context safety score
A score of 40/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page conditionally redirects based on referrer or user-agent
brand impersonation
The site dfbocai.net fully impersonates Dafabet (dafabet.com), copying its branding, logo, title ('Dafabet is The Most Secure Online Betting Company in Asia'), layout, content, and even canonical/hreflang tags pointing to www.dafabet.com. The domain dfbocai.net is not dafabet.com and operates as a lookalike clone of the legitimate Dafabet gambling brand. (location: page.html: <title>, <meta>, <link rel='canonical'>, logo, footer — entire page)
credential harvesting
A fully functional login form (username + password fields) POSTs credentials to /en/login on the impersonator domain dfbocai.net. Users who believe they are on the real Dafabet site will submit their credentials directly to the attacker-controlled server. (location: page.html line 29: <form name='LoginForm' method='post' action='/en/login'>)
phishing
The site is a phishing clone of dafabet.com hosted on dfbocai.net. It mimics the legitimate Dafabet gambling portal — including branding, sponsorship logos, promotions, and legal text — to deceive users into believing they are on the real site and submitting login credentials or registering accounts. (location: page.html — entire page; metadata.json: url=https://dfbocai.net)
malicious redirect
A domain synchronization script pushes 'login.wsocdd.com' into a self.$domainSync array on page load. This unknown third-party domain is silently registered as a sync target, indicating cross-domain session tracking or redirect infrastructure used to relay authenticated sessions or track users across attacker-controlled domains. (location: page.html line 18: self.$domainSync.push('login.wsocdd.com'))
malicious redirect
The Facebook social link does not point to facebook.com/dafabet but instead redirects through dfgameplay.com/gjdnjr — an unrelated third-party domain that could be an attacker-controlled redirect or affiliate tracking link used to obscure the final destination. (location: page.html line 379: href='https://dfgameplay.com/gjdnjr')
social engineering
The site includes a 'Identify Fake vs Real Casino' footer link (pointing to /en/spot-fake-website on the impersonator domain itself), a tactic used by phishing sites to preemptively disarm victim suspicion by appearing to warn about fakes while being the fake itself. (location: page.html line 378: <a href='https://www.dfbocai.net/en/spot-fake-website'>Identify Fake vs Real</a>)
hidden content
A 0x0 invisible iframe loads Google Tag Manager noscript content (display:none;visibility:hidden). While GTM itself is legitimate, the GTM container ID GTM-TQD7V7Q is loaded on an impersonator domain and could be used to inject additional scripts, exfiltrate form data, or load malicious payloads dynamically without appearing in the static HTML. (location: page.html line 431: <noscript><iframe src='https://www.googletagmanager.com/ns.html?id=GTM-TQD7V7Q' height='0' width='0' style='display:none;visibility:hidden'>)
credential harvesting
Google Analytics scripts read the 'username' cookie value and transmit it as a userId and dimension3 parameter to Google Analytics. On a phishing site, this leaks authenticated usernames to analytics endpoints and potentially to the attacker's GTM/GA account (UA-50208224-21, UA-89039619-1). (location: page.html lines 458-478: readCookie('username') sent via ga('set','userId',userId))
curl https://api.brin.sh/domain/dfbocai.netCommon questions teams ask before deciding whether to use this domain in agent workflows.
dfbocai.net currently scores 40/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.