Overview
- An official Coinbase page at withdraw.commerce.coinbase.com/seed-phrase asks merchants to type their 12-word recovery phrases into a web form in plain text in order to retrieve funds.
- Security researchers, including SlowMist founder Yu Xian and SlowMist CISO 23pds, along with on-chain investigator ZachXBT, criticize the design for training users to ignore standard seed-phrase safety rules.
- SlowMist’s 23pds says a flawed sitemap allows the front end to be copied with tools like ResourcesSaver, enabling convincing Coinbase-lookalike phishing sites.
- Coinbase’s transition guide directs some merchants, particularly those holding UTXO assets or relying on Google Drive backups, to reveal the phrase and use the withdrawal tool, despite standard wallet guidance never to paste a recovery phrase into any website.
- As of Thursday the page remains live and Coinbase has not responded publicly. Alternative withdrawal methods exist, and the March 31 shutdown deadline is approaching, following a January impersonation scam that stole about $2 million.