# 238747-recovery.com — MALICIOUS

> 238747-recovery.com is a phishing site mimicking Coinbase. Avoid entering credentials and verify URLs carefully to protect your account.

## Summary
PhishDestroy identifies 238747-recovery.com as a medium-risk generic phishing domain designed to impersonate Coinbase’s recovery login page. The domain aims to deceive users into submitting sensitive account information under the guise of legitimate account recovery.

Supporting evidence includes its registration through Name.com, Inc. on March 12, 2026, and its resolution to IP address 216.198.79.65. The site’s page title, “Recovery - Sign In | Coinbase,” reinforces the fraudulent attempt to mimic Coinbase’s user interface. Additionally, the domain appears on two separate security blocklists, and VirusTotal analysis flags it as malicious by 6 out of 95 security vendors. These combined indicators confirm its use in phishing activities.

Currently, 238747-recovery.com is offline, reducing immediate threat exposure. Users encountering this domain should avoid interacting with it or providing any personal information. To mitigate risks, it is recommended to verify URLs before submitting credentials, utilize multi-factor authentication on Coinbase accounts, and report suspicious sites to security providers. Continuous monitoring by PhishDestroy ensures timely updates on this and similar threats.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 404)
- Target brand: Coinbase
- Page title: Recovery - Sign In | Coinbase

## Domain Intelligence
- Registered: 2026-03-12 13:07:01
- Registrar: Name.com, Inc.
- Country: US
- IP: 216.198.79.65
- IP Country: US
- IP City: Walnut
- IP Org: AS16509 Amazon.com, Inc.
- Nameservers: ["ns1.vercel-dns.com", "ns2.vercel-dns.com"]
- SSL Issuer: Let's Encrypt / R12

## Detection Status
- VirusTotal: 6 vendors flagged
  Vendors: ["Fortinet", "G-Data", "Google Safebrowsing", "Lionic", "SOCRadar", "Sophos"]
- Google Safe Browsing: clean
- Blocklists: 2 hits
  Lists: ["PhishDestroy", "MetaMask"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019ce592-516b-704f-baac-e23697992fc1.png
- PhishDestroy: https://phishdestroy.io/domain/238747-recovery.com/
- LLM endpoint: https://phishdestroy.io/domain/238747-recovery.com/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/238747-recovery.com/
Last updated: 2026-03-19