Crypto users are told from day one to never enter a seed phrase into a website. Then an official Coinbase migration flow appeared to do exactly that.
Coinbase is facing criticism after an official migration flow for some legacy Commerce users appeared to instruct them to reveal a 12-word seed phrase and use it in a Coinbase-hosted withdrawal process ahead of a March 31, 2026 deadline. According to CryptoSlate’s report, the flow was tied to Coinbase’s shutdown plan for legacy Commerce wallets, with users warned that the Commerce portal and withdrawal tool would become inaccessible after that date.
That would be controversial on its own.
What makes it much worse is that it appears to clash directly with Coinbase’s own long-running security messaging.
Coinbase’s own wallet-related guidance has repeatedly told users that seed phrases are the master key to a self-custody wallet and should never be shared. In one Coinbase anti-scam post, the company says plainly that Coinbase will never ask for or provide anyone with a seed phrase, and warns that anyone with the seed phrase to a wallet can steal everything in it.
That is why the backlash landed fast.
CryptoSlate reported that blockchain security figures including SlowMist founder Yu Xian and on-chain investigator ZachXBT publicly criticized the flow, arguing that an official Coinbase-branded page combined with an urgent deadline and a seed-phrase workflow creates exactly the kind of pattern attackers love to imitate. One cited warning called the practice “extremely foolish,” while ZachXBT framed it as a ready-made social-engineering template for threat actors.
The broader problem is not just whether Coinbase technically controlled the page or whether the recovery use case had a narrow justification.
It is that security education depends on consistency. Coinbase’s own fraud-prevention material warns users to be highly suspicious of pressure, urgency, impersonation, and suspicious links, including messages telling them to act immediately because an account is compromised. When a major exchange appears to normalize a seed-phrase workflow on a live website during a deadline-driven migration, it risks blurring the exact boundary users are supposed to treat as sacred.
There is a nuance here.
Coinbase Help documentation does describe cases where users may import a recovery phrase into another self-custody wallet in order to access assets on unsupported networks. In other words, recovery phrase use is not inherently illegitimate in self-custody contexts. But that is very different from training users to accept a branded web flow that resembles the same social-engineering pattern used in phishing attacks.
That distinction matters because phishing has already been a major problem for Coinbase users. CryptoSlate notes that ZachXBT previously estimated Coinbase users lose hundreds of millions of dollars annually to social engineering scams. The report also points back to Coinbase’s disclosed history of account-recovery abuse, including a 2021 incident that affected at least 6,000 customers and led to about $25.1 million in reimbursements, according to Coinbase’s 2024 annual report as quoted by CryptoSlate.
So the real issue is bigger than one migration page.
Even if Coinbase believed it was offering a practical recovery path for stranded Commerce users, the move appears to undercut one of the most basic security lessons in crypto: never get comfortable entering your seed phrase because a website looks official. In a market already flooded with fake support agents, cloned domains, and urgent migration scams, that is not a small mistake. It is the kind of mixed signal that can keep paying dividends for scammers long after the original migration is over.
For users, the takeaway is simple.
A real recovery process may sometimes require importing a recovery phrase into a trusted wallet app you intentionally chose. But any workflow that conditions people to type or paste that phrase into a web page, especially under deadline pressure, is playing with one of the most dangerous habits in crypto.
That is why this story matters.
It is not just about whether Coinbase had a reason. It is about whether one of the industry’s biggest brands just weakened the rule users need most.


