Pricing

Real-time API to detect fraudulent intent

Plug desenmascara.me into your systems to stop scams before they happen: intent result, real-time feed, and actionable signals.

See JSON sample
Live feedGrowth · Enterprise

Fraud Feed (pull) for B2B integrations

Consume an incremental feed of newly flagged fraudulent domains. Detect brand impersonation and fraud intent the moment it appears — so you can block transactions, deny access, or alert your team before your users become victims.

GET/api/account/fraud-feed/
Authentication
X-API-Key: dm_••••••••••••••••

Generate keys from your dashboard. Revoke at any time.

How it works
  1. 1Call with cursor=0 to start from the beginning.
  2. 2Store next_cursor from each response.
  3. 3Poll again with that cursor to receive only new detections.
Parameters
cursorLast seen cursor (int). Start at 0.
limitItems per call, 1–200. Default: 50.
veredictsFRAUDULENT, SUSPICIOUS, LEGIT — comma-separated.
cURLrequest
curl -s \
  -H "X-API-Key: dm_••••••••••••" \
  "https://desenmascara.me/api/account/fraud-feed/\
   ?cursor=0&limit=3\
   &veredicts=FRAUDULENT,SUSPICIOUS"
Response200 OK
{
  "items": [
    {
      "cursor": 18421,
      "analyzed_at": "2026-02-19T08:14:33+00:00",
      "domain": "bbva-seguro-acceso.com",
      "veredict": "FRAUDULENT",
      "public_id": "a3f1c2d4-7e89-4b1a-9c3f-000000000001",
      "domain_ip": "185.220.●●●.●●●",
      "server_country": "RU",
      "ai_score": 87,
      "justification_ai": "Phishing site impersonating BBVA bank.
        Domain embeds the brand name with a suspicious TLD,
        no verifiable contact, self-signed SSL."
    },
    {
      "cursor": 18422,
      "analyzed_at": "2026-02-19T08:31:07+00:00",
      "domain": "onrunning-outlet.shop",
      "veredict": "FRAUDULENT",
      "public_id": "b7e9a1f3-2c04-4d5e-8f6a-000000000002",
      "domain_ip": "104.21.●●●.●●●",
      "server_country": "US",
      "ai_score": 79,
      "justification_ai": "Fake store impersonating On Running.
        Extreme discounts, .shop TLD, brand name in domain,
        no legitimate contact info."
    },
    {
      "cursor": 18423,
      "analyzed_at": "2026-02-19T09:02:55+00:00",
      "domain": "invest-france24.net",
      "veredict": "SUSPICIOUS",
      "public_id": "c5d2b8e6-3a17-4f9b-b2c1-000000000003",
      "domain_ip": "193.164.●●●.●●●",
      "server_country": "NL",
      "ai_score": 52,
      "justification_ai": "Suspected investment scam mimicking France 24.
        Financial bait language detected, domain registered
        recently, brand impersonation signal."
    }
  ],
  "next_cursor": 18423,
  "limit": 3,
  "veredicts": ["FRAUDULENT", "SUSPICIOUS"],
  "server_time": "2026-02-19T09:03:01.000000+00:00"
}
Domain verificationProfessional · Growth · Enterprise

Domain Check API

Analyze any domain and receive verdict, risk score, technical signals, and AI justification. Supports synchronous (blocking) and asynchronous (202 + polling) modes.

POST/api/v1/unmask/
Authentication
X-API-Key: dm_••••••••••••••••
Parameters (JSON body)
domain*Domain to analyze (required). E.g. "example.com"
asynctrue for async mode: returns 202 immediately, client polls until result is ready (200).
langResponse language: "es" or "en".
forcetrue to force re-analysis (bypass cache).
include_rawtrue to include raw HTML and headers in the response.
Synchronous vs asynchronous mode
Synchronous (default)

The request blocks until the full analysis is ready (10-40s depending on the domain). Ideal for scripts and pipelines where you can wait.

Asynchronous (async: true)

Returns 202 in <100ms. Analysis runs in background. Poll the same endpoint with the same domain until you receive 200 with the final result. The 202 response includes retry_after (recommended seconds between polls) and a Retry-After header.

