diff --git a/indicators/coinbase-zG3nVT0g.yml b/indicators/coinbase-zG3nVT0g.yml
new file mode 100644
index 00000000..863f3235
--- /dev/null
+++ b/indicators/coinbase-zG3nVT0g.yml
@@ -0,0 +1,18 @@
+title: Coinbase Phishing zG3nVT0g
+description: Detects Coinbase recovery phrase scam websites. Often hosted on Glitch (https://glitch.com/).
+
+references:
+    - https://urlscan.io/result/68d77307-6932-4eae-b7b0-ca8157b2a50f/
+    - https://urlscan.io/result/bdf5c218-896f-4e17-b5ef-2b67f80041e2/
+    - https://urlscan.io/result/4a5ee737-6cf8-4028-9bfc-4e93afbe6627/
+
+detection:
+  imageFile:
+    # This image file is used on a lot of Coinbase scams in their forms.
+    html|contains: 'https://i.postimg.cc/zG3nVT0g/cb675.png'
+
+  condition: imageFile
+
+tags:
+    - target.coinbase
+    - cryptocurrency