context safety score
A score of 27/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
hidden instruction
high hidden content ratio detected in DOM
encoded payload
suspicious base64-like blobs detected in page content
brand impersonation
Site is hosted at mexc.co — a lookalike domain impersonating the legitimate MEXC cryptocurrency exchange (mexc.com). The .co TLD is a common typosquatting/impersonation vector. The site renders full MEXC branding, UI, and content while operating from an unofficial domain not listed among the canonical hreflang alternates (which all point to mexc.com or mexc.fm). (location: domain: mexc.co vs legitimate mexc.com)
malicious redirect
Inline JavaScript on page load inspects referrer and URL parameters (gclid, msclkid, yclid, invitecode, sharecode). If traffic originates from a search engine (Google, Bing, Yandex) with ad-click tracking IDs and a non-MEXC invite/share code, the script silently redirects to https://www.mexc.com/. This conditional redirect cloaks the impersonation site from search engine crawlers and security scanners arriving via ad traffic, while serving the fake site to organic/direct visitors — a classic cloaking technique. (location: page.html lines 38-75, window.location.href redirect to https://www.mexc.com/)
credential harvesting
The site fully replicates the MEXC login/registration interface (remote-login-register-modal component loaded dynamically) on a non-official domain (mexc.co). Users entering credentials (email, password, 2FA codes) on this impersonation site would be submitting them to infrastructure controlled by the site operator, not the legitimate MEXC exchange. (location: page.html line 103, remote-login-register-modal component; page-text.txt Sign Up / login flows)
phishing
The mexc.co domain presents a pixel-perfect clone of the MEXC exchange homepage including branding, trading UI, bonus offers ($10,000 New User Bonus), and sign-up CTAs. This is a fully-functional phishing site designed to deceive users into believing they are interacting with the legitimate MEXC exchange at mexc.com. (location: page-text.txt lines 1-3; page.html full document)
social engineering
Aggressive urgency-based lures are used to pressure users into registering: '$10,000 New User Bonus Ends in 48:00:00', 'Sign Up & Get 10,000 USDT', 'Earn up to 600% APR'. These fabricated incentives are designed to override rational caution and drive rapid credential submission on the impersonation site. (location: page-text.txt lines 1-2)
hidden content
Two zero-dimension hidden iframes load Google Tag Manager containers (GTM-WX9LQSVW and GTM-MJQKJST) with display:none;visibility:hidden. While GTM itself is a legitimate analytics tool, its use on an impersonation domain enables invisible tracking of visitor behavior, session data, and potentially exfiltration of form input events without user awareness. (location: page-text.txt line 1: iframes src googletagmanager.com GTM-WX9LQSVW and GTM-MJQKJST)
curl https://api.brin.sh/domain/mexc.coCommon questions teams ask before deciding whether to use this domain in agent workflows.
mexc.co currently scores 27/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.