context safety score
A score of 30/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
script/meta redirect patterns detected in page source
cloaking
Page conditionally redirects based on referrer or user-agent
cloaking
Page loads content in transparent or zero-size iframe overlay
js obfuscation
JavaScript uses Function constructor for runtime code generation
obfuscated code
CDN resource URLs are systematically obfuscated using base64-encoded subdomains and domain components separated by UUID tokens (e.g., 'https://MGxvOWVpLTIwODktcHBw@e21f93a3-4cc3-424c-aff0-6c7931e4f59d.b3NzLWFjY2VsZXJhdGUuYWxpeXVuY3MuY29t@e21f93a3-4cc3-424c-aff0-6c7931e4f59d/...'). Decoded: subdomain '0lo9ei-2089-ppp' and domain 'oss-accelerate.aliyuncs.com'. Additionally, the word 'description' is split as 'dec2NyaXB0@...ion' where 'c2NyaXB0' decodes to 'script', deliberately fragmenting sensitive keywords to evade static scanners. (location: page.html: multiple inline script blocks and JSON config object)
malicious redirect
Multiple redirect chains are present: (1) Browser-sniffing redirect to '/pages/browser/index.html?from='+encodeURIComponent(window.location.href) passes the full originating URL as a parameter to an intermediate page; (2) WeChat user-agent detection redirects to '/pages/wechat/index.html?payload=' with a base64-encoded JSON payload containing the original URL; (3) Device-type redirect using '__device_redirect' URL parameter manipulates the user's path. These mechanisms fingerprint users and route them through intermediate pages before reaching the actual content. (location: page.html: inline scripts near </head> and body; LOBBY_UTILS.redirect() function)
hidden content
A 1x1 pixel invisible iframe (height=1, width=1, position=absolute, visibility=hidden) is injected into the document body to execute a Cloudflare challenge script from '/cdn-cgi/challenge-platform/scripts/jsd/main.js'. This hidden iframe silently runs JavaScript in a separate document context without user awareness. Additionally, an 'antiban' overlay element (z-index:99999, covers full viewport) is defined in CSS, acting as a full-screen interception layer that can be triggered programmatically. (location: page.html: Cloudflare challenge injection script block near end of body; .antiban CSS class)
credential harvesting
The site (678BD.com, an online gambling platform targeting Bangladesh) collects extensive personal data through login/registration flows: phone number, password, email, CPF (taxpayer ID), KYC documents (eKYC face scan, identity documents), employer name, income source, place of birth, and full name. FingerprintJS is deployed with public key 'cIMrDd2qJKZFByajXD7O' for device fingerprinting. Geetest behavioral analytics IDs are present for Android, iOS, and web. SMS phone verification is enabled. The site operates from 678bd44.com (244 days old) while branding as 678BD.com, 678bd.app, and 678bd.org — suggesting the .com brand's credentials are being harvested through a surrogate domain. (location: page.html: LOBBY_SITE_CONFIG JSON object; fingerprintJS and geetest config fields; legalUser* KYC fields)
social engineering
The site aggressively uses social engineering tactics: (1) Promises of BDT 200 referral bonuses and 3.7% lifetime agent commissions to recruit users as 'agents'; (2) PAGCOR (Philippine Amusement and Gaming Corporation) regulatory authority is falsely invoked in KYC freeze warnings to create urgency and coerce users into submitting identity documents within 72 hours or face account suspension; (3) Active Telegram group links (t.me/+vbUcH2kK8Kg4ZGI9, t.me/mjl77BD) and a WhatsApp channel are embedded in promotional banners to move users to unmonitored communication channels; (4) Login slogan uses Bengali language targeting Bangladeshi users who may not recognize the domain mismatch. (location: page.html: meta description, loginSlogan field, legalUserEkycTips/legalUserFreezeTips fields, announcement banner HTML)
brand impersonation
The site is hosted at 678bd44.com but consistently brands itself as '678BD.com' across title, OG tags, Twitter cards, and all user-facing content. The site also references sister domains 678bd.app, 678bd.org, and ios678bd.com, creating a network of domains around the '678BD' brand. The actual scanned domain (678bd44.com) does not match any of the branded domains, indicating this is either a clone, a backup/redirect domain, or a surrogate used to survive takedowns of the primary 678BD.com brand. The page title in HTML explicitly reads '678BD.com' while the real domain is 678bd44.com. (location: page.html: <title> tag, og:title, twitter:title meta tags; siteName and title fields in LOBBY_SITE_CONFIG)
malicious redirect
An in-page banner/popup contains a jumpUrl redirect to 'https://77bd.com/' — a separate domain — suggesting users can be silently redirected to a different gambling or potentially malicious site via ad banner interaction. The redirect is configured with jumpAction:1 in the site config data. (location: page.html: messageBannerIndex config object with jumpUrl field pointing to 77bd.com)
obfuscated code
External APK files (Android apps) are hosted on an Amazon S3 bucket with an obfuscated bucket name ('6rlwax-2089-ppp') and served via URLs with cache-busting timestamp parameters. Three APK variants are present: bf424c_sn.apk (v1.1.50, 6.77MB), bf424c_nn_v3.apk (v6.3.5), and bf424c_nn64_v3.apk. Additionally, iOS configuration profiles (.mobileconfig files) are distributed via the obfuscated Aliyun CDN — iOS mobileconfig files can install root certificates or VPN profiles that intercept all device traffic. (location: page.html: apiGetAppDownloadInfo config; mobileconfig entries in download config with links to ios678bd.com and 678bd.org)
hidden content
The page uses 'deleteOgImage()' function that programmatically removes all og:image meta tags from the DOM at runtime. This suggests the page is aware it may be scraped by bots or link-preview crawlers and deliberately alters its metadata after page load to present different content to crawlers versus real users — a cloaking technique. (location: page.html: deleteOgImage() function in LOBBY_UTILS object)
social engineering
A sensor/analytics URL pattern 'https://*.lunamon.net' is configured as the sensorBaseUrl, alongside a UUID-based LOG tracking identifier (e4f3804558aa1bae2fc0b9244023981b). The domain lunamon.net is used as a behavioral analytics/sensor data collection endpoint, enabling covert user behavior tracking across the session without explicit disclosure. (location: page.html: sensorBaseUrl and LOG.uuid fields in LOBBY_SITE_CONFIG)
curl https://api.brin.sh/domain/678bd44.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
678bd44.com currently scores 30/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.