# coinsqquuarelogin.webflow.io — SUSPICIOUS > PhishDestroy identifies coinsqquuarelogin.webflow.io as an active crypto credential theft site impersonating CoinSquare login. ## Summary This domain, coinsqquuarelogin.webflow.io, is being actively used to harvest cryptocurrency exchange credentials under the guise of a CoinSquare login portal. The threat actor has registered a plausible misspelling of the legitimate CoinSquare domain (coinsquare.io) to deceive users into entering their email and password, which are then exfiltrated to the attacker’s infrastructure. The landing page mimics CoinSquare’s login interface, including branding elements and SSL certificate issued by Google Trust Services, to appear legitimate. Once credentials are captured, attackers can bypass two-factor authentication or use the same passwords to access other services, leading to direct financial loss or account takeover in high-value crypto exchanges. The domain is currently hosted on Webflow’s infrastructure but resolves to IP 104.18.36.248, a Cloudflare address commonly abused by phishing campaigns. PhishDestroy’s investigation has confirmed this domain is flagged on two security blocklists (OpenPhish and OISD) and remains undetected on VirusTotal with 0 out of 95 engines flagging it as malicious as of seed 9dc981. The domain was created recently and leverages the Webflow.io subdomain to appear authentic, exploiting the platform’s trusted reputation. Despite having a valid SSL certificate, the mismatch between the domain name and the actual service (crypto login) is a common red flag. The lack of detection on VirusTotal suggests either a newly deployed campaign or one that evades signature-based detection through obfuscation or low-volume targeting. The combination of a recently registered domain, high-risk blocklist presence, and zero AV detections indicates a rapidly evolving threat with potential for significant impact. Users who have visited this site should immediately change their CoinSquare account password and enable two-factor authentication (2FA) if not already active. Do not use the same password across multiple platforms; generate unique, strong passwords for each account. Revoke any sessions or API keys tied to this login and monitor the account for unauthorized transactions or access attempts. Report the incident to CoinSquare support and consider using password manager alerts to detect future credential reuse. If you entered your credentials, enable 2FA immediately and review account activity for anomalies. This domain should be blocked at the network and DNS level to prevent further exposure. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registrar: REGISTRAR_NOT_FOUND - IP: 104.18.36.248 ## Detection Status - VirusTotal: 0 vendors flagged - Google Safe Browsing: clean - Blocklists: 2 hits Lists: ["OpenPhish", "OISD"] ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/domains/coinsqquuarelogin.webflow.io - PhishDestroy: https://phishdestroy.io/domain/coinsqquuarelogin.webflow.io/ - LLM endpoint: https://phishdestroy.io/domain/coinsqquuarelogin.webflow.io/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/coinsqquuarelogin.webflow.io/ Last updated: 2026-04-04