diff --git a/indicators/coinbase-recovery-phrase-phishing.yml b/indicators/coinbase-recovery-phrase-phishing.yml
new file mode 100644
index 00000000..4a22b61a
--- /dev/null
+++ b/indicators/coinbase-recovery-phrase-phishing.yml
@@ -0,0 +1,18 @@
+title: Coinbase Recovery Phrase Phishing
+description: Detects Coinbase recovery phrase scam websites.
+
+references:
+ - https://urlscan.io/result/68d77307-6932-4eae-b7b0-ca8157b2a50f/
+ - https://urlscan.io/result/bdf5c218-896f-4e17-b5ef-2b67f80041e2/
+ - https://urlscan.io/result/4a5ee737-6cf8-4028-9bfc-4e93afbe6627/
+
+detection:
+ imagefile:
+ # This image file is used on a lot of Coinbase scams in their forms.
+ html|contains: 'https://i.postimg.cc/zG3nVT0g/cb675.png2'
+
+ condition: imagefile
+
+tags:
+ - Coinbase Phishing
+ - Crypto Scams
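Review bot: The `html|contains` value under `imagefile` ends in `.png2`, which looks like a stray character after the file extension. If the pages in the referenced urlscan results embed `cb675.png`, this substring can never match and the rule silently detects nothing. Please confirm against those scans and, if it is a typo, use `html|contains: 'https://i.postimg.cc/zG3nVT0g/cb675.png'`. Separately, the rule rests on a single image URL on a third-party host, so it stops matching as soon as the image is re-uploaded or referenced without the `https://` prefix. Matching on `i.postimg.cc/zG3nVT0g/cb675.png` alone would be somewhat more tolerant, and the comment could name the scan the URL was taken from.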