# nav-login-coinbase.pages.dev — MALICIOUS

> nav-login-coinbase.pages.dev impersonates Coinbase in a phishing scam. Learn how it was detected and taken offline promptly.

## Summary
PhishDestroy identifies nav-login-coinbase.pages.dev as a high-risk phishing domain impersonating the Coinbase brand. Classified under brand impersonation, this domain was created recently on February 21, 2026, and attempts to deceive users by mimicking Coinbase's login interface. The page title noted was 'Suspected phishing site | Cloudflare,' indicating hosting under Cloudflare's infrastructure.

Technical analysis reveals that nav-login-coinbase.pages.dev resolves to IP address 172.66.47.152 and is registered through Cloudflare, Inc. The domain was flagged by 14 out of 95 security vendors on VirusTotal and appears on two distinct security blocklists, confirming its malicious intent. These indicators collectively point to a well-structured phishing campaign aiming to capture user credentials by exploiting Coinbase's trusted brand.

The current operational status of nav-login-coinbase.pages.dev is offline, reflecting swift action to disrupt the phishing attempt. Although no active threat remains at this domain, users should remain vigilant of similar phishing campaigns. PhishDestroy continues monitoring such domains to provide timely intelligence and safeguard users from credential theft.

## Threat Details
- Verdict: MALICIOUS
- Site status: dead (HTTP 403)
- Target brand: Coinbase
- Page title: Suspected phishing site | Cloudflare

## Domain Intelligence
- Registered: 2026-02-21 07:01:08
- Registrar: Cloudflare, Inc.
- Country: US
- IP: 172.66.47.152
- IP Country: US
- IP City: San Francisco
- IP Org: AS13335 Cloudflare, Inc.
- Nameservers: ["bart.ns.cloudflare.com", "lola.ns.cloudflare.com"]
- SSL Issuer: Google Trust Services / WE1

## Detection Status
- VirusTotal: 14 vendors flagged
  Vendors: ["ADMINUSLabs", "ChainPatrol", "alphaMountain.ai", "BitDefender", "CyRadar", "ESET", "Forcepoint ThreatSeeker", "Fortinet", "G-Data", "Kaspersky", "Lionic", "Sophos", "VIPRE", "Webroot"]
- Google Safe Browsing: clean
- Blocklists: 2 hits
  Lists: ["PhishDestroy", "MetaMask"]

## Evidence
- Screenshot: https://urlscan.io/screenshots/019c8366-013d-71ce-9723-c21cdd37655e.png
- PhishDestroy: https://phishdestroy.io/domain/nav-login-coinbase.pages.dev/
- LLM endpoint: https://phishdestroy.io/domain/nav-login-coinbase.pages.dev/llm.txt

## If You Visited This Site
1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---
Report by PhishDestroy | https://phishdestroy.io/domain/nav-login-coinbase.pages.dev/
Last updated: 2026-03-19