context safety score
A score of 37/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
script/meta redirect patterns detected in page source
brand impersonation
The site operates as 'The RarBg' (therarbg.to), directly impersonating the now-defunct RARBG torrent site (rarbg.com/rarbg.to) which shut down in May 2023. It reuses the RARBG brand identity, logo (therarbg.svg, rbg.png), name, and category structure to attract users who trusted the original site, exploiting that brand recognition for traffic and ad revenue. (location: page.html:<title>, <img src='/static/rarbg/image/therarbg.svg'>, footer '© 2025 The RarBg')
malicious redirect
A third-party JavaScript file is loaded from the unrecognized external domain 'finestmortifyfertility.com' — a suspicious, randomly-named domain with no apparent legitimate purpose. This is a classic malvertising/malicious script injection vector that could perform drive-by downloads, credential harvesting, redirects, or ad fraud. It is loaded synchronously in the <head>, giving it full DOM access before page render. (location: page.html:49 — <script type='text/javascript' src='//finestmortifyfertility.com/6c/1f/3c/6c1f3c85c99e62eb028505b3f6b22cd4.js'>)
hidden content
A Cloudflare challenge-platform script is injected via a hidden 1x1 pixel iframe (position absolute, visibility hidden, border none) that dynamically creates and appends script tags to load '/cdn-cgi/challenge-platform/scripts/jsd/main.js'. While Cloudflare bot-challenge scripts are common, the obfuscated self-executing IIFE pattern with a hidden iframe is used here in a way that obscures execution from casual inspection. (location: page.html:220 — inline <script> IIFE injecting hidden iframe and dynamic script)
social engineering
The site distributes cracked, patched, and pre-activated commercial software (CorelDRAW, IDM, Topaz Photo Pro, PowerISO, TreeSize Professional, Blue Iris) under the 'Apps' category. These 'crack', 'keygen', 'patch', and 'pre-activated' torrents are social engineering lures that entice users into downloading software that commonly bundles malware, ransomware, or RATs. (location: page.html:4531-4902 — Apps torrent listings including 'CracksHash', 'haxNode', 'AppDoze' crack releases)
social engineering
The footer contains an Ethereum donation address (0x5C8Ba662A48811B52D8A24074569A10B03245bf9), soliciting cryptocurrency from users under the guise of supporting a community torrent site. This is a common technique used by piracy/scam sites to collect funds anonymously while maintaining plausible deniability. (location: page.html:5011 — 'Donation ETH Address: 0x5C8Ba662A48811B52D8A24074569A10B03245bf9')
malicious redirect
The footer links to two external third-party proxy sites: 'https://technoxyz.com/rarbg-proxy-unblock' and 'https://thepiratebayproxy.github.io/' — neither of which is controlled by the site operator. These proxy aggregator pages are commonly used to redirect users to additional piracy infrastructure, phishing pages, or malvertising networks. (location: page.html:4972-4987 — footer links to technoxyz.com and thepiratebayproxy.github.io)
hidden content
A Tor/onion address is embedded in the page header as an HTTP meta tag ('onion-location'), advertising a dark web mirror at 'http://therarbgscpvql6p2e3upz7xyqb4ornupyznim5rlriycjfvcwnz7ayd.onion'. This silently redirects Tor Browser users to the onion version of the site without user awareness or consent. (location: page.html:36 — <meta http-equiv='onion-location' content='http://therarbgscpvql6p2e3upz7xyqb4ornupyznim5rlriycjfvcwnz7ayd.onion'>)
curl https://api.brin.sh/domain/therarbg.toCommon questions teams ask before deciding whether to use this domain in agent workflows.
therarbg.to currently scores 37/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.