Coinbase’s New Tool Sparks Outrage: Are Your Crypto Assets at Risk?

by

Coinbase Commerce Faces Backlash Over ‘Unsafe’ Seed Phrase Tool

Key Highlights

  • Coinbase’s seed phrase page sparks security fears; experts warn users against typing phrases online.
  • Merchants should use the official Commerce withdrawal tool to safely move funds before March 31, 2026.
  • Rising hacker threats, including North Korean attacks, make cautious crypto practices more urgent than ever.

Cybersecurity experts are raising concerns about a new feature from Coinbase. The company’s merchant recovery tool asks users to enter their sensitive seed phrases directly on the withdrawal page, which is considered a dangerous security practice.

The website at ‘withdraw.commerce.coinbase.com/seed-phrase’ helps merchants regain access to older, self-managed wallets as Coinbase Business is launched by March 31, 2026. Coinbase recommends using Google Drive to copy and paste recovery phrases, but security experts warn this is a risky practice.

Security experts immediately identified the page as a risk for scams and hacking. According to Cos, the founder of SlowMist, this practice is “extremely unsafe” because the page asks users to directly input their private recovery phrase – a surprisingly dangerous request.

我很疑惑 Coinbase 为什么会有这样的页面,直接让用户输入明文助记词做资产恢复?如此不安全的行为,匪夷所思…@coinbase 我都差点以为子域名被黑了…cc @im23pds

— Cos(余弦)😶‍🌫️ (@evilcos) March 19, 2026

Security researcher ZachXBT also pointed out that bad actors could use this page to trick people into revealing their seed phrases, leading to scams. This has led to demands for Coinbase to either take down the tool or significantly change how it works right away.

Security risks and user guidance

Coinbase is simplifying how businesses handle payments. It’s combined its Commerce and Coinbase Business platforms, giving merchants two options for receiving funds. For the most secure method, businesses can use the Commerce withdrawal tool, which combines all payments into one transfer.

The company advises merchants, particularly those who accept Bitcoin or other UTXO-based cryptocurrencies, to use the Commerce withdrawal tool before March 31, 2026. Alternatively, users can always access their funds by entering their seed phrase directly into wallets such as Coinbase Wallet or MetaMask.

Security experts warn that entering your secret recovery phrase (seed phrase) online, even on websites that seem legitimate, could expose your funds to theft. A security researcher named Slomist explained that the way some websites are built makes it possible for hackers to create convincing fake copies and trick users.

Broader cybersecurity context

People are increasingly upset with Coinbase’s system for recovering lost crypto wallets, and this frustration is made worse by a sharp rise in complex cyberattacks. Hackers, especially those backed by North Korea, aren’t just using basic phishing scams anymore. They’re now pretending to be IT professionals to get inside cryptocurrency companies and steal funds.

Last August, Coinbase required employees who work with sensitive systems to attend in-person training in the US after identifying a specific security threat. CEO Brian Armstrong directly stated that North Korea is actively trying to steal cryptocurrency.

Past incidents, such as the Base blockchain hack where hackers made off with 55 WETH because of flaws in unverified smart contracts, clearly show the dangers of deploying untested code and mishandling digital assets. Combined with weak withdrawal processes and the evolving methods of attackers, these events highlight the importance of vigilance for anyone holding cryptocurrency.

Coinbase customers should only use the official withdrawal feature and never share their seed phrase online. Until Coinbase improves its system, it’s safer to use other wallets or store your crypto offline to keep your assets secure.

Read More

2026-03-19 09:24