# coinbase-signs.pages.dev — MALICIOUS

> Avoid coinbase-signs.pages.dev, a high-risk phishing domain mimicking Coinbase. Reported on blocklists and now offline for your security.

## Summary
PhishDestroy identifies coinbase-signs.pages.dev as a high-risk brand impersonation domain targeting Coinbase users. This malicious site attempted to deceive victims by mimicking the legitimate cryptocurrency platform in an effort to steal sensitive information. The webpage was flagged with the title "Suspected phishing site | Cloudflare," indicating its fraudulent nature.

The domain was registered on February 21, 2026, via Cloudflare, Inc., and resolved to IP address 172.66.47.87. It appeared on two separate security blocklists, while VirusTotal analyses showed 13 out of 95 security engines detected suspicious activity linked to this domain. All signs point to a coordinated phishing effort leveraging Cloudflare's hosting services to lend a veneer of legitimacy.

Currently, coinbase-signs.pages.dev has been taken offline, removing immediate threat exposure. PhishDestroy strongly advises users to remain vigilant against similar brand impersonation attempts and to verify domain authenticity before submitting credentials or personal data. Ongoing monitoring of such domains is essential to prevent recurring phishing campaigns.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Coinbase
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence
- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.47.87
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["margot.ns.cloudflare.com", "rocco.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status
- VirusTotal: 13 vendors flagged
  Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "CyRadar", "ESET", "Fortinet", "G-Data", "Kaspersky", "Lionic", "Sophos", "VIPRE", "Webroot"]
- Google Safe Browsing: clean
- Blocklists: 2 hits
  Lists: ["PhishDestroy", "MetaMask"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019cb939-c568-746b-8374-0d402e2dbe55.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/303b4801-ca11-48f6-b264-9e46eb5e6de2
- PhishDestroy: https://phishdestroy.io/domain/coinbase-signs.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/coinbase-signs.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/coinbase-signs.pages.dev/
Last updated: 2026-03-19