# get-coinbase-extnsion.pages.dev — MALICIOUS

> Discover details on get-coinbase-extnsion.pages.dev, a phishing domain impersonating Coinbase. Learn why this site poses a high risk and is offline now.

## Summary
PhishDestroy identifies get-coinbase-extnsion.pages.dev as a high-risk phishing domain targeting Coinbase users. This campaign attempts brand impersonation to deceive victims into trusting fraudulent content, potentially leading to credential theft or financial loss. The importance lies in protecting users from social engineering attacks that exploit well-known brands to gain unauthorized access.

The domain was registered through Cloudflare, Inc. on February 21, 2026, and resolved to IP address 172.66.44.57. It appeared on multiple security blocklists and was flagged by Google Safe Browsing for social engineering risks. Additionally, VirusTotal detected suspicious activity with 15 out of 95 security vendors marking the domain as malicious. At the time of reporting, the domain has been taken offline, and its Cloudflare-hosted page displayed the title "Suspected phishing site | Cloudflare," indicating active mitigation efforts.

Users are strongly advised to avoid interacting with this domain or similar sites. Do not enter any personal or login information if you encounter suspicious Coinbase-related URLs, especially those that differ from official domains. Always verify URLs and consider using multi-factor authentication on your accounts. Reporting such phishing attempts to security teams and service providers helps prevent further victimization.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Coinbase
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence
- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.44.57
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["zainab.ns.cloudflare.com", "carl.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status
- VirusTotal: 15 vendors flagged
  Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "Chong Lua Dao", "CyRadar", "ESET", "Fortinet", "G-Data", "Google Safebrowsing", "Kaspersky", "Lionic", "Sophos", "VIPRE", "Webroot"]
- Google Safe Browsing: FLAGGED
- Blocklists: 3 hits
  Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019cb101-4383-7298-a837-58c4ab7c0abc.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/3803416c-3d90-4e03-a707-bbd5cc33503e
- PhishDestroy: https://phishdestroy.io/domain/get-coinbase-extnsion.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/get-coinbase-extnsion.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/get-coinbase-extnsion.pages.dev/
Last updated: 2026-03-19