# coinbase.jiashuohongxin.com — SUSPICIOUS

> coinbase.jiashuohongxin.com is a fake Coinbase login page pushing a crypto drainer kit. Domain created 2025-09-20, VirusTotal 0/95.

## Summary

PhishDestroy identifies coinbase.jiashuohongxin.com as a domain actively impersonating Coinbase, designed to harvest user credentials and deploy crypto drainer malware. The infrastructure mimics Coinbase’s branding to deceive visitors into entering private keys or seed phrases, then drains connected wallets. This domain is part of a broader campaign targeting cryptocurrency users via spoofed login portals hosted on subdomains of unrelated domains (jiashuohongxin.com). No evidence of a custom drainer kit has been identified in sandbox analysis at this time, suggesting the use of generic JavaScript-based wallet drainers or clipboard hijackers. The threat actor leverages urgency and fear (e.g., fake account suspension alerts) to pressure users into submitting sensitive information. This is a high-risk impersonation campaign active as of September 2025.

This domain was flagged during routine monitoring and shows the following technical indicators: a VirusTotal detection score of 0/95 engines, indicating a newly deployed or zero-day threat with no AV signatures. It was registered on September 20, 2025 through Cloud Yuqu LLC, and resolves to IP address 154.89.71.216 in Shenzhen, China. The domain holds a valid Let's Encrypt SSL certificate (CN: coinbase.jiashuohongxin.com), which makes it appear more legitimate. As of today, it is not listed on Google Safe Browsing (GSB) and has zero detections on the PhishTank, OpenPhish, or URLVoid blocklists. The domain is hosted on shared infrastructure and lacks any established reputation, making it difficult to detect via traditional blacklisting alone. The domain remains active and continues to resolve, indicating ongoing malicious activity.

PhishDestroy has escalated this case to the registrar abuse team and is coordinating with threat intelligence partners for domain takedown. Users are strongly advised not to interact with this site or enter any credentials. The current risk level is assessed as HIGH due to the combination of zero detection, recent registration, valid SSL, and direct brand impersonation. This infrastructure may be used to deliver additional malware or be repurposed for similar attacks. PhishDestroy continues to monitor for changes in payload or infrastructure and will update alerts accordingly. Users should verify any Coinbase-related links using PhishDestroy’s URL checker before clicking.

## Threat Details

- Verdict: SUSPICIOUS
- Site status: unknown (HTTP ?)
- Target brand: Coinbase

## Domain Intelligence

- Registered: 2025-09-20 05:39:09
- Registrar: Cloud Yuqu LLC
- IP: 154.89.71.216

## Detection Status

- VirusTotal: 0 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 0 hits

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/coinbase.jiashuohongxin.com
- PhishDestroy: https://phishdestroy.io/domain/coinbase.jiashuohongxin.com/
- LLM endpoint: https://phishdestroy.io/domain/coinbase.jiashuohongxin.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/coinbase.jiashuohongxin.com/

Last updated: 2026-04-04