context safety score
A score of 36/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page loads content in transparent or zero-size iframe overlay
brand impersonation
The domain coolbet-mx.com impersonates the legitimate Coolbet brand (coolbet.com) by registering a typosquat/geo-variant domain with '-mx' suffix. The site reproduces Coolbet branding, logos, casino content, and bonus offers to deceive users into believing it is the official Coolbet Mexico platform. Domain is only 104 days old and hosts content serving affiliate/redirect URLs to a separate domain (bet777-mx.com, img.bet777-mx.com). (location: https://coolbet-mx.com / page.html:10, page.html:260, metadata.json)
phishing
The site poses as an official Coolbet casino platform for Mexican users, advertising fake bonuses (AU$1,540 + 600 FS, bono $2770MXN, bono $800 MXN sin depósito) to lure users into clicking through to /khuyen.php — a redirect endpoint on the same server likely leading to a third-party gambling affiliate or credential-harvesting site. Multiple CTAs ('Reclamar bono', 'Regístrate ahora') are designed to funnel users into registrations. (location: page.html:651, page.html:996, page-text.txt:401, page-text.txt:746)
malicious redirect
Multiple links and CTAs throughout the page (header ad, sidebar, footer, floating popup button) all redirect to /khuyen.php via window.open() in JavaScript. This endpoint is an opaque redirect target not on the legitimate Coolbet domain. Images and assets are served from a separate domain (img.bet777-mx.com), indicating a shadow infrastructure. The floating popup script (fp-popup) explicitly sets REDIRECT_URL = '/khuyen.php' and opens it in a new window on click. (location: page.html:266, page.html:873, page.html:996, page.html:1258, page-text.txt:974)
social engineering
The site employs multiple high-pressure social engineering tactics: (1) animated floating popup with random shake animations to draw attention and trigger clicks; (2) urgency-inducing bonus claims ('bono sin depósito de hasta $800 MXN', 'Bono $2770MXN', 'AU$1,540 + 600 FS + secret bonus'); (3) rainbow animated CTA buttons designed to attract clicks; (4) fake 'welcome bonus with promo code TOP30' instructions mimicking real casino promotions; (5) countdown-style re-appearance of popup every 50 seconds to persistently pressure users. (location: page.html:651, page.html:996, page-text.txt:401, page-text.txt:911-1068)
hidden content
A floating popup image element (.fp-popup-container) is injected at z-index 2147483647 (maximum possible z-index) and positioned fixed at center of screen, overlaying all page content. It is marked aria-hidden='false' to appear accessible but is functionally an intrusive overlay not part of the page content. Additionally, CSS comments are written in Chinese (indicating the actual developer context is hidden from Spanish-speaking users), and background images are loaded from an external domain (img.bet777-mx.com) obscuring the true content infrastructure. (location: page.html:1194-1251, page.html:118, page-text.txt:911-961)
prompt injection
A post title on the site contains a literal AI content-generation instruction leaked into the public page: 'coolbet bonos gratis casino。El primer párrafo debe contener la palabra clave " juegos de casino con bono sin deposito " en su totalidad y debe comenzar con una pregunta.' This is a raw AI prompt instruction that was accidentally published as a post title and slug, indicating the site content was mass-generated using AI with prompt instructions exposed. This constitutes a prompt injection artifact visible to AI agents crawling the site. (location: page.html:848-856, page-text.txt:605)
brand impersonation
The site's footer contains a network of 'dofollow' links to other suspected impersonation/affiliate domains using 'www-' prefixed non-standard URLs (e.g., https://www-888casino.com, https://www-betsson.com, https://www-pokerstars.com, https://www-codere.com) that impersonate major legitimate gambling brands. These are not official brand domains and are consistent with a network of brand-squatting affiliate sites. (location: page.html:998-1022)
social engineering
The footer displays a physical Mexican address (Calle López Cotilla 1780, Col. Arcos Vallarta, Guadalajara, Jalisco) and a phone number (+52 81 5904 8863) to create a false appearance of legitimacy as a real registered business. The embedded Google Maps iframe shows 'Hotel Abastos Plaza' — unrelated to Coolbet — suggesting the address is fabricated or borrowed to add credibility. (location: page.html:996, page.html:998)
curl https://api.brin.sh/domain/coolbet-mx.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
coolbet-mx.com currently scores 36/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.