# ext-conbasee.framer.ai — SUSPICIOUS > PhishDestroy identifies ext-conbasee.framer.ai as a live Coinbase-brand impersonation phishing page (0/95 VirusTotal detections). Check the full report. ## Summary PhishDestroy identifies ext-conbasee.framer.ai as an active Coinbase-brand impersonation phishing campaign under investigation, posing as a fraudulent 'Coinbase Extension – Secure Web3 Wallet' web page. The domain’s low detection rate and deliberate mimicry of a major cryptocurrency brand indicate a high-risk attempt to harvest user credentials and Web3 wallet access. This threat is not merely generic phishing—it is a targeted brand impersonation attack designed to exploit trust in Coinbase’s name and deceive users into installing malicious browser extensions or surrendering sensitive wallet recovery phrases. The risk level remains under investigation due to evolving infrastructure, but current indicators strongly suggest malicious intent and potential for widespread compromise. This domain was flagged by PhishDestroy’s seed c6bdef with the following technical indicators: it resolves to IP address 31.43.161.6, hosts a Let’s Encrypt SSL certificate, and presents a page titled 'Coinbase Extension – Secure Web3 Wallet' on framer.ai’s subdomain platform. The domain currently shows 0/95 detections on VirusTotal, indicating no AV or security vendor flagging as of the latest scan. While registrar and creation date are not provided in open sources, the use of framer.ai’s platform and the immediate availability of the malicious page suggest rapid deployment for phishing purposes. It is not currently listed on major blocklists such as PhishTank, OpenPhish, or Google Safe Browsing, and WHOIS trust scores remain neutral due to the domain’s recent appearance. To mitigate exposure to this specific threat, users must avoid accessing ext-conbasee.framer.ai or any framer.ai subdomain claiming to offer 'Coinbase Extensions' or 'Web3 Wallets.' Only download cryptocurrency-related software and browser extensions directly from the official Coinbase website (coinbase.com) or verified distribution points such as official app stores or GitHub under Coinbase’s verified account. Enable multi-factor authentication (MFA) on all crypto accounts and use hardware wallets for high-value assets. Security teams should block the IP 31.43.161.6 and monitor DNS for similar Coinbase-branded impersonations. Report any interactions with this domain to Coinbase’s abuse team and your internal security operations center. Always verify URLs via official sources before entering credentials or downloading software. ## Threat Details - Verdict: SUSPICIOUS - Site status: alive (HTTP ?) - Target brand: Coinbase - Page title: Coinbase Extension – Secure Web3 Wallet ## Domain Intelligence - Registrar: REGISTRAR_NOT_FOUND - IP: 31.43.161.6 ## Detection Status - VirusTotal: 0 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/c18259c7-e8cd-415d-9d24-f8ed1cbb3f3d - PhishDestroy: https://phishdestroy.io/domain/ext-conbasee.framer.ai/ - LLM endpoint: https://phishdestroy.io/domain/ext-conbasee.framer.ai/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/ext-conbasee.framer.ai/ Last updated: 2026-04-11