# coinbase-sync.pages.dev — MALICIOUS

> coinbase-sync.pages.dev impersonates Coinbase in a high-risk phishing scam. Stay vigilant and avoid this offline fraudulent domain.

## Summary
PhishDestroy identifies coinbase-sync.pages.dev as a high-risk phishing domain designed to impersonate the cryptocurrency platform Coinbase. This brand impersonation attempt poses significant danger to users by potentially stealing sensitive login credentials and financial information, emphasizing the importance of awareness and caution.

The domain was registered recently on February 21, 2026, through Cloudflare, Inc., and resolved to the IP address 172.66.47.52. It appeared on three security blocklists and was flagged by 13 out of 95 security vendors on VirusTotal. The page title indicated a suspected phishing site hosted by Cloudflare. Currently, the domain is offline, reducing the immediate threat but requiring continued monitoring.

Users are advised to remain vigilant when interacting with emails or links claiming to be from Coinbase, especially those directing to coinbase-sync.pages.dev or similar suspicious domains. Always verify URLs carefully before entering credentials and report any suspicious activity to official Coinbase support. Employ strong security practices and updated antivirus solutions to mitigate risks associated with phishing campaigns.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Coinbase
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence
- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.47.52
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["ishaan.ns.cloudflare.com", "sharon.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status
- VirusTotal: 13 vendors flagged
  Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "CyRadar", "ESET", "Fortinet", "G-Data", "Kaspersky", "Lionic", "Sophos", "VIPRE", "Webroot"]
- Google Safe Browsing: clean
- Blocklists: 3 hits
  Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019c9406-7483-7759-a1be-4fd58ed6c6d5.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/f71f9665-3f9d-44eb-ae91-d48a0f7228d8
- PhishDestroy: https://phishdestroy.io/domain/coinbase-sync.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/coinbase-sync.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/coinbase-sync.pages.dev/
Last updated: 2026-03-19