Synchronous example (cURL)
curl -s -X POST https://desenmascara.me/api/v1/unmask/ \
  -H "X-API-Key: dm_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'
Async example (Python)
import requests, time

url = "https://desenmascara.me/api/v1/unmask/"
headers = {
    "X-API-Key": "dm_YOUR_API_KEY",
    "Content-Type": "application/json"
}

# Submit (returns 202 immediately)
r = requests.post(url, json={
    "domain": "suspicious-site.com",
    "async": True
}, headers=headers)

# Poll until result is ready
while r.status_code == 202:
    wait = r.json().get("retry_after", 5)
    time.sleep(wait)
    r = requests.post(url, json={
        "domain": "suspicious-site.com",
        "async": True
    }, headers=headers)

# r.status_code == 200
result = r.json()
print(result["verificada"])   # LEGIT | SUSPICIOUS | FRAUDULENT
print(result["analisis"]["ai_score"])  # 0-100
Actor intelligenceGrowth · Enterprise

Actor clusters

Every FRAUDULENT domain is automatically clustered with other sites from the same actor via infrastructure pivots: shared TLS certificates, IPs, VirusTotal sibling domains, and tracking IDs (GA/GTM).

GET/api/actors/{actor_id}/
FIELDanalisis.actor_cluster
Pivot sources
crt.shShared TLS certificate SANs (free, no key required)
VirusTotalSibling domains and historical IPs (requires VIRUSTOTAL_API_KEY)
GA / GTM / UATracking IDs extracted from HTML — internal cross-cluster pivot
How it works
  1. 1Every FRAUDULENT verdict with score ≥ 50 triggers the clustering task automatically.
  2. 2Related domains discovered via pivots are added to the same cluster and linked to the actor.
  3. 3The actor_cluster field appears in the analysis response when ≥ 2 domains are in the cluster.
GET /api/actors/{actor_id}/200 OK
{
  "actor_id": "d026be8207c4da34",
  "seed_domain": "bbva-seguro-acceso.com",
  "target_brand": "BBVA",
  "active_domains_count": 12,
  "related_domains": [
    "bbva-acceso-seguro.net",
    "bbva-clientes.shop",
    "bbva-login.top"
  ]
}
actor_cluster in analysis response
"actor_cluster": {
  "actor_id": "d026be8207c4da34",
  "active_domains_count": 12,
  "target_brand": "BBVA"
}
// null when cluster has ≤ 1 domain

What the API delivers

What is in production today — plus what is coming.

Intent verdict: LEGIT, SUSPICIOUS, or FRAUDULENT per domain
AI risk score 0–100 computed in real time from structured signals
Natural-language justification generated by AI (model-agnostic) per analysis
Fraud Feed API — cursor-paginated stream of fraudulent/suspicious domains
Actor Clusters API — groups domains by the same operator via shared TLS certs, IPs, and tracking IDs
Brand Signals API — which brands are being impersonated and on which domains
Global domain search across the full analyzed database
Immutable historical reports with permanent public links
Outgoing webhooks for real-time push notificationsSoon
Bulk Lookup API — CSV/batch submission (banks, telcos, ISPs)Soon
01

1) Check a suspicious domain

Query a domain to receive intent, signals, and explanation.

02

2) Search a brand or term

Get the number of fraudulent sites tied to a brand, product, or keyword.

03

3) Real-time feed

Receive live detections to block access, payments, or campaigns.

How the Risk Score works

Our system combines structured signals into a transparent, verifiable risk score (0-100).

0 – 30
Safe
No significant threats detected.
31 – 60
Suspicious
Some warning signs. Caution recommended.
61 – 100
Dangerous
High probability of fraud. Do not interact.

Signals that contribute to the score

Risk factors — increase score
  • Official financial regulator warnings (+15)
  • Cloudflare 'suspected phishing' interstitial detected (+15)
  • Redirect to a cloaking gate / fake 'human verification' that hides the scam from scanners (+15)
  • Phishing kit detected in HTML (+12)
  • Government portal impersonation (+12)
  • Brand impersonation in the domain (+8)
  • Crypto earning scheme (faucet, paid-to-click, 'earn free BTC') (+8)
  • Young domain (< 30 days old) (+6)
  • No SSL certificate or self-signed cert (+5-6)
  • Suspicious TLD (.top, .xyz, .shop, etc.) (+5)
  • IP cluster with fraudulent neighbours on a dedicated IP with a high ratio (+5-8, only when the IP is not mass-shared and another fraud signal is already present)
  • Domain registered less than 6 months ago (+2-3)
  • Short 1-year registration — common phishing pattern (+3)
  • Extreme discounts or unrealistic prices (+4)
  • Suspicious HTML signatures and fraud terms (+1-8)
  • Hidden AI agent traps — invisible instructions in HTML (+8 to +15)
  • ClickFix / fake-CAPTCHA 'paste-and-run' lure (+6 to +20)
Trust factors — decrease score
  • Domain verified/managed by known entity (-20)
  • Trusted corporate registrar (-15)
  • Verifiable contact information (-4)
  • Active social media profiles (-3)
  • Valid SSL certificate (-2)
  • Active merchant verified by Authorize.Net (-5)
  • Ecommerce certified by Trusted Shops (direct LEGIT verdict)
  • IP cluster with legitimate neighbours on a non-mass-shared IP (-3)

