged to the older Commerce product and was removed on March 20, 2026.
“We have removed the tool from our website, and we are now investigating an updated solution for the small number of Commerce merchant accounts that were still using it,” a Coinbase spokesperson stated, according to Cointelegraph. The company added that the security of customers and their funds is the highest priority, and all funds remain secure.
What should users do now?
If you are a Coinbase Commerce merchant and have not yet migrated your funds, the deadline is March 31, 2026. Security experts generally recommend never entering your seed phrase on any website, regardless of whether the page appears official. Official services from reputable entities will, in principle, never ask for this.
The case illustrates that even large, established players can introduce functionality that violates basic security rules – and underscores the value of an active security community that dares to speak up.
