context safety score
A score of 32/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
cloaking
Page loads content in transparent or zero-size iframe overlay
brand impersonation
The page is hosted on toto12imperial.com (105 days old) but clones the full UI, CSS, scripts, and assets of Ubuy (ubuy.com / ubuy.com.kh), a legitimate international e-commerce platform. Ubuy branding, Ubuy CDN assets (d3ulwu8fab47va.cloudfront.net, d24epxax9d77vm.cloudfront.net, d2ati23fc66y9j.cloudfront.net), ubuyanalytics.ubuy.com tracking scripts, Ubuy payment logos (PayPal, Visa, Mastercard), and Ubuy footer links ('Ubuy Membership', 'Ubuy Warranty', 'About Ucredit') are all present while the site actually promotes TOTO12 online gambling. (location: page.html:entire page, head/body assets, footer)
malicious redirect
Every navigational link on the page — logo, navbar brand, all category dropdown items, search form action, store-switcher items, 'Sign in', 'Create an Account', footer quick links, social media links, and JavaScript AJAX calls — point to https://crackhomes.com/idm-serial-number-crack/ (a cracked-software distribution site) instead of any legitimate destination. LOGIN and DAFTAR (register) CTA buttons redirect to https://assetlandingpages.xyz/crackhomes/, a third-party landing page. The canonical tag and og:url also canonicalize to crackhomes.com/idm-serial-number-crack/. (location: page.html:lines 20,34,37,39,42,47,52,173,180,191-285,321-330,362-363,398-399,816-955,1011-1035)
phishing
The page presents itself as a legitimate 'Situs Resmi' (official site) for TOTO12 online gambling/lottery, soliciting user registration (DAFTAR) and login (LOGIN) credentials. All credential-capture buttons redirect to assetlandingpages.xyz/crackhomes/, a suspicious third-party landing page not affiliated with any official entity. The domain is only 105 days old, consistent with a short-lived phishing infrastructure. (location: page.html:lines 362-363, 761-768; page-text.txt:lines 265-266, 646-652)
social engineering
The page uses fabricated social proof to pressure users into registering: a fake 4.9-star rating, a grossly inflated review count of 927,554,221, and a fake item ID (188.599.370). A warning note ('Pastikan Anda menggunakan akses daftar dan login resmi TOTO12 agar terhindar dari link palsu') exploits fear of fake links to drive users toward the attacker's own redirect link (assetlandingpages.xyz). Promotional language promises financial rewards and 'kejutan' (surprises) to entice engagement. (location: page.html:lines 528-529, 686-688, 718; page-text.txt:lines 573, 602-604)
hidden content
JavaScript suppresses all native browser dialog functions at page load: `alert = confirm = prompt = function() {};`. This disables browser security dialogs and prevents users from seeing any native confirmation prompts, masking potentially dangerous actions such as redirects or data submissions. Additionally, a hidden zero-dimension GTM noscript iframe is embedded: height=0, width=0, display:none, visibility:hidden. (location: page.html:lines 54-56, 124)
brand impersonation
Open Graph and Twitter Card metadata, App Link metadata, and canonical tags all reference Ubuy app store IDs (613084551 / com.ubuy) and impersonate the 'Ubuy: International Shopping' and 'Ubuy Global Shopping App' apps on iOS and Google Play. The al:ios:app_name is explicitly set to 'Ubuy: International Shopping' while the page content promotes TOTO12 gambling. (location: page.html:lines 33-44, 50-51)
malicious redirect
The amphtml alternate link points to https://assetlandingpages.xyz/crackhomes/, directing AMP crawlers and agents that follow amphtml links to a third-party malicious landing page rather than a legitimate AMP version of the content. (location: page.html:line 48)
social engineering
The footer section header is labeled 'KEYWORDS COVERED' and lists gambling SEO keywords (TOTO12, TOTO TOGEL, SITUS TOGEL, BANDAR TOGEL ONLINE, etc.) as navigational links, all pointing to crackhomes.com. This is a deliberate SEO poisoning technique embedding keyword-stuffed links to manipulate search engine rankings and drive organic traffic to the redirect chain. (location: page.html:lines 935-952; page-text.txt:lines 795-808)
curl https://api.brin.sh/domain/toto12imperial.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
toto12imperial.com currently scores 32/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.