SlowMist Founder Questions Coinbase Page Requesting Plaintext Seed Phrase

Coinbase’s legacy Commerce wallet shutdown now includes a March 31, 2026 withdrawal deadline, while researchers warn the official recovery flow could normalize seed-phrase entry and strengthen phishing tactics.

Fact Check
The claim is directly corroborated by multiple reports from PANews (titles: '慢雾余弦质疑Coinbase要求用户输入明文助记词的页面:匪夷所思', i.e. "SlowMist's Yu Xian questions Coinbase page asking users to enter a plaintext seed phrase: inconceivable", and '慢雾CISO:Coinbase Commerce资产恢复页面站点地图也存缺陷,有钓鱼攻击风险', i.e. "SlowMist CISO: the Coinbase Commerce asset recovery page's sitemap also has flaws, with phishing attack risk"). These reports cite specific social media posts from SlowMist founder Yu Xian and CISO 23pds, who detailed the security flaws in Coinbase Commerce's asset recovery page, including the request for plaintext seed phrases and the vulnerability to phishing due to exposed front-end code.
Summary

Criticism of Coinbase Commerce’s recovery flow expanded as details emerged about its migration plan for legacy Commerce wallets. Coinbase says users with funds in Commerce wallets must withdraw them before March 31, 2026, when the Commerce portal and withdrawal tool will become inaccessible, and some users who backed up wallets to Google Drive are directed to reveal a 12-word seed phrase and use Coinbase’s withdrawal tool. Researchers from SlowMist and blockchain investigator ZachXBT said the official workflow mirrors tactics commonly used in scams, especially because Coinbase’s own wallet guidance warns users never to share a recovery phrase or paste it into any website. The concerns are amplified by Coinbase’s history of social-engineering incidents, including a May 2025 disclosure that bribed overseas support agents stole customer data used in scams and a previously disclosed 2021 breach affecting at least 6,000 customers.

Terms & Concepts
  • Seed phrase: A 12-word or similar recovery phrase used to restore a self-custody wallet; anyone with the phrase can usually control the wallet’s funds.
  • UTXO-based assets: Cryptocurrencies such as Bitcoin that use the unspent transaction output model, where wallet balances are derived from spendable outputs rather than account balances.
  • Phishing: A scam technique that impersonates a trusted brand or service to trick users into revealing sensitive information or sending funds.
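The UTXO definition above says balances are derived from spendable outputs rather than account entries. The following added example (written for this page, not code from Coinbase or SlowMist) shows what that means in practice: a small in-memory UTXO set that applies transactions, derives a wallet's balance by summing the outputs it still controls, and rejects an attempt to spend an output twice. All transaction ids, addresses and amounts are constructed sample values; they do not refer to any real chain data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Outpoint:
    """Reference to one output of one transaction (txid, output index)."""
    txid: str
    index: int


@dataclass
class Output:
    address: str
    value: int  # smallest unit (e.g. satoshis)


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]   # outputs being consumed; empty for a coinbase tx
    outputs: List[Output]    # new outputs being created


class UTXOSet:
    """The set of currently unspent outputs; balances are derived from it."""

    def __init__(self) -> None:
        self.utxos: Dict[Outpoint, Output] = {}

    def apply(self, tx: Tx) -> None:
        seen = set()
        in_value = 0
        for op in tx.inputs:
            # An input is valid only if it points at an output that is still unspent
            # and is not referenced twice inside the same transaction.
            if op in seen or op not in self.utxos:
                raise ValueError(f"{tx.txid}: input {op} is missing or already spent")
            seen.add(op)
            in_value += self.utxos[op].value
        out_value = sum(o.value for o in tx.outputs)
        # A non-coinbase tx may not create more value than it consumes (difference is the fee).
        if tx.inputs and out_value > in_value:
            raise ValueError(f"{tx.txid}: outputs ({out_value}) exceed inputs ({in_value})")
        # Commit: consumed outputs leave the set, new outputs enter it.
        for op in tx.inputs:
            del self.utxos[op]
        for i, o in enumerate(tx.outputs):
            self.utxos[Outpoint(tx.txid, i)] = o

    def spendable(self, address: str) -> List[Tuple[Outpoint, int]]:
        """Outputs a wallet can spend: the only thing a seed phrase actually unlocks."""
        return [(op, o.value) for op, o in self.utxos.items() if o.address == address]

    def balance(self, address: str) -> int:
        return sum(v for _, v in self.spendable(address))


# Constructed sample chain: a coinbase pays alice; alice pays bob and keeps change.
COINBASE = Tx("tx_coinbase_1", [], [Output("alice", 50_000)])
PAYMENT = Tx("tx_pay_1", [Outpoint("tx_coinbase_1", 0)],
             [Output("bob", 30_000), Output("alice", 19_000)])  # 1_000 fee


def demo_balances() -> Dict[str, int]:
    """Apply the sample transactions and return derived balances."""
    s = UTXOSet()
    s.apply(COINBASE)
    s.apply(PAYMENT)
    return {"alice": s.balance("alice"), "bob": s.balance("bob"),
            "alice_outputs": len(s.spendable("alice"))}


def double_spend_rejected() -> bool:
    """Re-spending the already consumed coinbase output must fail."""
    s = UTXOSet()
    s.apply(COINBASE)
    s.apply(PAYMENT)
    replay = Tx("tx_replay", [Outpoint("tx_coinbase_1", 0)], [Output("mallory", 50_000)])
    try:
        s.apply(replay)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_balances())
    print("double spend rejected:", double_spend_rejected())
```

The point for the recovery-flow discussion is that the "balance" a tool displays is just a sum over outputs the wallet's keys control; whoever holds the seed phrase can sign for every one of those outputs, which is why a legitimate withdrawal tool never needs the phrase entered into a web form.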