The URL shortener that makes your links look as suspicious as possible
creepylink.com

777 points

dreadsword

a day ago

151 comments

postalcoder a day ago

There may actually be some utility here. LLM agents refuse to traverse the links. Tested with gemini-3-pro, gpt-5.2, and opus 4.5.

edit: gpt-oss 20B & 120B both eagerly visit it.

  • devsda a day ago

    I wish this came a day earlier.

    There is a current "show your personal site" post on top of HN [1] with 1500+ comments. I wonder how many of those sites are or will be hammered by AI bots in the next few days to steal/scrape content.

    If this can be used as a temporary guard against AI bots, that would have been a good opportunity to test it out.

    1. https://news.ycombinator.com/item?id=46618714

    • aflukasz a day ago

      AI bots (or clients claiming to be one) appear quite fast on new sites, at least that's what I saw recently in few places. They probably monitor Certificate Transparency logs - you won't hide by avoiding linking. Unless you are ok with staying in the shadow of naked http.

      • KetoManx64 20 hours ago
        7 more

        Get a wildcard cert and use it behind a reverse proxy.

        • RIMR 20 hours ago
          6 more

          Okay, but then what? Host your sites on something other than 'www' or '*', exclude them from search engines, and never link to them? Then, the few people who do resolve these subdomains, you just gotta hope they don't do it using a DNS server owned by a company with an AI product (like Google, Microsoft, or Amazon)?

          I really don't know how you're supposed to shield your content from AI without also shielding it from humanity.

          • throwaway81523 18 hours ago
            5 more

            Don't have any index pages or heavy cross-linking between pages.

            • petcat 17 hours ago
              4 more

              None of that matters. AI bots can still figure out how to navigate the website.

              • kemotep 14 hours ago

                The biggest problem I have seen with AI scrapping is that they blindly try every possible combination of URLs once they find your site and blast it 100 times per second for each page they can find.

                They don’t respect robots.txt, they don’t care about your sitemap, they don’t bother caching, just mindlessly churning away effectively a DDOS.

                Google at least played nice.

                And so that is why things like anubis exist, why people flock to cloudflare and all the other tried and true methods to block bots.

              • throwaway81523 8 hours ago

                I don't see how that is possible. The web site is a disconnected graph with a lot of components. If they get hold of a url, maybe that gets them to a few other pages, but not all of them. Most of the pages on my personal site are .txt files with no outbound links, for that matter. Nothing to navigate.

              • dylan604 13 hours ago

                how? if you don't have a default page and index listings are disabled, how can they derive page names?

    • xlii a day ago

      I posted my site on the thread.

      My site is hosted on Cloudflare and I trust its protection way more than flavor of the month method. This probably won't be patched anytime soon but I'd rather have some people click my link and not just avoid it along with AI because it looks fishy :)

      • treebeard901 a day ago

        I've been considering how feasible it would be to build a modern form of the denial of service low orbit ion cannon by having various LLMs hammer sites until they break. I'm sure anything important already has Cloudflare style DDOS mitigation so maybe it's not as effective. Still, I think it's only a matter of time before someone figures it out.

        There have been several amplification attacks using various protocols for DDOS too...

      • devsda a day ago
        3 more

        Yeah I meant using it as an experiment to test with two different links(or domains) and not as a solution to evade bot traffic.

        Still, I think it would be interesting to know if anybody noticed a visible spike in bot traffic(especially AI) after sharing their site info in that thread.

        • bookofjoe 20 hours ago
          2 more

          I didn't: no traffic before sharing, none since.

      • pawelduda 20 hours ago

        FYI Cloudflare protection doesn't mean much nowadays if someone is slightly determined to scrape the site

        Unless you mean DDoS protection, this one helps for sure

    • testfrequency a day ago

      Glad I’m not the only one who felt icky seeing that post.

      I agree my tinfoil hat signal told me this was the perfect way to ask people for bespoke, hand crafted content - which of course AI will love to slurp up to keep feeding the bear.

