There’s one rule in crypto with no exceptions: you never type your seed phrase into a website. Not a recovery tool. Not an official migration page. Nowhere. Never.

Coinbase apparently didn’t get the memo.

Coinbase Commerce is shutting down March 31. Its withdrawal tool asks users to enter their 12-word seed phrase directly into a web form. Security researchers – including SlowMist CISO 23pds and on-chain analyst ZachXBT – noticed immediately. The reaction from the security community was not polite.

Why This Is Dangerous

Your seed phrase is the master key to your wallet. Whoever has it owns everything in it, with no appeals process and no way to get it back.

Web forms can be cloned. Right now, attackers can build a site that looks identical to Coinbase’s withdrawal tool and target the exact users rushing to beat a March 31 deadline. The deadline creates urgency. Urgency makes people skip checks. Skipping checks with seed phrases ends badly.

One headline put it bluntly: “Coinbase’s exit plan teaches scammers how to steal.”

What To Do Instead

If you have funds in Coinbase Commerce:

Don’t use the seed phrase web form. Contact Coinbase support directly and ask about alternatives. If there’s a way to withdraw without entering your seed phrase online, use that method.

If you absolutely must use a recovery phrase, do it with a hardware wallet or dedicated offline tool – not a browser.

Watch for phishing. Cloned withdrawal pages will appear in search results, emails, and social media. The domain in the address bar should be coinbase.com. If it's anything else, close the tab.

Don’t wait until March 30. Urgency is how people get phished.
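The coinbase.com check from the phishing advice above, as an added example (not code from Coinbase or from the original article): it parses a link and accepts it only when the host is coinbase.com itself or, as an assumption made here, a subdomain of it. The sample links are constructed, and example.net stands in for any unrelated domain.

```javascript
// Added example: decide whether a link really points at coinbase.com.
// Assumption: subdomains of coinbase.com are accepted as well.
const TRUSTED_DOMAIN = "coinbase.com";

function checkLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG parser, the same rules a browser applies
  } catch {
    return { ok: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // "https://coinbase.com@other.host/" puts the familiar name in the
  // userinfo part; the real host is whatever follows the "@".
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before the host" };
  }
  // The parser lowercases the host and turns non-ASCII labels into xn-- form.
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "internationalized label, possible lookalike" };
  }
  // Match on a label boundary so "notcoinbase.com" does not pass.
  if (host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN)) {
    return { ok: true, reason: "host is " + host };
  }
  return { ok: false, reason: "host is " + host };
}

// Constructed sample links, not taken from any real campaign.
const SAMPLES = [
  "https://coinbase.com/withdraw",
  "https://www.coinbase.com/",
  "http://coinbase.com/",
  "https://coinbase.com.example.net/withdraw",
  "https://coinbase-com.example.net/",
  "https://coinbase.com@example.net/",
  "https://coinb\u0430se.com/", // Cyrillic "a" (U+0430) in place of Latin "a"
  "https://notcoinbase.com/",
];

for (const link of SAMPLES) {
  const { ok, reason } = checkLink(link);
  console.log((ok ? "OK    " : "REJECT") + "  " + link + "  (" + reason + ")");
}
```

A passing result says only that the link points at Coinbase's domain; it does not make typing a seed phrase into the page any safer.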

The deadline is real. The security risk is also real. Neither cancels the other out. Take your time.

