Cointelegraph
ADA$0.2643 1.79%XLM$0.165 1.34%TRX$0.3104 1.03%BCH$468.01 0.88%DOGE$0.09396 0.46%BTC$70,591 0.01%BNB$642.70 0.11%SOL$89.95 0.70%XMR$348.94 1.10%LINK$9.09 0.07%ETH$2,154 0.27%XRP$1.43 0.77%HYPE$39.73 0.60%
Helen Partz
Written by Helen Partz,Staff Writer
Bryan O'Shea
Reviewed by Bryan O'Shea,Staff Editor

Coinbase removes legacy Commerce tool after seed phrase concerns

Researchers raised alarms over a Coinbase-linked Commerce page that prompted wallet recovery phrase entry, which Coinbase said was part of a legacy product now being retired.

Coinbase removes legacy Commerce tool after seed phrase concerns
News

Cointelegraph in your social feed

Subscribe on

Update (March 20, 6:30 am UTC): This article has been updated to add a statement from Coinbase.

Security researchers raised concerns about a Coinbase-associated Commerce page that appeared to prompt users to enter wallet recovery phrases, warning that such a flow could normalize behavior commonly exploited in phishing scams.

The page has circulated widely on social media after being flagged by the founder of the blockchain security platform SlowMist, Yu Xian, known as Cos.

“I’m really puzzled why Coinbase would have a page like this, directly asking users to input their plaintext mnemonic phrases for asset recovery,” Yu wrote in an X post on Wednesday, adding: “Such an insecure practice is simply unbelievable.”

Source: Yu Xian

Recovery phrases give full control over a self-custody wallet and should never be shared with third parties, customer support agents or untrusted websites. They are normally used only in trusted wallet recovery or import flows.

Coinbase removes the withdrawal tool from its website, explores another solution

Coinbase has since confirmed to Cointelegraph that the referenced tool was part of its legacy Commerce product, which is scheduled to be discontinued on March 31, 2026, and has been in sunset mode since March 2025.

“We have removed the tool from our website, and we are exploring an updated solution for the small number of Commerce merchant accounts who were still using it,” a spokesperson for Coinbase said, adding:

“The security of our customers and the protection of their assets is our top priority; all funds remain secure.”

The company noted that all eligible merchant accounts were in the process of being migrated to Coinbase Business, its enterprise platform for crypto.

Removed Coinbase Commerce flow prompted seed phrase entry

According to blockchain sleuth ZachXBT, the now-removed guide outlined an option for users to recover funds by importing their seed phrase into a compatible wallet such as Coinbase Wallet or MetaMask.

It also directed users to a withdrawal tool hosted at the same subdomain that has drawn scrutiny.

Source: Coinbase Commerce

The help documentation also emphasized that Commerce wallets are self-custodial, meaning Coinbase does not have access to users’ seed phrases and cannot recover funds if they are lost.

Related: OpenClaw devs targeted by phishing scam promising free ‘CLAW’ tokens

In another guide, Coinbase strongly advised users to never paste seed phrases into any website.

Source: Coinbase

On Tuesday, Coinbase warned that scammers are posing as customer support over the phone or online to steal login information and verification codes. The company said it will never reach out, directing users to its official channels on X and Reddit.

Magazine: Bitcoin’s ‘narrative vacuum,’ Ethereum now inevitable: Trade Secrets

Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently. Read our Editorial Policy https://cointelegraph.com/editorial-policy