# learn-coinbasextension-us.pages.dev — MALICIOUS

> Avoid the domain learn-coinbasextension-us.pages.dev—it impersonates Coinbase and is flagged for social engineering. Do not interact with this site.

## Summary

PhishDestroy has identified the domain learn-coinbasextension-us.pages.dev as a malicious site engaging in brand impersonation targeting Coinbase users. This high-risk threat aims to deceive victims into divulging sensitive credentials under the guise of a trusted cryptocurrency platform, posing significant financial and privacy risks.

The domain was registered via Cloudflare, Inc. on February 21, 2026, and resolves to IP address 172.66.47.158. It has appeared on multiple security blocklists and is flagged by Google Safe Browsing for social engineering tactics. VirusTotal analysis indicates that 14 out of 95 security vendors detect this domain as malicious. Notably, the site is currently offline, which helps mitigate immediate risk.

Users should remain vigilant and avoid visiting this domain or clicking on any associated links. If you have interacted with this site, it is advisable to change your Coinbase account credentials immediately and monitor your accounts for suspicious activity. Always verify official Coinbase URLs and use multi-factor authentication to enhance security.

## Threat Details

- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Coinbase
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence

- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.47.158
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["hal.ns.cloudflare.com", "dell.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status

- VirusTotal: 14 vendors flagged
  - Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "CyRadar", "ESET", "Fortinet", "G-Data", "Google Safebrowsing", "Kaspersky", "Lionic", "Sophos", "VIPRE", "Webroot"]
- Google Safe Browsing: FLAGGED
- Blocklists: 3 hits
  - Lists: ["PhishDestroy", "MetaMask", "SEAL"]

## Evidence

- Screenshot: https://urlscan.io/screenshots/019ccefd-300b-71fe-85a0-c8234c793c24.png
- Cloudflare Radar: https://radar.cloudflare.com/scan/35ae02f2-ba26-4907-aefe-1d70eb0cdd41
- PhishDestroy: https://phishdestroy.io/domain/learn-coinbasextension-us.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/learn-coinbasextension-us.pages.dev/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/learn-coinbasextension-us.pages.dev/

Last updated: 2026-03-19