      • Dilettante_ 17 hours ago
        2 more

        Not producing or publishing creative works out of fear that someone will find them and build on top of them is such a strange position to me, especially on a site that has it's cultural basis in hacker culture.

        • ronsor 16 hours ago

          AI has driven a lot of people mad and not just its end users.

    • kzalesak a day ago

      I think that something specifically intended for this, like Anubis, is a much better option.

      • subscribed a day ago
        3 more

        Anubis flatly refuses me access to several websites when I'm accessing them with a normal Chromium with enabled JS and whatnot, from a mainstream, typical OS, just with aggressive anti-tracking settings.

        Not sure if that's the intended use case. At least Cloudflare politely masks for CAPTCHA.

        • fc417fc802 21 hours ago

          What do you mean "refuses"? The worst it should do is serve up a high difficulty proof of work. Unless it gained new capabilities recently?

          Are you sure the block isn't due to the authors of those websites using some other tool in addition?

        • john01dav a day ago

          I thought that Anubis solely is proof of work, so I'm very curious as to what's going on here.

    • jnrk a day ago

      Of course, the downside is that people might not even see your site at all because they’re afraid to click on that suspicious link.

      • postalcoder a day ago
        2 more

        Site should add a reverse lookup. Provide the poison and antidote.

        • gala8y a day ago

          Bitly does that, just add '+' to Bitly URL (probably other shorteners, too).

    • briandear a day ago

      How is AI viewing content any different from Google? I don’t even use Google anymore because it’s so filled with SEO trash as to be useless for many things.

      • Zambyte a day ago

        Try hosting a cgit server on a 1u server in your bedroom and you'll see why.

  • PUSH_AX a day ago

    LLM led scraping might not as it requires an LLM to make a choice to kick it off, but crawling for the purpose of training data is unlikely to be affected.

  • Barathkanna a day ago

    Sounds like a useful signal for people building custom agents or models. Being able to control whether automated systems follow a link via metadata is an interesting lever, especially given how inconsistent current model heuristics are.

  • evilmonkey19 14 hours ago

    I can confirm Mistral refuse to traverse the links

tcgv 17 hours ago

Hole in one!

I shortened a link and when trying to access it in Chrome I get a red screen with this message:

  Dangerous site
  Attackers on the site you tried visiting might trick you into installing software or revealing things like your passwords, phone, or credit card numbers. Chrome strongly recommends going back to safety.
gnabgib a day ago

Related: A URL shortener not shortening the URL but makes it look very dodgy (434 points, 2023, 100 comments) https://news.ycombinator.com/item?id=34609461

  • vedmakk a day ago

    That's less a URL shortener and more a URL dodgifier.

    • tylervigen a day ago

      To be fair, the one in the OP also did not shorten any of the links I gave it.

  • Bengalilol a day ago

    The key point here is "not shortening"

arjvik a day ago

My favorite link of all time:

https://jpmorgan.c1ic.link/logger_zcGFC2_bank_xss.docm

Definitely not meta

  • deltarholamda 21 hours ago

    I got one where the called script ended in ".pl" and I had a flashback to the 90s. My trousers grew into JNCOs, Limp Bizkit started playing out of nowhere and I got a massive urge to tell Slashdot that Alan Thicke had died.

  • cuechan a day ago

    With Firefox on Android it simply says

    Deceptive site issue

    This web page at [...] has been reported as a deceptive site and has been blocked based on your security preferences.

    What's going on? I can't find any setting to disable this.

    • bmitch3020 13 hours ago

      I was able to get past that (Firefox on the Desktop) by clicking the "see details" button and then clicking the "ignore the risk" link. It took me a while to actually read the text too.

  • fuddle a day ago

    Imagine using this as your personal website lol

latexr a day ago

I think it’s perfectly reasonable to make something useless for fun, it’s an interesting idea.

But what I’d like to understand is why there are so many of the same thing. I know I’ve seen this exact idea multiple times on HN. It’s funny the first time, but once it’s done once and the novelty is gone (which is almost immediately), what’s the point of another and another and another?

  • amne a day ago

    I think it's just someone learning something new most of the time.

