Coinbase Subdomain Prompts Users to Enter Seed Phrases

Replace (March 20, 6:30 am UTC): This text has been up to date to add a press release from Coinbase.

Safety researchers raised considerations a couple of Coinbase-associated Commerce web page that appeared to immediate customers to enter pockets restoration phrases, warning that such a movement might normalize conduct generally exploited in phishing scams.

The web page has circulated broadly on social media after being flagged by the founding father of the blockchain safety platform SlowMist, Yu Xian, referred to as Cos.

“I’m actually puzzled why Coinbase would have a web page like this, straight asking customers to enter their plaintext mnemonic phrases for asset restoration,” Yu wrote in an X publish on Wednesday, including: “Such an insecure observe is solely unbelievable.”

Recovery phrases give full management over a self-custody pockets and may by no means be shared with third events, buyer help brokers or untrusted web sites. They’re usually used solely in trusted pockets restoration or import flows.

Coinbase removes the withdrawal software from its web site, explores one other resolution

Coinbase has since confirmed to Cointelegraph that the referenced software was a part of its legacy Commerce product, which is scheduled to be discontinued on March 31, 2026, and has been in sundown mode since March 2025.

“Now we have eliminated the software from our web site, and we’re exploring an up to date resolution for the small variety of Commerce service provider accounts who have been nonetheless utilizing it,” a spokesperson for Coinbase mentioned, including:

“The safety of our clients and the safety of their belongings is our high precedence; all funds stay safe.”

The corporate famous that each one eligible service provider accounts have been within the technique of being migrated to Coinbase Enterprise, its enterprise platform for crypto.

Eliminated Coinbase Commerce movement prompted seed phrase entry

According to blockchain sleuth ZachXBT, the now-removed information outlined an choice for customers to recuperate funds by importing their seed phrase right into a suitable pockets resembling Coinbase Pockets or MetaMask.

It additionally directed customers to a withdrawal software hosted on the identical subdomain that has drawn scrutiny.

The assistance documentation additionally emphasised that Commerce wallets are self-custodial, that means Coinbase doesn’t have entry to customers’ seed phrases and can’t recuperate funds if they’re misplaced.

Associated: OpenClaw devs targeted by phishing scam promising free ‘CLAW’ tokens

In one other information, Coinbase strongly advised customers to by no means paste seed phrases into any web site.

On Tuesday, Coinbase warned that scammers are posing as buyer help over the telephone or on-line to steal login info and verification codes. The corporate mentioned it is going to by no means attain out, directing customers to its official channels on X and Reddit.

Journal: Bitcoin’s ‘narrative vacuum,’ Ethereum now inevitable: Trade Secrets