# base-extension-coinbase.pages.dev — MALICIOUS

> base-extension-coinbase.pages.dev is a high-risk phishing site mimicking Coinbase. Avoid interaction and verify before sharing info.

## Summary
PhishDestroy identifies base-extension-coinbase.pages.dev as a high-risk phishing domain impersonating the Coinbase brand. The domain aims to deceive users into revealing sensitive information by masquerading as a trusted cryptocurrency platform. Such brand impersonation threats are critical because they can lead to financial loss and compromised personal data.

This domain was created recently on February 21, 2026, and registered via Cloudflare, Inc. It resolves to IP address 172.66.47.83 and has been flagged by Google Safe Browsing for social engineering. Additionally, it appears on multiple security blocklists, and 14 out of 95 VirusTotal security vendors have classified it as malicious. The page title encountered was "Suspected phishing site | Cloudflare." Importantly, the domain has now been taken offline.

Users should avoid visiting or interacting with base-extension-coinbase.pages.dev. If exposed, refrain from providing any credentials or financial information. To stay safe, always verify URLs carefully and rely on official Coinbase channels. Use security tools like PhishDestroy to identify and block similar phishing attempts in the future.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Coinbase
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence
- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.47.83
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["chin.ns.cloudflare.com", "lewis.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status
- VirusTotal: 14 vendors flagged
  Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "CyRadar", "ESET", "Fortinet", "G-Data", "Google Safebrowsing", "Kaspersky", "Lionic", "Sophos", "VIPRE", "Webroot"]
- Google Safe Browsing: FLAGGED
- Blocklists: 3 hits
  Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019cecb0-6284-7419-88db-d60ab8832d30.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/5ae2887f-62bc-4101-b817-d489633b250f
- PhishDestroy: https://phishdestroy.io/domain/base-extension-coinbase.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/base-extension-coinbase.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/base-extension-coinbase.pages.dev/
Last updated: 2026-03-19