context safety score
A score of 38/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
script/meta redirect patterns detected in page source
cloaking
Page conditionally redirects based on referrer or user-agent
cloaking
Page loads content in transparent or zero-size iframe overlay
js obfuscation
JavaScript uses Function constructor for runtime code generation
obfuscated code
Site configuration JSON is obfuscated using base64-encoded tokens embedded in the HTML. An array of base64 strings (e.g., 'c2NyaXB0', 'c2R0dmtrLTEwNzMtcHBw', 'b3NzLWFjY2VsZXJhdGUuYWxpeXVuY3MuY29t') are used as keys to dynamically replace text in the config at runtime via atob() and decodeURIComponent(). The actual CDN host (sdtvkk-1073-ppp.oss-accelerate.aliyuncs.com) is hidden and replaced with location.origin to mask the true asset origin. (location: page.html - inline <script> block containing LOBBY_SITE_CONFIG initialization)
obfuscated code
Asset URLs throughout the site config use a malformed URL structure embedding base64 strings as fake URL credentials: 'https://BASE64@uuid.BASE64@uuid/path'. For example: 'https://c2R0dmtrLTEwNzMtcHBw@8f3d47ed-25e1-4baf-a36e-084a050fa8f5.b3NzLWFjY2VsZXJhdGUuYWxpeXVuY3MuY29t@8f3d47ed-25e1-4baf-a36e-084a050fa8f5/...'. This pattern deliberately obfuscates the real destination hostname and evades static URL scanners. (location: page.html - registerLoginImg, channelGlobalConfig.appIcon, brandLogoUse, and all media asset URLs)
malicious redirect
JavaScript unconditionally redirects unsupported browsers to '/pages/browser/index.html?from='+encodeURIComponent(window.location.href) via window.location.href assignment in a nomodule script tag. Additionally, a separate redirect() function checks user-agent and performs conditional redirection. The 'antiban' full-screen overlay (z-index:99999) contains an 'antiban-forward' button capable of redirecting users to alternate domains, consistent with anti-detection evasion used by illicit gambling sites. (location: page.html - <script nomodule> tag and antiban CSS/JS block)
hidden content
A 1x1 pixel invisible iframe is dynamically injected into the document body with style position:absolute, top:0, left:0, border:none, visibility:hidden. This iframe is used to inject a Cloudflare challenge script (__CF$cv$params) into the page context. While potentially legitimate for bot detection, the technique is also a known vector for hidden tracking or credential interception. (location: page.html - dynamic iframe creation script at bottom of <body>)
hidden content
Login slogan text is rendered in white (#ffffff) on a white background in the site configuration: '<span style="color: #ffffff;">Refer a friend to receive...' This white-on-white text pattern is a classic technique to embed content invisible to human users but readable by crawlers or AI agents. (location: page.html - loginSlogan value in LOBBY_SITE_CONFIG JSON)
social engineering
Site aggressively promotes unrealistic financial rewards to lure users into registering: '58.88 pesos for free' on registration, 'grab ₱ 55555.55 every day', 'daily commission is as high as 5.0%', 'earn tens of millions a month', 'VIP, no deposit required, receive ₱ every week/month'. These inflated claims are designed to manipulate users into providing personal and financial details. (location: page.html - loginSlogan, loginGameDownloadAppTips, and promotional text in LOBBY_SITE_CONFIG)
credential harvesting
The site is an unlicensed online gambling platform (betpk55.com presenting as 'BetPK Official') collecting sensitive user credentials including phone number, email, password, real name, CPF (tax ID), bank withdrawal passwords, Google Auth tokens, and device fingerprints (FingerprintJS public key: cIMrDd2qJKZFByajXD7O). The site references PAGCOR (Philippine gaming regulator) to add false legitimacy while collecting extensive KYC data including place of birth, employer name, income source, and ID photos. (location: page.html - accountRegister, phoneRegister, emailRegister, securityVerify, and kyc config objects in LOBBY_SITE_CONFIG)
malicious redirect
iOS .mobileconfig profile files are served for download via obfuscated URLs pointing to Alibaba Cloud OSS (sdtvkk-1073-ppp.oss-accelerate.aliyuncs.com). Mobile configuration profiles can install root CA certificates, VPN configs, or MDM enrollment on iOS devices, enabling full traffic interception. Two profiles are linked: '2028660109170044929.mobileconfig' (linked as '88betpk.com' Speed Version) and '1994774289625362433.mobileconfig' (linked as 'apple.iosbetpk.com'). (location: page.html - downloadList entries with type:3 linkType:0 in LOBBY_SITE_CONFIG)
brand impersonation
The site operates as 'betpk55.com' but presents itself as 'BetPK Official' and 'BETPK.APP', referencing the brand domain 'betpk.com' and subdomain variants '88betpk.com' and 'apple.iosbetpk.com'. The numeric suffix '55' in the domain combined with the clean brand presentation is consistent with a typosquatting or satellite-domain strategy used to impersonate or redirect traffic from the primary brand. (location: metadata.json - domain: betpk55.com; page.html - brandName BetPK Official, downloadList links 88betpk.com and apple.iosbetpk.com)
curl https://api.brin.sh/domain/betpk55.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
betpk55.com currently scores 38/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.