If you believe this site contains malicious, phishing, or scam content — you can report it:
You can also report to the domain registrar and hosting provider
The scanner sends 4 HTTP request chains to the target and compares responses. Each chain targets a specific Keitaro behavior documented in official docs:
Each response is analyzed through 7 independent evidence checks. If ≥2 checks pass — Keitaro is confirmed.
Each evidence check is PASS or FAIL. The verdict is determined by the number of passed checks:
Two or more independent evidence checks must pass to confirm Keitaro TDS presence, reducing false positives.
Cloaking (content masking) is a technique where the server delivers different content based on the visitor type. TDS systems like Keitaro use this to show a clean page to search engine bots, moderators, and security scanners, while redirecting real users to a phishing page, scam offer, or malware download.
The scanner requests the same URL using 27 different profiles, divided into three groups:
For each profile, the response is compared against the baseline (standard Chrome request) by checking HTTP status code, response body size, final URL, Content-Type, and number of redirects. If any of these differ — the profile is marked as DIFF.
Requires Cloudflare Worker to function — CORS proxy cannot set custom User-Agent and Referer headers.
The scanner traces the full HTTP redirect chain from the initial request to the final destination and visualizes each hop as a timeline. Each step shows the HTTP status code, domain, and URL path.
External domain detection: if a redirect leads to a domain with a different root (e.g. example.com → scam-site.net), it is flagged with an EXTERNAL badge. External redirects are a common indicator of:
Note: not all external redirects are malicious. Legitimate CDN redirects, login flows, and domain migrations also produce external hops. Always correlate with other evidence.
For each scanned domain, the tool collects background information from public sources:
Only fields with resolved data are displayed. If a lookup fails or returns nothing, the field is omitted.
Extended list of paths and patterns used by professional trackers, cloaks, and TDS systems. Includes classic endpoints and 2026 patterns.
Beyond path analysis, cloaks search for anomalies in DOM and JS environment at these specific points.
2026 systems (Cloudflare Bot Management, JCI) compare User-Agent with Client Hints headers.
New 2026 standard for detecting real browser execution flow.
Cloudflare & DataDome use dynamic link networks visible only to bots.
Cloaks verify that protection functions haven't been overridden.
Patterns used by the scanner (HTMLRewriter / body parser) to identify cloaking and tracking scripts in page source.
Why: CF Workers IPs are easily detected by ASN (Data Center).
Logic: Worker acts as "smart brain" — final request goes through proxy chaining on quality mobile/residential IPs.
Why: Data consistency between UA and Client Hints.
Why: Systems like JCI leave hidden verification artifacts.
Logic: HTMLRewriter removes all scripts containing: fp.js, fingerprint, imklo, check.js
Why: Cloaks compare IP timezone vs browser timezone.