context safety score
A score of 33/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page conditionally redirects based on referrer or user-agent
credential harvesting
The initAccount() function reads 'token', 'account', 'password', and 'loginType' from IndexedDB and transmits them via postMessage to a parent window with wildcard origin '*'. This allows any parent frame to receive plaintext credentials including passwords and session tokens. (location: page.html:74-93)
credential harvesting
When loaded in an iframe with query param unTopWindow=true, the page exfiltrates stored credentials (token, account, password, loginType) to the parent window via window.parent.postMessage with no origin restriction ('*'). This enables cross-origin credential theft when embedded by an attacker-controlled page. (location: page.html:77-82)
social engineering
The site advertises a 'free random sign up bonus' and claims users can 'withdraw it after one round of betting', a classic gambling lure used to harvest registration data (name, payment info, credentials) from victims under false pretense of easy winnings. (location: page.html:1-2 (meta description/og:description))
brand impersonation
The page presents itself as 'JILIQQ.APP' while hosted on the unrelated domain fty7f9f9.com (72 days old). The mismatch between the branded identity and the actual domain is consistent with a spoofed or cloned gambling brand site used to harvest credentials from users of the legitimate JILIQQ platform. (location: page.html:6-9, metadata.json)
obfuscated code
window.__APP_CONFIG__.domainInfo contains a large base64/custom-encoded blob (begins with '==AR3UCR3UCR3UCR3Ui...') that is decoded and executed at runtime. The actual configuration and behavior of the app is hidden behind this obfuscation, preventing static analysis of redirect targets, API endpoints, and data exfiltration destinations. (location: page.html:18)
phishing
A newly registered domain (72 days old) with unknown hosting reputation is impersonating a branded gambling app (JILIQQ.APP) to collect user registrations. The combination of a deceptive bonus offer, brand spoofing, and credential storage/transmission code is consistent with a phishing operation targeting gambling platform users. (location: metadata.json, page.html:1-18)
malicious redirect
The page loads the Telegram Web App SDK (telegram.org/js/telegram-web-app.js), integrating with Telegram's mini-app infrastructure. Combined with the obfuscated APP_CONFIG and credential-passing postMessage logic, this enables silent redirects or exfiltration through Telegram bot channels. (location: page.html:115)
hidden content
The page renders an empty <title> tag and places all visible content inside a Vite SPA bundle (/assets/index-B3UOCdSi.js). The actual UI, login forms, and data collection flows are hidden in JavaScript bundles and not present in the static HTML, evading content-based scanners. (location: page.html:115 (<title></title>), page-text.txt:1)
curl https://api.brin.sh/domain/fty7f9f9.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
fty7f9f9.com currently scores 33/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.