It seems easy to prevent for Coinbase.

But what if you get a sign-up from a small local business in Uruguay, from domain xcoffee.com.uy for string "XCoffee" with logo "XCoffee"? You check DNS ownership automatically, email, external SSO, etc. Great.

You even have an employee check their web site and check the string and logo. Fine.

But what you don't know is that there is a real local business called XCoffee with that logo operating, but on domain x-cafe.com.uy, and the request is coming from someone targeting their customers.

How will you prevent that, without hiring hundreds of human investigators as you scale?

DNS registrars have the same problem (if they even try), it's not easily solved.