context safety score
A score of 34/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
phishing
3 deceptive links where visible host does not match destination host
brand impersonation
The scanned URL is 23win1.it.com but the page presents itself as the official 23WIN brand (23WIN.COM), with canonical URL set to jyy.uk.com and all content/assets served from jyy.uk.com. The site impersonates the 23WIN gambling brand using a third-party domain chain (23win1.it.com -> jyy.uk.com) with full logo, branding, and content copied from or mimicking the official brand identity. (location: page.html:11-14, metadata.json domain field, <link rel='canonical' href='https://jyy.uk.com/'>)
malicious redirect
The scanned domain 23win1.it.com redirects visitors through an intermediary (3 redirects flagged in pre-scan) ultimately serving content from jyy.uk.com. All internal links, assets, forms, and canonical tags point to jyy.uk.com rather than the scanned domain, indicating a redirect chain designed to obscure the true destination and evade blocklists targeting the primary domain. (location: page.html:14 (canonical), .brin-context.md: Redirects: 3)
social engineering
The page aggressively promotes an unlicensed/offshore gambling platform using fabricated legitimacy claims: falsely claiming Isle of Man, PAGCOR, and Curacao eGaming licenses; claiming SSL 256-bit security; boasting 1 million daily visitors; offering free money (66K, 88K bonuses) to lure users to register; and using urgency and reward language throughout ('Truy cập ngay', 'nhận 66K miễn phí', 'Tặng 88K', 'VIP Thưởng Tới 8888K'). These are classic social engineering tactics to drive financial engagement. (location: page.html:389-401, page-text.txt:202-214, page.html:364)
phishing
The 'ĐĂNG KÝ' (Register) and 'ĐĂNG NHẬP' (Login) buttons in the header and mobile menu link to https://example.com/dang-ky and https://example.com/dang-nhap respectively — placeholder/suspicious off-domain URLs — instead of the site's own domain. This is consistent with a phishing setup where registration/login actions redirect users to a separate credential-harvesting endpoint. This matches the flagged 'off-domain form actions: 1' and 'deceptive link count: 3' in pre-scan. (location: page.html:211-265, page.html:1054-1108)
credential harvesting
Login ('ĐĂNG NHẬP') and registration ('ĐĂNG KÝ') buttons redirect to https://example.com/dang-nhap and https://example.com/dang-ky — domains entirely unrelated to the site's own jyy.uk.com domain. Directing users to input credentials or personal data on an off-domain destination is a credential harvesting vector. The mobile sidebar also contains non-linked register/login buttons (no href), indicating partially constructed phishing infrastructure. (location: page.html:249-265, page.html:1039-1050, page.html:1054-1108)
hidden content
Two tab panels (tab_2329540164 and tab_1445330130) are rendered as active but contain no visible content — they are empty panels used alongside hidden secondary tabs (tab_2447237513, tab_926745477) that contain lists of third-party gambling site links. These partner/affiliate link networks are placed in secondary tabs not visible by default, effectively hiding outbound link networks from casual inspection while still providing SEO link juice and redirect paths to other gambling sites. (location: page.html:700-706, page.html:951-961)
malicious redirect
Hidden tab panels contain networks of outbound links to numerous other gambling domains (uu88vip.za.com, tt88.gr.com, au88.mex.com, pg88vip.it.com, 99okvip.it.com, au88bet.it.com, 88vv.jpn.com, tr88vip.co.com, 555win1.it.com, hm88.network, 555win5.co.com, uu88.miami, hm88.bike, uu88vip.sa.com, pg88.tattoo, 88aa8.it.com, 32winvip.casa, pg88bet.it.com, tt88.mex.com, vz99e.com, 68win.za.com, tr88bet.it.com, loto188.deal, 88aa1.it.com). These links form a coordinated network of gambling redirect sites hidden in inactive tab panels. (location: page.html:703-705, page.html:957-959)
prompt injection
The page content embeds HTML class attributes and data attributes that closely mimic ChatGPT/GPT interface markup (data-message-author-role='assistant', data-message-model-slug='gpt-5-2', data-message-model-slug='gpt-5-mini', data-turn-id containing 'request-WEB:', data-testid='conversation-turn-*', class='agent-turn', class='markdown prose dark:prose-invert'). This is injected inside the visible page content div, designed to make AI web-browsing agents believe they are reading prior AI assistant output, potentially influencing agent reasoning by fabricating a trusted AI response context. (location: page.html:374-416, specifically lines 374, 378, 382, 386 with data-message-model-slug, data-message-author-role, agent-turn classes)
curl https://api.brin.sh/domain/23win1.it.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
23win1.it.com currently scores 34/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.