# en-extension-coinbase.pages.dev — MALICIOUS

> en-extension-coinbase.pages.dev was a phishing domain impersonating Coinbase. Now offline, it was flagged for social engineering risks.

## Summary
PhishDestroy identifies en-extension-coinbase.pages.dev as a high-risk phishing domain impersonating the well-known cryptocurrency platform Coinbase. This type of threat is critical because it aims to deceive users into divulging sensitive financial credentials, potentially leading to substantial monetary loss and compromised personal data. The impersonation of trusted brands like Coinbase significantly increases the likelihood of successful attacks due to user trust.

en-extension-coinbase.pages.dev resolved to IP address 172.66.44.73 and was registered through Cloudflare, Inc., a common service for both legitimate and malicious actors. The domain was created recently on February 21, 2026, indicating a fresh attempt to exploit users. It was flagged by Google Safe Browsing for social engineering and appeared on three security blocklists. VirusTotal reported that 13 out of 95 security vendors identified the domain as malicious. Importantly, the domain has since been taken offline, limiting further risk.

Users should remain vigilant against unsolicited links purporting to be from Coinbase or other financial services. It is crucial to verify URLs carefully and avoid entering credentials on suspicious sites. Employing multi-factor authentication on cryptocurrency accounts and using trusted official applications or websites can mitigate the risk of phishing. If users suspect they have interacted with this domain, they should monitor their accounts for unauthorized activity and consider changing passwords immediately.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Coinbase
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence
- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.44.73
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["tiffany.ns.cloudflare.com", "milan.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status
- VirusTotal: 13 vendors flagged
  Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "CyRadar", "ESET", "Fortinet", "G-Data", "Google Safebrowsing", "Kaspersky", "Lionic", "Sophos", "VIPRE"]
- Google Safe Browsing: FLAGGED
- Blocklists: 3 hits
  Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019c7454-92aa-73b9-9587-fc28ca84b3d2.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/4a87bd08-9d27-435a-a5d0-33f4b2a43428
- PhishDestroy: https://phishdestroy.io/domain/en-extension-coinbase.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/en-extension-coinbase.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/en-extension-coinbase.pages.dev/
Last updated: 2026-03-19