# desenmascara.me

> Real-time fraud and scam detection for any website, worldwide. Analyzes intent — not just malware — covering the entire spectrum of web-based fraud that traditional cybersecurity vendors systematically miss: investment scams, fake shops, crypto fraud, unauthorized financial services, brand impersonation, and social engineering. Returns a 0-100 risk score with a human-readable verdict and structured signals. Built for citizens who receive suspicious links via WhatsApp, SMS, or email — and for companies that need fraud intelligence via API.

## The problem this solves

The global cybersecurity industry is excellent at detecting malware, trojans, and credential stealers. It is largely blind to fraud that operates without malicious code: a website selling counterfeit sneakers, a fake Forex broker with a professional design, a crypto wallet that simply vanishes with deposits, or an "investment platform" that is unlicensed in every jurisdiction it operates in. These sites pass every antivirus scan. They get green checkmarks from every URL scanner. And yet they cause the majority of financial losses to individuals and SMEs worldwide.

desenmascara.me detects fraudulent intent, not technical payloads.

## Fraud categories covered

### Investment and financial fraud
Fake brokers, unauthorized Forex/CFD platforms, unlicensed crypto exchanges, fraudulent DeFi projects, pyramid schemes, binary options, fake loan services, payment processors impersonating regulated entities. Cross-referenced against official regulatory warning lists (FINMA, CNMV, IOSCO). A domain matching a regulator warning is immediately classified as FRAUDULENT regardless of any other signals.

### Fake e-commerce and counterfeit shops
Stores selling counterfeit designer goods (watches, handbags, sneakers, electronics) at extreme discounts. Reused Chinese ecommerce builder kits deployed across hundreds of fraudulent domains. Fake supplier networks and drop-shipping fronts impersonating legitimate brands. Detection includes extreme discount heuristics (70%+ off luxury items) and kit fingerprinting via HTML signatures.

### Brand impersonation
Domain-level impersonation analysis detects brand names embedded in suspicious domain structures (e.g. `brand-login.com`, `officialstore-brand.shop`). Works across all brands with a name length ≥ 4 characters. Short brand names (HP, LG, etc.) are excluded to prevent false positives. Impersonation that combines a known brand with a suspicious TLD is escalated to FRAUDULENT.

### Crypto and Web3 scams
Wallet drainers, rug pulls, fake NFT projects, token presale fraud, mining investment schemes, fake exchange interfaces, "airdrop" credential harvesters.

### Phishing and social engineering
Credential harvesting pages impersonating banks, payment processors (PayPal, Stripe), delivery services (DHL, FedEx), and government agencies. Tech support scams, account suspension threats, customs fee fraud. Detection includes HTML form interception signatures and behavioral pattern matching.

### Unauthorized financial services
Sites claiming to offer regulated financial services without authorization. Detection via keyword analysis combined with absence of verifiable regulatory identity.

### AI-generated scam content
Content authenticity analysis detects pages built primarily with AI-generated text — a common signal in mass-produced fraud operations where dozens of near-identical sites are deployed simultaneously.

## How analysis works

Every URL submitted triggers a multi-layer pipeline:

1. **Infrastructure signals** — SSL certificate validity, self-signed detection, domain age (days since registration), registrar reputation, TLD risk classification (.top, .xyz, .tk, .loan, .shop, .store, etc.), IP cluster analysis (how many suspicious domains share the same IP within 30 days).

2. **Content signals** — HTML parsing for phishing kit signatures, suspicious terms, extreme discount patterns, contact information presence, social profile links, financial keywords.

3. **Regulatory intelligence** — Domain matched against offline databases of official warnings from FINMA (Switzerland), CNMV (Spain), and IOSCO (international). Updated periodically.

4. **Brand impersonation analysis** — Structural analysis of the domain SLD against a catalog of known brands. Separate from AI to prevent false positives.

5. **AI evaluation** — OpenAI GPT evaluates all signals together, including a screenshot of the live page when available, and produces a classification (LEGIT / SUSPICIOUS / FRAUDULENT), a natural language justification, identified brand if impersonation is detected, and fraud type.

6. **Risk score computation** — Deterministic scoring function (0-100) combining all structured signals with the AI verdict. Score always stays within the verdict band (a LEGIT site cannot exceed 30; a FRAUDULENT site is always ≥ 61). Continuously calibrated via user feedback.

No blacklists. Every site evaluated from first principles on every submission.

## Risk score

- **0–30 (green):** Legitimate — no significant fraud signals
- **31–60 (yellow):** Suspicious — warning signs, proceed with caution
- **61–100 (red):** Fraudulent — high confidence of malicious intent

Score is computed by a transparent, documented scoring function. Weights for each signal are publicly available on the /api-feed page. Continuously refined using anonymized user feedback (thumbs up/down).