The score is continuously refined using user feedback data and new detections. The final verdict is always consistent with the score range.

Real responses (detected cases)

Real examples with signals, terms, and explanation. `ai_score` (0-100) is computed in real time from detected signals.

1) Domain check (fake ecommerce)
{
  "domain": "www.stylexlab.ru",
  "veredict": "FRAUDULENT",
  "ai_score": 88,
  "date": "2026-01-18T16:30:05+00:00",
  "brands": ["Shop", "gucci"],
  "signatures": ["fromCharCode"],
  "suspicious_terms": [
    "reset your password",
    "outlet",
    "sale",
    "free shipping",
    "reviews"
  ],
  "justification_ai": "The site presents red flags typical of fake online stores, including heavy use of major brand logos and urgent sale language. These factors indicate a high likelihood of a fake store fraud impersonating well-known fashion brands.",
  "screenshot_url": "https://desenmascara.me/screens/4e10bb6841f9b063.png",
  "actor_cluster": {
    "actor_id": "d026be8207c4da34",
    "active_domains_count": 12,
    "target_brand": "Shop"
  }
}
Brand impersonation (On Running)
{
  "domain": "www.onrunningsa.*****",
  "veredict": "FRAUDULENT",
  "ai_score": 91,
  "date": "2026-01-05T21:37:04+00:00",
  "brands": ["On Running", "Shop"],
  "signatures": ["script src="],
  "suspicious_terms": ["outlet", "% off"],
  "justification_ai": "The website attempts to impersonate On Running using discount bait and a suspicious registrar, which aligns with fake store tactics.",
  "screenshot_url": "https://desenmascara.me/screens/af072b94a223c1ef.png"
}
2) Brand search (results count)
{
  "query": "on running",
  "time_window": "30d",
  "results_total": 42,
  "fraudulent": 35,
  "suspicious": 7,
  "top_terms": ["outlet", "% off", "official"],
  "sample_domains": [
    "onrunningsa.*****",
    "onrunning-outlet.*****",
    "oncloud-deals.*****"
  ]
}
3) Real-time feed (investment scam)
{
  "domain": "actu-eco-franceinfo.com",
  "veredict": "FRAUDULENT",
  "ai_score": 83,
  "date": "2026-01-18T10:04:44+00:00",
  "brands": ["franceinfo"],
  "signatures": [],
  "suspicious_terms": [],
  "justification_ai": "Impersonation of a news brand with investment bait and a suspicious domain, indicating a financial scam.",
  "screenshot_url": "https://desenmascara.me/screens/fe44b8708a4dc1dc.png"
}

Real screenshots of fraudulent sites

Real-world examples detected by the system.

Fake ecommerce store example
Fake store with aggressive discounts
Brand impersonation example
Sports brand impersonation
Investment scam example
Fake investment bait
Crypto investment scam example
Crypto investment scam with brand impersonation
Investment platform scam example
Fraudulent investment platform
Retail impersonation example
Retail impersonation (Lidl)

API FAQs

Both. If the domain is already in our database, you get the available result. If it is new or you send force=true, the API triggers a fresh analysis and returns it either synchronously or asynchronously depending on the mode.

The Domain Check API analyzes one domain on demand. The Fraud Feed API delivers an incremental stream of domains already flagged as FRAUDULENT or SUSPICIOUS for blocking, monitoring, and threat-intel workflows.

Responses can include ai_score, a natural-language justification, technical signals, impersonated brands when applicable, evidence from the analysis, and sometimes actor_cluster data that links related domains.

If you send async=true, the endpoint returns 202 almost immediately and tells you when to poll again. You keep polling the same domain until you receive a 200 response with the final result.

Ready to integrate?

The API is available on Growth and Enterprise plans. Start with a 2‑week pilot.