context safety score
A score of 40/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page loads content in transparent or zero-size iframe overlay
brand impersonation
The page is hosted on toto12emperor.net but clones the full UI of Ubuy (ubuy.com) — an international e-commerce platform — including Ubuy's CDN assets, scripts, payment icons, navigation structure, store-switcher, and 'TRUST ENSURED WITH' PCI DSS/ISO seals. The actual brand being promoted is TOTO12, an Indonesian online gambling site (Togel/Slot/Casino), overlaid on top of stolen Ubuy branding and infrastructure. (location: page.html — entire page structure; <head> CDN references to d3ulwu8fab47va.cloudfront.net, d2ati23fc66y9j.cloudfront.net, ubuyanalytics.ubuy.com; footer 'UBUY' section lines 841-870)
malicious redirect
All functional links (LOGIN, DAFTAR/Register, brand logo, navigation categories, 'Sign in', 'Create an Account', footer links, social media icons) point to https://assetlandingpages.xyz/dcgirlinpearls/ — an unrelated third-party domain that acts as the actual destination for all user clicks. The canonical URL and og:url also redirect to https://dcgirlinpearls.com/2021/12/trader-joes-marula-oil-review/, a hijacked blog post. Users clicking any link on the page are silently redirected away from toto12emperor.net to assetlandingpages.xyz. (location: page.html lines 362-363 (LOGIN/DAFTAR buttons), line 173 (logo href), lines 180-286 (search form action and all category links), lines 398-400 (Sign in/Create Account), line 47 (canonical), line 753-760 (sidebar DAFTAR/LOGIN buttons))
phishing
The page mimics a legitimate e-commerce product page (Ubuy) to lure users into clicking 'LOGIN' and 'DAFTAR' (Register) buttons that redirect to assetlandingpages.xyz — a likely credential-harvesting landing page for the TOTO12 gambling site. Users believe they are registering or logging into a known shopping platform when they are actually being funneled into a gambling registration flow on a third-party domain. (location: page.html lines 753-760 (DAFTAR/LOGIN buttons linking to assetlandingpages.xyz), lines 362-363 (header LOGIN/DAFTAR links))
credential harvesting
The page presents fake 'Sign in' and 'Create an Account' links styled identically to Ubuy's real auth flows, but all href values point to https://dcgirlinpearls.com/2021/12/trader-joes-marula-oil-review/ or https://assetlandingpages.xyz/dcgirlinpearls/. Any credentials entered at the destination page would be collected by the attacker-controlled domain, not a legitimate service. (location: page.html lines 398-401 (Sign in / Create an Account dropdown), lines 362-363 and 753-760 (LOGIN/DAFTAR CTA buttons))
hidden content
The og:url, canonical link, amphtml link, Twitter app URLs, Apple App Links (al:ios:url, al:android:url), and al:android:app_name ('Ubuy Global Shopping App TOTO12') all embed dcgirlinpearls.com URLs. The apple-itunes-app meta tag uses app-id=613084551 and google-play-app uses com.ubuy, falsely attributing the page to Ubuy's real app store listings. These metadata fields are invisible to users but consumed by crawlers, AI agents, and social preview engines — causing the page to appear as a legitimate Ubuy product listing in any automated context. (location: page.html lines 20, 34, 37, 39, 42, 47-52 (og:url, Twitter app URLs, App Links meta, canonical, amphtml))
social engineering
The page fabricates trust signals: (1) a fake '978,789,908' user rating count with 5 stars, (2) fake '188,162 Ulasan (reviews)', (3) 'Imported from TOTO12' label styled as a legitimate import badge, (4) PCI DSS compliance seal and ISO certified badge loaded lazily — the ISO image src actually points to photosaya.io/images/2026/02/11/done-gift-logo-toto12.gif (the TOTO12 logo), not a real ISO certificate. These fabricated signals are designed to pressure users into registering with the gambling platform. (location: page.html lines 709-711 (978,789,908 rating), line 732 (188,162 Ulasan), lines 977-990 (PCI DSS / fake ISO seal), lines 529-531 (Imported from TOTO12 badge))
prompt injection
The page title, meta description, og:title, twitter:title, and on-page H1 all contain the phrase 'Link Alternatif Resmi TOTO12 untuk Daftar & Login Cepat Tanpa Kendala' (Official Alternative Link TOTO12 for Fast Register & Login Without Obstacles). The al:android:app_name is set to 'Ubuy Global Shopping App TOTO12', and the twitter:app:country is set to 'TOTO12'. These fields are designed to inject TOTO12 branding into AI summarization pipelines, search engine snippets, and social media previews — causing AI agents crawling the page to associate Ubuy's legitimate brand with TOTO12 gambling services. (location: page.html lines 7, 12, 17, 27, 37, 44 (title/meta/og/twitter fields with injected TOTO12 brand text))
hidden content
JavaScript suppresses all browser dialog functions at page load: alert = confirm = prompt = function() {}. This prevents any browser security warnings, phishing alerts, or confirmation dialogs from appearing to the user — a common technique used on malicious pages to silently block native browser protections. (location: page.html lines 54-56 (<script> alert = confirm = prompt = function() {}))
hidden content
The 'CITIES COVERED' footer section displays gambling market names (TOTO MACAU, HONGKONG, SGP, SDY, TAIWAN, JAPAN, LIBANON, JAKARTA) — these are Indonesian lottery (Togel) market names that reveal the true purpose of the site. The link title attributes for these items contain Indonesian city names (MEDAN, JAKARTA, BEKASI, KABAN JAHE, etc.) that differ from the displayed text, obfuscating the gambling content from casual inspection. (location: page.html lines 927-942 (CITIES COVERED footer list with mismatched title/text attributes))
curl https://api.brin.sh/domain/toto12emperor.net
Common questions teams ask before deciding whether to use this domain in agent workflows.
toto12emperor.net currently scores 40/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.