How Unphurl works

Six checks are run on every link, whether it looks safe or not.

This is what Unphurl checks

Known scam sites

If a site has been used to steal from people before, it's on a list. Unphurl checks four of those lists the moment you send a link. Not old data, live.

  • ScamSniffer: 346,000+ known scam and phishing sites
  • MetaMask: 108,000+ sites flagged by the MetaMask security team
  • OpenPhish: actively live phishing sites, updated twice daily
  • URLhaus: sites currently distributing malicious software

Fake brand sites

Scammers build sites that look exactly like ones you trust: same logo, same layout, almost the same address. Unphurl spots the difference, even when your eyes can't.

  • paypa1.com (that's a 1, not an l), metamask-secure.io, uniswap-app.com. Unphurl catches these.
  • Lookalike letters from other alphabets designed to fool you at a glance
  • Suspicious website endings (.xyz, .io, .app) on sites pretending to be well-known brands
  • Links using a raw number address instead of a real domain name
  • Links where the real address is scrambled to hide where they're going

How new the domain is

Freshly registered domains are a red flag. Most scam sites go live within hours of an attack. Unphurl checks when the domain was registered.

  • When the domain was registered. Many scam sites are under 7 days old.
  • When it expires. Sites expiring in days are often abandoned right after an attack.
  • Whether it's a placeholder page pretending to be a real site.

Where it's hosted

Some hosting companies exist specifically to keep scam sites online and ignore complaints. Unphurl checks whether the site is running on one of them.

  • Whether the hosting company is on a known list of providers that ignore abuse reports
  • Whether the server address has been flagged for previous scam activity

Where the link actually goes

Some links don't take you where they say they will. Tap one link, get passed through two or three others, end up somewhere completely different. Unphurl follows every step until it finds where you'd actually land.

  • Follows the link through up to 10 steps to find the real destination
  • Checks that each step along the way is legitimate, not just the first one
  • Catches links that use hidden techniques to disguise where they're going
  • Flags suspicious destination changes mid-chain (e.g. starts as a .com, ends at a .xyz)

Missing setup

Real websites take time to set up properly. Scam sites are thrown together fast and skip steps. Unphurl checks for those missing steps: things invisible to you but reliable signs something is wrong.

  • Whether the domain has basic email setup. Scam sites usually don't bother.
  • Whether standard security records are in place. Real sites have them. Fresh scam sites almost never do.

Facts, not verdicts

Unphurl tells you what it found: domain registered 3 days ago, found on a known scam list, security certificate doesn't check out. You decide what to do with that.

Unphurl doesn't block anything. It doesn't tell you not to click. It tells you the facts, and you make the call. That's intentional: Unphurl reports what it found, not what you should do, and responsible tools reflect that.

Paste any link into @Unphurl_bot. Unphurl returns a report in seconds. No commands needed to check a link.

Now you know what runs on every check.

Try it on any link. Add @Unphurl_bot to Telegram. Free to start, no credit card.

Add the @Unphurl_bot to Telegram