context safety score
A score of 25/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
hidden instruction
high hidden content ratio detected in DOM
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
The page is served on khelo24match360.com but canonical URL, og:url, sign-up/OTP API endpoints, navigation links, and Terms & Conditions all point to khelo24match777.com. User registration data (username, email, password, mobile) is POSTed to https://khelo24match777.com/sign-up — a different domain than the one being visited. This cross-domain credential submission pattern is characteristic of a clone-site credential harvesting operation. (location: page.html lines 7, 11, 385-388; og:url meta tag; sign-up AJAX POST)
credential harvesting
The login form POSTs credentials (email/username + password) to /api2/login on the current domain, while OTP login sends phone numbers and OTPs to https://khelo24match777.com/api2/sendLoginOtp. Registration credentials (username, email, password, mobile number) are submitted to https://khelo24match777.com/sign-up. The domain visited (khelo24match360.com) is a clone that funnels user credentials to a separate backend domain. (location: page.html lines 385-388, 1206; JavaScript login handler at line 1118-1131)
brand impersonation
The site presents itself as 'Khelo24match' using the same brand name, logo assets, and visual identity as khelo24match777.com, but operates from the distinct domain khelo24match360.com (239 days old). The JavaScript variable 'cloneDomain' is explicitly set to '1', confirming this is a programmatic clone. The OG site_name is 'khelo24match' and canonical points to khelo24match777.com, indicating deliberate impersonation of the parent brand on a shadow domain. (location: page.html lines 7-11, 133-135; metadata.json domain field)
malicious redirect
After successful login, the JavaScript redirects users to /authenticate?client=affiliate&method=link&user=Xhsdksaaa1772629623&token=1772629623 — an affiliate tracking redirect that tags the authenticated session with hardcoded affiliate credentials. This hijacks the user's login to credit an affiliate account without user knowledge or consent. (location: page.html line 1131; page-text.txt line 1048-1050)
hidden content
Multiple login, registration, and password-reset popups are rendered with style='display:none' in the DOM and are fully functional but invisible until triggered by JavaScript. The page-hidden.txt file confirms extensive hidden form content including full login, OTP verification, registration, and password-reset flows — all hidden from normal view but present and operational in the DOM. (location: page.html lines 155, 245, 954; page-hidden.txt lines 1-848)
social engineering
The app download popup fires automatically on page load (openDownloadAppPopup() called in $(document).ready) and displays fabricated social proof: six player profiles each showing large 'Bonus Claimed' amounts (₹8,000–₹15,300) with generic player images, designed to pressure users into downloading the app and registering with urgency. (location: page.html lines 1862-1866, 1704-1763)
social engineering
The site displays a scrolling ticker of fabricated winning records attributed to anonymized usernames (e.g., 'VEN****11 INR 5655.73', 'SHR****11 INR 35637.16') with game names and timestamps, creating false impression of active winning users to manipulate visitors into registering and depositing money. (location: page-text.txt lines 2872-3205)
hidden content
An invisible H1 element with class 'foeSEO' and style='display:none' is present at the top of the body. While currently empty, this pattern is commonly used for SEO cloaking — serving hidden keyword-stuffed content to search crawlers while hiding it from human users. (location: page.html line 85)
curl https://api.brin.sh/domain/khelo24match360.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
khelo24match360.com currently scores 25/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.