# extension-chroma-matamask.pages.dev — MALICIOUS

> Warning: extension-chroma-matamask.pages.dev is flagged for phishing. Avoid interaction; site is offline but was highly risky.

## Summary
PhishDestroy identifies extension-chroma-matamask.pages.dev as a high-risk phishing domain designed to deceive users by mimicking legitimate crypto wallet services. This domain exhibited social engineering tactics targeting individuals to steal sensitive credentials or funds. The threat was classified as generic phishing due to its broad approach to luring victims without a specific brand impersonation.

The domain was registered on February 21, 2026, via Cloudflare, Inc., a common registrar exploited for anonymity and rapid infrastructure deployment. Google Safe Browsing flagged it for social engineering, while VirusTotal detected suspicious activity with 13 out of 95 security vendors confirming malicious intent. Additionally, this domain appeared on three separate security blocklists, further confirming its nefarious use. Hosting on a Cloudflare subpage (pages.dev) allowed threat actors to leverage a trusted content delivery network, increasing the likelihood of user trust.

Currently, extension-chroma-matamask.pages.dev is taken offline, reducing immediate risk to users. However, due to its recent creation date and high-risk profile, users and organizations should remain vigilant. It is recommended to avoid clicking links related to this domain, implement robust email filtering, and educate end-users about phishing tactics. Continuous monitoring of similar Cloudflare-hosted phishing setups is advised to prevent future attacks.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: MetaMask
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence
- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.44.103
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["noor.ns.cloudflare.com", "leif.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status
- VirusTotal: 13 vendors flagged
  Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "CyRadar", "Forcepoint ThreatSeeker", "Fortinet", "G-Data", "Google Safebrowsing", "Kaspersky", "Lionic", "Sophos", "Webroot"]
- Google Safe Browsing: FLAGGED
- Blocklists: 3 hits
  Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019a6f58-ca3b-752c-bff4-852d3f37320e.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/2ea276e3-bbed-43e7-9ac5-64738f4de21d
- PhishDestroy: https://phishdestroy.io/domain/extension-chroma-matamask.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/extension-chroma-matamask.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/extension-chroma-matamask.pages.dev/
Last updated: 2026-03-19