# coinbase-started-extnsn.pages.dev — MALICIOUS

> Warning: coinbase-started-extnsn.pages.dev is a high-risk phishing site impersonating Coinbase. Avoid interaction; domain is offline but remains dangerous.

## Summary
PhishDestroy identifies coinbase-started-extnsn.pages.dev as a high-risk brand impersonation domain targeting Coinbase users. Classified under brand_impersonation, the domain was registered on February 21, 2026, and aimed to deceive victims by mimicking Coinbase’s identity, as indicated by its name and fraudulent content. The page title 'Suspected phishing site | Cloudflare' further confirms the phishing intent.

Technical analysis reveals the domain was registered through Cloudflare, Inc., resolving to IP address 172.66.44.144. It appeared on three distinct security blocklists and was flagged by Google Safe Browsing for social engineering attempts. VirusTotal scans identified the domain as malicious by 14 out of 95 security vendors, underscoring its risk. The domain’s infrastructure leveraged Cloudflare’s platform, which is commonly abused for phishing due to its ease of deployment and masking.

Currently, the domain status is offline, having been taken down following detection and reporting. Despite being inaccessible now, the domain’s existence on multiple blocklists and the high detection rate highlight the importance of vigilance. Users are advised to avoid any interaction with similar suspicious domains to prevent credential theft or fraud. PhishDestroy continues monitoring for related threats leveraging the unique seed bb4244 for tracking.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Coinbase
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence
- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.44.144
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["norm.ns.cloudflare.com", "monika.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status
- VirusTotal: 14 vendors flagged
  Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "Chong Lua Dao", "CyRadar", "ESET", "Fortinet", "G-Data", "Google Safebrowsing", "Lionic", "Sophos", "VIPRE", "Webroot"]
- Google Safe Browsing: FLAGGED
- Blocklists: 3 hits
  Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019cd827-c63e-74b9-9acb-5d2d8e9c8971.png
- PhishDestroy: https://phishdestroy.io/domain/coinbase-started-extnsn.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/coinbase-started-extnsn.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/coinbase-started-extnsn.pages.dev/
Last updated: 2026-03-19