TL;DR:
This Thursday, alarms were raised across the crypto market after blockchain security experts identified an official Coinbase page prompting users to enter their 12-word recovery phrases. This practice, described as “incredibly insecure” by SlowMist founder Yu Xian, could normalize behaviors that attackers commonly exploit in phishing campaigns and asset theft.
我很疑惑 Coinbase 为什么会有这样的页面,直接让用户输入明文助记词做资产恢复?如此不安全的行为,匪夷所思…@coinbase 我都差点以为子域名被黑了…cc @im23pds https://t.co/NsBd223xWY pic.twitter.com/oBrp5UGQ8U
— Cos(余弦)(@evilcos) March 19, 2026
The controversy arises as the platform migrates its Commerce services to Coinbase Business. Technical reports indicate that the withdrawal flow requires users to paste their mnemonic keys into a web form to recover funds from self-custody wallets.
This methodology contradicts all standard security recommendations, which strictly prohibit sharing these keys with third parties or websites, regardless of their apparent legitimacy.
The page in question was reported in official help guides which, according to recent reports, have already begun to be removed or modified. ZachXBT pointed out that these types of tools provide an infrastructure that can be easily replicated by malicious actors to scam Coinbase customers through social engineering tactics, simulating “official” recovery processes.
For its part, Coinbase has not yet issued a formal public statement, only reporting that they are “looking into” the situation. Nonetheless, company documentation continues to emphasize that Commerce wallets are self-custodial and that the user is solely responsible for the security of their funds—increasing confusion over why an online phrase entry system was implemented in the first place.
In summary, the crypto community strongly recommends that users avoid any tool requesting seed phrases outside of trusted wallet interfaces. With the legacy Commerce services set to close at the end of this month, extreme caution is vital to prevent asset draining through unorthodox recovery methods.