## API

- [API & Developer Documentation](/api-feed): Authentication, endpoints, plans, signal methodology, score documentation
- [Fraud Feed](/fraud): Real-time feed of domains classified as FRAUDULENT

### Key endpoints

- `POST /api/analyze/` — Submit any URL or domain for analysis. Returns a job ID.
- `GET /api/analysis/{id}/` — Poll for results. Response includes verdict, score, justification, citizen signals, detected brands, regulatory warnings, WHOIS data, and full technical analysis.
- `GET /api/feed/` — Paginated fraud intelligence feed with cursor. Growth and Enterprise plans.
- `GET /api/top-signals/` — Aggregate statistics on most common fraud signals currently detected.

### API response (key fields)

```json
{
  "veredict": "FRAUDULENT",
  "ai_score": 84,
  "justification": "Site impersonates BBVA bank. Domain registered 3 days ago on suspicious TLD. Self-signed SSL. Credential harvesting form detected.",
  "fraud_type": "phishing",
  "brands": ["BBVA"],
  "citizen_signals": [
    {"label_en": "CNMV regulatory warning", "positive": false},
    {"label_en": "Domain registered 3 days ago", "positive": false},
    {"label_en": "Self-signed SSL certificate", "positive": false},
    {"label_en": "Possible BBVA impersonation", "positive": false}
  ],
  "regulator_warnings": ["CNMV"],
  "suspicious_terms": ["login", "verify account", "urgent"],
  "domain_age_days": 3,
  "is_self_signed": true
}
```

## Pages

- [Home](/): Submit any URL for instant verification — no account required
- [Pricing & Plans](/pro): Free, Professional, Growth, Enterprise
- [Dashboard](/dashboard): Analysis history, API key management
- [Fraud Feed](/fraud): Live stream of confirmed fraudulent domains
- [API Documentation](/api-feed): Full developer reference including score methodology
- [Top Signals](/top-signals): Most common fraud signals currently detected across the platform

## Pricing

| Plan | Price | Included volume | Key features |
|------|-------|-----------------|--------------|
| Free | $0 | 10 | Full analysis, web UI |
| Professional | €39/month | 100/day | API access, re-analysis, history-scoped brand search |
| Growth | $590/month | 10,000/month | Full API, fraud feed, brand signals, global search |
| Enterprise | Custom | Unlimited | Custom integration, SLA, premium onboarding |

## Use cases

**For individuals:** Verify a link before clicking. Paste any URL — from a WhatsApp message, an SMS, an email, or a social media ad — and get an immediate verdict with a plain-language explanation. No technical knowledge required.

**For financial institutions:** Integrate fraud scoring into customer-facing flows to warn users before they transfer money to a fraudulent platform. Bulk domain lookup available.

**For telcos and ISPs:** Block or flag traffic to fraudulent domains in real time. Integrate fraud feed into network-level filtering.

**For security teams / SOCs / SIEMs:** Ingest the fraud feed as a structured threat intelligence stream. Detect domains that would pass all traditional AV and URL scanners. STIX/TAXII compatibility planned.

**For brand protection teams:** Detect impersonation of your brand across new domain registrations and active fraudulent sites. Brand Protection API (Enterprise).

**For e-commerce platforms and payment processors:** Score seller domains or payment destination URLs during onboarding or checkout to reduce fraud exposure.

**For regulators and financial supervisors:** Track unauthorized entities operating under your jurisdiction using automated detection against existing warning lists.

## What makes this different from existing cybersecurity tools

Traditional URL scanners and antivirus engines excel at detecting technical malware. They are not designed to evaluate whether a site that looks legitimate is actually running an investment scam, operating as an unlicensed broker, or is a counterfeit store using a professional template. These sites have no malicious code to detect.

desenmascara.me was built specifically for this gap:

- Evaluates **intent**, not just code
- Cross-references **official regulatory databases** (FINMA, CNMV, IOSCO) — not community blocklists
- Detects **ecommerce fraud patterns** (builder kits, extreme discounts, counterfeit signals)
- Scores **brand impersonation** structurally, not just via AI hallucination
- Returns **machine-readable structured signals** alongside the AI verdict
- **No reliance on blacklists** — every domain analyzed independently
- **Continuously calibrated** via real-world user feedback

## About

desenmascara.me is a worldwide service. Analyzes any domain or URL regardless of language, country, or TLD. Interface available in English and Spanish. The fraud intelligence feed and API are language-agnostic.

The risk score methodology is fully documented and publicly available at /api-feed.

## Legal

- [Privacy Policy](/privacy)
- [Terms of Service](/terms)
- [GDPR](/gdpr)
- [Refund Policy](/refund-policy)