# extension-coin-base.pages.dev — MALICIOUS

> extension-coin-base.pages.dev is a high-risk phishing domain impersonating Coinbase. Avoid interaction and ensure your credentials are secure.

## Summary

PhishDestroy identifies extension-coin-base.pages.dev as a high-risk brand impersonation domain targeting Coinbase users. This malicious site was created recently on February 21, 2026, and is designed to deceive users by mimicking the trusted Coinbase brand. The primary threat posed by this domain is social engineering via phishing techniques aimed at harvesting sensitive user credentials and financial information.

Technically, the domain is registered through Cloudflare, Inc. and resolves to IP address 172.66.47.151. It has been flagged on three separate security blocklists, and VirusTotal reports that 13 out of 95 security vendors detect it as malicious. Additionally, Google Safe Browsing categorizes this domain under social engineering threats, confirming its intent to mislead users. The webpage title observed was "Suspected phishing site | Cloudflare," which aligns with the domain's identified purpose.

Currently, extension-coin-base.pages.dev is offline, likely due to takedown actions prompted by its detection. Users should remain vigilant and avoid accessing or interacting with this domain. It is recommended that anyone who has visited the site monitor their accounts for suspicious activity and update their credentials where applicable. Continuing awareness and reporting of such domains are critical to preventing credential theft and financial fraud.

## Threat Details

- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Coinbase
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence

- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.47.151
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["courtney.ns.cloudflare.com", "keanu.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status

- VirusTotal: 13 vendors flagged
  - Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "CyRadar", "ESET", "Fortinet", "G-Data", "Google Safebrowsing", "Lionic", "Sophos", "VIPRE", "Webroot"]
- Google Safe Browsing: FLAGGED
- Blocklists: 3 hits
  - Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence

- Screenshot: https://urlscan.io/screenshots/019aa410-5358-704b-9ce5-1c074d3b0765.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/1a48ba17-a641-4a28-81bd-ff5c4bdb7ccd
- PhishDestroy: https://phishdestroy.io/domain/extension-coin-base.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/extension-coin-base.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/extension-coin-base.pages.dev/

Last updated: 2026-03-19