    I have home made url shorteners in go, rust, java, python, php, elixir, typescript, etc. why? because I'm trying the language and this kind of project touches on many things: web, databases, custom logic, how and what design patterns can I apply using as much of the language as I can to build the thing.

    • latexr 21 hours ago

      Right. But the question is why redo the exact same joke? Why not come up with another twist (like the URL lengthener) or do no twist but be useful?

      I’m not criticising the author or anyone who came before. I’m trying to understand the impetus between redoing a joke that isn’t yours. You don’t learn anything new by redoing the exact same gag that you wouldn’t learn by being even slightly original or making the project truly useful.

      Ideas are a dime a dozen. You could make e.g. a Fonzie URL shortener (different lengths of “ayyyyy”), or an interstellar one (each is the name of a space object), or a binary one (all ones and zeroes)… Each of those would take about the same effort and teach you the same, but they’re also different enough they would make some people remember them, maybe even look at the author and their other projects, instead of just “oh, another one of these, close”.

      • stronglikedan 21 hours ago
        2 more

        If you're learning, it's better to recreate something exactly as it is, so that you have something against which to verify your output. Plus, not everyone is an idea person, and I'd wager that most devs are implementation people, not idea people.

        • latexr 20 hours ago

          I’d argue that if you’re learning and are so inexperienced you need to recreate something exactly, you should instead recreate something real and useful—of which there are more examples—than one joke.

          Plus, I don’t think I’ve seen another of these which is exactly like this (just extremely close in concept), so the argument doesn’t hold.

      • zulban 16 hours ago

        If you don't need to design a new product, you can focus on execution.

        You may want to learn about design and novelty. Some people just want to learn about execution.

      • postalcoder 21 hours ago
        2 more

        A joke isn’t the best example because there are jokes that never changes but the delivery is a sign of mastery. The Aristocrats is like Bach’s cello suite for comedians.

        • latexr 21 hours ago

          The Aristocrats is a special case where the setup is the joke instead of the punchline. The point is the inventiveness of the journey. If it was told with the same setup every time, it wouldn’t be funny.

      • BubbleRings 14 hours ago

        Hold on, registering www.0111001000101010.com before somebody else gets it...

  • meken 21 hours ago

    I’ve been browsing this site for a decade plus and this idea was new to me. Maybe the author is in the same boat.

    Edit: I see referencnes to shadyurl in the comments and I have heard of that, but probably wouldn’t have thought of it.

    • latexr 21 hours ago

      Fair. I’d think they would look for prior work beforehand, but that’s perfectly valid.

      https://xkcd.com/1053/

      Again, this was not a criticism, but a genuine question.

      • meken 18 hours ago

        I can’t speak for the author, but this strikes me as the kind of thing you might not want to check prior work on. It just seems like a fun little project and sometimes seeing that other people have done it can be a bit demotivating.

  • victords a day ago

    A fun project doesn't need to be original, IMO.

    URL Shortener is still one of the most popular System Design questions, building this project is a great way to have some experience / understanding of it, for example.

    • latexr 21 hours ago

      > A fun project doesn't need to be original, IMO.

      I agree. But a URL shortener with a twist isn’t just fun, it’s funny. The joke—as opposed to the usefulness—is what’s interesting about it. But when the same joke is overdone, it’s no longer funny.

      > building this project is a great way to have some experience / understanding of it

      https://news.ycombinator.com/item?id=46632329

  • abustamam 20 hours ago

    I actually forgot that this had been done before until you mentioned it.

    Giving the author the benefit of the doubt, they may have not seen it before, or was bored and just wanted to make a toy.

    And it seems like many in HN are in enough a similar boat to me to have up voted it to trending, so at least some people found it entertaining, so it fulfilled its purpose I suppose.

    It's a good question though, and I don't think anyone really knows the answer.

  • asynchronous13 18 hours ago

    The author posted this project on reddit a few days ago where they mentioned their motivation: "I have a coworker who is constantly talking about the glory days of ShadyUrl, but that website has been down for several years at this point, so I figured I would create an alternative."

