# webmail.981009coinbase.com — SUSPICIOUS > PhishDestroy identifies webmail.981009coinbase.com as a Coinbase brand impersonation domain hosting a credential harvester. ## Summary PhishDestroy identifies webmail.981009coinbase.com as an active Coinbase brand impersonation domain operating as a credential harvester designed to deceive users into surrendering their Coinbase login credentials. The domain mimics Coinbase’s webmail infrastructure by embedding the brand name into a subdomain (981009coinbase.com), a common tactic used by threat actors to create an immediate sense of legitimacy. Credential harvesting domains like this one are frequently deployed in phishing campaigns targeting cryptocurrency users, where stolen credentials enable unauthorized access to accounts and subsequent fund theft. This domain does not host a drainer kit in the traditional EVM-based token approval sense but functions as a classic phishing portal to capture user credentials and session tokens. This domain presents multiple red flags confirmed by forensic analysis. The domain resolves to IP 20.169.249.163 and was registered through Sav.com, LLC on March 27, 2026. VirusTotal analysis shows 1 out of 95 security vendors flagged this domain as malicious (1/95). It appears on two independent security blocklists and is flagged as a known Google Safe Browsing (GSB) threat. The SSL certificate is issued by Let’s Encrypt, which does not inherently validate legitimacy but enables the domain to appear secure via HTTPS. These technical indicators collectively confirm its hostile classification and active misuse in credential theft operations. PhishDestroy confirms this domain is currently active and has been blocked by MetaMask and SEAL security systems. Immediate user action includes avoiding any interaction with this domain and never entering credentials or sensitive data. Organizations should block this domain at DNS and network levels using the provided IP (20.169.249.163) and domain name. While response actions have neutralized immediate exposure for most users, the risk remains elevated due to the domain's recent registration date and active status. Continuous monitoring is advised as threat actors frequently re-register similar domains following takedowns. ## Threat Details - Verdict: SUSPICIOUS - Site status: unknown (HTTP ?) - Target brand: Coinbase ## Domain Intelligence - Registered: 2026-03-27 04:37:31 - Registrar: Sav.com, LLC - IP: 20.169.249.163 ## Detection Status - VirusTotal: 1 vendors flagged - Google Safe Browsing: clean - Blocklists: 2 hits Lists: ["MetaMask", "SEAL"] ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/99f837e1-f826-4f82-b010-35e78913c22a - PhishDestroy: https://phishdestroy.io/domain/webmail.981009coinbase.com/ - LLM endpoint: https://phishdestroy.io/domain/webmail.981009coinbase.com/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/webmail.981009coinbase.com/ Last updated: 2026-03-27