Coinbase Asks Users to Enter Seed Phrases Before March 31
Security experts are warning that Coinbase's official process for withdrawing funds contradicts the company's own security guidance by asking users to paste seed phrases into a website.
Key Takeaway
Coinbase built an official scammer playbook that contradicts its own security warnings to users.
Coinbase is directing Commerce users to enter their 12-word seed phrases into an official subdomain to withdraw funds before the platform shuts down on March 31.
The workflow directly contradicts the company's own wallet documentation, which warns users to never paste seed phrases into any website and states the firm will never ask for them. SlowMist Chief Information Security Officer 23pds wrote on X that directly asking users to transmit their mnemonic phrase to verify assets is extremely foolish. SlowMist founder Yu Xian said he was initially puzzled and wondered if the subdomain had been hacked.
Blockchain investigator ZachXBT characterized the official page as a potential tool for threat actors to target users via seed phrase social engineering. His observation carries weight given that he revealed last year that Coinbase users lose ₱18 billion ($300 million) annually to social engineering scams. In May 2025, cybercriminals bribed overseas support agents to steal customer data for social engineering attacks, obtaining account data for 1% of monthly transacting users. The May 2025 breach exposed names, addresses, phone numbers, email addresses, last four digits of Social Security numbers, government-issued ID images, account balances, and transaction histories.
Coinbase explained that Commerce wallets are self-custodial and the company does not have access to the phrase or the funds, which leaves users responsible for recovery before the shutdown. Some Commerce users backed up wallets to Google Drive, but the company is still asking for seed phrase entry on its official domain. Users have until March 31, 2026, to withdraw funds before the Commerce portal and withdrawal tool become inaccessible.
This article was written based on reporting from CryptoSlate.



