context safety score
A score of 39/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
brand impersonation
The page is hosted at hi2999.com but all structured data, canonical links, og:url, og:site_name, schema.org @id, and breadcrumb item URLs point to hi88xx.com — a different domain. The site impersonates the Hi88 online casino brand using a typosquat/satellite domain to capture traffic intended for the real brand. (location: page.html: <link rel='canonical' href='https://hi8823.com'/> and all schema.org @id / url fields referencing hi88xx.com)
malicious redirect
All JavaScript bundle assets are loaded from a third-party domain: q7sm4r.katawee.net. These bundles (vendor.bundle.js and main.bundle.js) are fully externally controlled and can silently redirect users, harvest credentials, or execute arbitrary code in the browser with no visibility from the static HTML. (location: page.html lines: <script src='https://q7sm4r.katawee.net/system-requirement/Web.PortalNew/UK253-01/6ca1dc292f/vendor.bundle.js'> and main.bundle.js)
credential harvesting
The page title, meta description, and structured data prominently advertise login and registration flows ('Đăng Ký, Đăng Nhập Hi88 Dễ Dàng'). The actual login/register endpoints (hi88xx.com/Login, hi88xx.com/Register) are embedded in breadcrumb schema, while the page itself is hosted on hi2999.com — a pattern consistent with a credential-harvesting mirror site that intercepts user login submissions. (location: page.html lines 80-88: BreadcrumbList items for Đăng Nhập and Đăng Ký pointing to hi88xx.com/Login and hi88xx.com/Register)
hidden content
The page renders no visible content to the user — page-text.txt contains only the JsLoadingOverlay.show() call and no actual page text. All real content is deferred to externally hosted JavaScript bundles from katawee.net, meaning the true page content and functionality is completely hidden from static analysis and cannot be inspected without executing the remote scripts. (location: page-text.txt line 1; page.html <body> contains only a loading overlay and remote script tags)
phishing
The domain hi2999.com hosts a page that fully mimics the Hi88 online casino brand (same branding, Vietnamese-language copy, login/register CTAs, promotions) while the canonical URL points to hi8823.com and all structured data URLs point to hi88xx.com. This multi-domain phishing cluster is designed to deceive users into believing they are interacting with the legitimate Hi88 platform. (location: page.html: <title>, <meta name='description'>, <link rel='canonical' href='https://hi8823.com'/>, schema.org Casino @id pointing to hi88xx.com)
social engineering
The FAQ schema embedded in the page encourages users to join a Telegram channel to receive daily 'free codes' ('Hãy tham gia ngay kênh telegaram Hi88 phát code mỗi ngày'). This is a classic social engineering lure to drive victims to an attacker-controlled Telegram channel (t.me/hi88thongbao) where further exploitation, scams, or malware distribution can occur. (location: page.html lines 160-164: FAQPage schema acceptedAnswer referencing Telegram channel; sameAs field including https://t.me/hi88thongbao)
obfuscated code
The externally loaded JavaScript bundles are served from a non-transparent CDN path (q7sm4r.katawee.net/system-requirement/Web.PortalNew/UK253-01/6ca1dc292f/) with a hash-like directory component, indicating versioned or fingerprinted obfuscated bundles. The page body contains no inline logic — all behavior is opaque and controlled by these remote scripts, which is a standard obfuscation technique to evade static scanning. (location: page.html: script src attributes referencing q7sm4r.katawee.net with path containing hash 6ca1dc292f)
curl https://api.brin.sh/domain/hi2999.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
hi2999.com currently scores 39/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.