context safety score
A score of 35/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
phishing
Site impersonates a 'Free Fire Beta Server' verification flow, prompting users to submit their Account ID under the guise of 'Verify Astutech Server Account'. This is a classic lure targeting Free Fire (Garena) game players with a fake beta access promise to harvest account identifiers. (location: page.html:8-9, page.html:46 (title, meta description, TXT.title))
credential harvesting
The page collects a user-supplied numeric Account ID (step1 input, id='acctInput') and optionally Discord OAuth login credentials. Combined with a backend key generation flow, this is a credential harvesting mechanism targeting Free Fire account IDs and Discord identities. (location: page.html:162-174 (step1 div, acctInput field), page.html:136-142 (btnDiscord OAuth))
brand impersonation
The site impersonates Garena Free Fire by referencing 'Free Fire Beta Server' and 'Astutech' (a known third-party Free Fire tools brand) in the page title, meta description, and UI text. It falsely implies official or affiliated beta server access to lend legitimacy. (location: page.html:8 (title: 'Verify Astutech Server Account | Free Fire Beta Server'), page.html:9 (meta description))
brand impersonation
Discord branding (official SVG logo path, 'Sign in with Discord' button) is used to create trust and encourage OAuth login, potentially harvesting Discord session tokens or account access under a fake third-party application context. (location: page.html:136-142 (btnDiscord with Discord SVG logo and txtLogin span))
hidden content
All primary scripts are loaded with a non-standard type attribute 'db8c4ef7e5e1d73ba405a0df-text/javascript' instead of 'text/javascript'. This prevents browsers from executing them directly; a Cloudflare Rocket Loader script is used to re-enable them. This technique obscures script behavior from static scanners and security tools, hiding the true execution flow. (location: page.html:19, 39, 96, 197, 224, 225, 226, 228 (all script tags with obfuscated type attribute))
obfuscated code
A hidden 1x1 invisible iframe is dynamically injected into the DOM via inline script, which then injects a further script element with encoded Cloudflare challenge parameters (base64: 'MTc3MjYzNDE3NA=='). This pattern is used to bypass CSP, fingerprint users, or load additional payloads in a hidden context. (location: page.html:242 (inline IIFE: iframe height=1, width=1, visibility=hidden, injecting CF challenge script))
malicious redirect
Third-party ad script loaded from 'pincersmidnight.com' — a known aggressive ad/redirect network domain — is embedded twice on the page with different ad keys. This network is associated with forced redirects, malvertising, and pop-under ads that can send users to phishing or malware pages. (location: page.html:105 (pincersmidnight.com/9516bb6fc44a24d66a3960f9f9de6164/invoke.js), page.html:206 (pincersmidnight.com/fd34874948aa87bdd99e5c1728b90415/invoke.js))
malicious redirect
An additional third-party tracking/ad script is loaded from 'quge5.com' with a data-zone parameter. This domain is associated with ad fraud and redirect chains, and loads asynchronously without user consent notice. (location: page.html:18 (script src='https://quge5.com/88/tag.min.js' data-zone='192578'))
social engineering
The page uses urgency, reward framing, and fear-of-loss tactics: badges showing time-limited access ('2 hours', '3 hours'), messages about permanent bans for misuse, and a hint that Discord login grants bonus time. These are classic social engineering pressure tactics to compel users to authenticate quickly without scrutiny. (location: page.html:46 (TXT object: badge_normal='2 hours', badge_premium='3 hours', hint_step3='Misuse leads to a permanent ban', hint_step2='Discord login gives you +1 extra hour'))
social engineering
The claim '100% free — never sold anywhere' in hint_step1 is a deceptive trust signal designed to lower user guard against a site that simultaneously runs ad monetization scripts and harvests account IDs, contradicting the stated premise. (location: page.html:46 (TXT.hint_step1: '100% free — never sold anywhere'))
hidden content
A Service Worker is registered at '/sw.js' with root scope. Service workers can intercept all network requests, cache and modify responses, and persist malicious behavior even after the user leaves the page. Registration is hidden inside an obfuscated script block. (location: page.html:20-22 (navigator.serviceWorker.register('/sw.js', {scope: '/'})))
obfuscated code
The main application JavaScript is loaded from a timestamped, non-descriptive path '/stuffs/js/1769938203.js'. This obfuscated filename pattern is used to prevent analysis of the core logic that handles account ID submission, key generation, and backend communication. (location: page.html:17, page.html:226 (preload and script src for /stuffs/js/1769938203.js))
curl https://api.brin.sh/domain/unlockffbeta.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
unlockffbeta.com currently scores 35/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.