
Coinbase Tells Users to Follow ‘Foolish’ Steps Scammers Use to Withdraw Funds From Wallets
Why It Matters
The contradictory instruction risks normalizing unsafe seed‑phrase handling, potentially boosting phishing attacks and further eroding user trust in a platform already scarred by past breaches.
Key Takeaways
- Coinbase asks Commerce users to reveal seed phrase
- Deadline: March 31, 2026 for wallet shutdown
- Experts label the flow “foolish” and phishing‑prone
- Past breaches heighten concerns over seed‑phrase exposure
- Scam losses exceed $300 million annually for Coinbase users
Pulse Analysis
Coinbase’s latest migration notice forces merchants using its legacy Commerce wallets to expose their 12‑word recovery phrase on a branded web page. While the company frames the step as a necessary self‑custody measure before the March 31, 2026 shutdown, it directly conflicts with its longstanding guidance that seed phrases must never be entered online. This mixed messaging not only confuses users but also provides a ready‑made playbook for attackers who thrive on mimicking official communications, especially when urgency and brand trust are involved.
Security experts from SlowMist and independent investigators have highlighted two core vulnerabilities: the explicit request for the mnemonic and a poorly designed sitemap that could be cloned for phishing sites. By publishing a live interface that accepts seed phrases, Coinbase inadvertently legitimizes a behavior that the crypto community has been taught to avoid. The result is a heightened risk that users will fall for look‑alike domains, potentially leading to massive fund losses similar to the $300 million annual figure reported for Coinbase‑related social‑engineering scams.
The controversy is further inflamed by Coinbase’s breach legacy, including the 2025 data‑theft incident and earlier credential leaks. These incidents have already eroded confidence in the platform’s security posture. Introducing a seed‑phrase entry point at this juncture may accelerate regulatory scrutiny and push users toward more secure custodial solutions. For the broader crypto ecosystem, the episode underscores the delicate balance between user autonomy and the responsibility of exchanges to enforce best‑practice security standards.