  • cubefox 21 hours ago

    One reason is that not all these websites manage to make equally "creepy" links, even though the basic idea is the same. I remember one version which was a lot more alarming than the current example, with links containing a mix of suspicious content hinting at viruses, phishing, piracy/warez sites, pornography (XXX cams), and Bitcoin scams. I don't remember that website, but the current case seems rather weak by comparison.

    • latexr 20 hours ago

      That makes it even more confusing. If you’re making something creepy, I can see the argument for “whatever exists isn’t creepy enough, I’ll do it better” but not the reverse.

      • cubefox 19 hours ago

        It's possible the current website is older, or that the creator doesn't know about better alternatives. (Also, they do produce rather short links, unlike some of the others, which don't pass as "URL shorteners". Though not sure whether that's relevant.)

qnleigh a day ago

What's up with the creepy ads on this website? It seems like they are actually sketchy ads and not just fake ads for comedic effect. One shows some scammy nonsense about your device being infected and the other links to a real VPN app.

  • HPsquared a day ago

    That's just the ambient creepiness of the internet. It's a creepy place!

  • wmeredith 21 hours ago

    This is probably the result of a context based ad network serving sketchy adds because of the suspicious url content.

bityard a day ago

IIRC, shadyurl was the original version of this. Doesn't seem to be around anymore, though.

  • nomel a day ago

    shadyurl a whole bunch of different incredibly shady domains that were used at random. it was beautiful.

codemogul 20 hours ago

BRILLIANT! Even Chrome says nope/DANGEROUS to a creepified link to mail.google.com

zX41ZdbW a day ago

I would also like to have something like this, but for "vintage" links - something that looks like it was from the late 90s.

I use them in tests, just for fun: https://github.com/ClickHouse/ClickHouse/blob/master/tests/q...

vhurg a day ago

Please don’t use 3rd party relays for your URLs. It’s bad enough to have your own server, domain, etc. as single points of failure and bottlenecks without adding a 3rd party into the mix, who either themselves or someone that takes over their domain later track users, randomly redirect your users to a malicious site, or just fail.

I know people have fond memories of long ago when they thought surely some big company’s URL shortener would never be taken down and learned from that when it later was.

  • SilasX 20 hours ago

    This! I've run into very frustrating examples of legit sites doing that, for no defensible reason at all.

    For example, the healthcare.gov emails. For links to that domain, they would still transform them with lnks.gd, even though:

    1) The emails would be very long and flashy, so they're clearly not economizing on space.

    2) The "shortened" URL was usually longer!

    3) That domain doesn't let you go straight to the root and check where the transformed URL is going.

    It's training users to do the very things that expose them to scammers!

dreadsword a day ago

Saw this on relaunched Digg and figured HN would appreciate it.

  • qweiopqweiop a day ago

    Now that's a name I've not heard in a long time

  • koakuma-chan a day ago

    I don't appreciate how AI generated this website looks.

    • nimih a day ago

      It seems appropriate that, for a website whose purpose is to make links which raise your suspicions, the visual design itself also raises your suspicions.

    • olyjohn a day ago

      Just looks like every other generic framework oriented site.

    • 4k93n2 a day ago

      which bit are you getting an AI smell from?

      • koakuma-chan a day ago
        3 more

        gradient background, card, button

        • anomaly_ a day ago

          Have you looked at a website in the last 10 years?

        • Alupis a day ago

          Perhaps, but nearly every tutorial in all the modern frameworks demonstrate this exact style.

  • bundie a day ago

    Digg is back?

    Edit: looks like you need an invite code.

    Bummer

phoe-krk a day ago

I wouldn't call it a shortener, since most of the links it creates are longer than the originals.

What would be a good name here? A URL redirector?

juliangmp a day ago

This is legit! If you disable your adblock you even get a suspicious ad

autoexec 14 hours ago

Every URL shortener is suspicious.

While this seems like it would make it harder for them I wouldn't be surprised if scammers eventually try to abuse this service too and I have no doubt that people would happily click these if they found in them in a phishing email, that said I give the folks behind this a lot of credit for having a way to contact them and report links if that happens.

zefhous 16 hours ago

My city utility provider used secured-server.biz for billing for a long time. I always thought it was hilarious and very suspicious looking.

