context safety score
A score of 36/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
obfuscated code
Two identical large obfuscated JavaScript blocks appear on the page (in the header and body). Each uses a multi-stage decode pipeline: URI-decode a long encoded string, apply a Caesar-cipher-like character rotation keyed on position index, then split the result into segments by an offset table and reconstruct URLs and function names at runtime. The true targets (ad network endpoints, tracking beacons, or redirect destinations) are fully concealed until execution. This pattern is characteristic of malvertising loaders and drive-by-download frameworks. (location: page.html:452 and page.html:907 (<script data-cfasync="false">!function(){"use strict";for(var n=decodeURI(...)))
malicious redirect
A third-party ad/tracking script 'blackhole.js' is loaded from turbostats.xyz and immediately initialised with a token ('WnGtc9Ubxccy73Wz') and an API endpoint ('https://turbostats.xyz/pAPI'). 'Blackhole' is a known traffic-interception and redirect tool used in malvertising campaigns to silently redirect visitors to exploit kits, scam pages, or credential-harvesting sites based on browser fingerprint and geo-targeting. (location: page.html:8-9 (<script src="https://turbostats.xyz/blackhole.js"> and new Blackhole(...).init()))
malicious redirect
A third-party JavaScript SDK is loaded from jpg6.su (jpg6.su/sdk/pup-sc.js) with data-url pointing to jpg6.su/upload. jpg6.su is an image/file hosting domain with no obvious legitimate affiliation to the site. Loading an external SDK with upload capabilities from an unrelated domain poses a supply-chain risk and can be used to exfiltrate user data or inject further malicious payloads. (location: page.html:4 (<script async src="https://jpg6.su/sdk/pup-sc.js?7" data-url="https://jpg6.su/upload">))
malicious redirect
Multiple prominent navigation links and a dismissible promotional banner redirect users to the external tracking/affiliate domain tt.culinar9sync.com. The URLs follow the pattern of affiliate redirect trackers or malvertising click-funnels (e.g. /685c07c5ddb784ecaf8c168b, /67f3bce0af944b650e25c3de). These opaque identifiers obscure the final destination and are commonly used to route traffic through chains of redirectors before landing on scam, phishing, or adult-subscription-fraud pages. (location: page.html:387-393 (promo banner onclick), page.html:614-618 (nav 'AI PORN'), page.html:636-640 (nav 'AI Jerk Off'), page.html:658-662 (nav 'Premium'))
social engineering
A full-width dismissible promotional banner with the text 'AI Porn is here, Create and Fap' and a 'Try Free 🔞' call-to-action button is injected at the top of the page. Both the title and the button open a popup to tt.culinar9sync.com. This is a classic dark-pattern social engineering technique designed to pressure users (especially on mobile) into clicking before they can consume site content, driving them to potentially fraudulent or subscription-trap adult services. (location: page.html:370-394 (.prm-wrapper block and associated JavaScript))
social engineering
Several forum link-nodes use manipulative, high-pressure language to coerce clicks toward external services: 'You Won't Last 5 Minutes', 'Those AI sluts are dirty as FUCK', 'Create Your AI Cum Slut', 'Generate your AI Trash Whore'. This language is designed to override rational decision-making and drive impulsive clicks to affiliate or subscription-fraud destinations. (location: page.html:1146-1149, 1263-1266 (node descriptions for link-forum nodes 128 and 125))
hidden content
Avatar images and some user-generated content assets are loaded from http://simp6.selti-delivery.ru (plain HTTP, not HTTPS) rather than the site's own origin. Mixed-content HTTP resources on an HTTPS page can be intercepted by a network attacker to inject malicious content, and the selti-delivery.ru domain has no verifiable affiliation with simpcity.cr, suggesting a third-party CDN of unknown trustworthiness. (location: page.html:1099, 1853, 1984, 2091, 2198, 2305, 2412 (img src="http://simp6.selti-delivery.ru/..."))
obfuscated code
A ClickAdu ad network script (//adv.clickadu.net/on.js and //adv1.clickadu.net/bn.js) is loaded with onerror/onload callbacks that invoke obfuscated function names ('wrkuwxv' and 'rbefro') defined inside the large obfuscated blocks. This ties the ad network load to the obfuscated payload execution, meaning the obfuscated code runs in response to ad-script events and can be used to conditionally deploy redirects or exploits. (location: page.html:453 and page.html:908 (<script data-cfasync="false" ... src="//adv.clickadu.net/on.js" onerror="wrkuwxv(15)" onload="wrkuwxv(15)">))
curl https://api.brin.sh/domain/simpcity.crCommon questions teams ask before deciding whether to use this domain in agent workflows.
simpcity.cr currently scores 36/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.