Avamander 20 hours ago

It would've been top-notch if it actually sometimes just used Outlook/O365 or similar vendor's "safelinks" redirector that they use.

dieggsy a day ago

This is fun. Is it not checking for previously submitted URLs though? I can seemingly re-submit the exact same URL and get a new link every time. I would expect this to fill the database unnecessarily but I have no idea how the backend works.

  • saghm a day ago

    Am I missing something, or would these essentially be implemented via DNS records? It's not clear to me that keeping the links in a database would be necessary at all (unless the DNS records are what you mean by "database")

    • janwillemb a day ago

      DNS is only for resolving the host part. The path is not passing through a dns query.

      In example.com/blah, the /blah part is interpreted by the host itself.

      And apart from that I would indeed consider DNS records a database.

falsedev 18 hours ago

I can't tell if the website works as advertised because I don't want to open the generated links

bsza a day ago

Yeah but have fun explaining yourself to the police when the author abandons the project and an actual scammer ends up buying up all those domains.

danielpetrica 17 hours ago

As someone who built a standard shortener (coz.jp), this is hilarious. I spent so much time trying to make links look trustworthy; doing the exact opposite is a surprisingly fun concept.

TomMasz 21 hours ago

This is great. It created a link to my personal site that Firefox blocked me from going to.

lzap a day ago

I like how old-school HN comment section does not care about creepy links at all. Or link for that matter.

victorevogor a day ago

Just wondering. so you bought c1ic.link and web-safe.link. That's very cool

CupricTea 20 hours ago

The other day in a Facebook Messenger group chat I tried to link to https://motherfuckingwebsite.com/ as a joke, but Messenger kept blocking it. It's quite overzealous with its blocking.

zakki a day ago

Is this suspicious: https://microsoft.c1ic.link/0B7jqd_invoice.vbs ?

  • jimnotgym a day ago

    I think Microsoft have their own version of this

    Msn.com Office.com Sharepoint.com Hotmail.com Etc, plus all the subdomains they insert before them. It makes it very easy to create phishing emails that look plausible.

    • Zambyte a day ago

      microsoftonline.com is one of my favorites. Like how can you look any more scammy :D

snehalbaghel 4 hours ago

Imagine someone compromises apps like these and replaces the creepy looking links to actually dangerous links

fancychancy a day ago

Haha, it's fun. Just thinking, is there some place where creepy links would be better ?

  • AnotherGoodName a day ago

    I've been at a company that internally sends out fake links that log the user and links to an educational page on internet safety.

    I honestly don't mind too much since it's a once a year thing (hacktober) and honestly companies should be trying to catch out employees who click any and all links.

    • trollbridge a day ago

      We used to have fun hammering millions of requests to such URLs from a VPS when they would send such emails to role mailboxes.

      Eventually we got asked to please make it stop. I asked them to please stop sending fake phishing emails to robots.

dizhn a day ago

Firefox is freaking out on some of these. It's hilarious.

FuturisticLover a day ago

I am sharing content using these creepy links to send to office people.

abhinai a day ago

Please take my upvote. :)

lzzzam a day ago

I can just say thanks

virajk_31 a day ago

why do creepy links look creepy?...

thimkerbell 17 hours ago

Add this to "HN for psychopaths" please.

neuroelectron a day ago

/instagram.c1ic.link/mCLIIp_free_vacation_offer.zip

awesome_dude a day ago

For humour I shortened "https://www.facebook.com/"

And got https://twitter.web-safe.link/root_4h3ku0_account_verificati...

  • vanc_cefepime a day ago

    I added google.com and it spit out https://twitterDOTc1icDOTlink/install_Jy7NpK_private_videoDOTzip

    Interesting that it spit out a .zip url. Was not expecting that so I changed all the “.” to “DOT” so I don’t get punished for posting a spammy link despite this literally being a website to make links as spammy and creepy as possible.

    • bmacho a day ago

      punished by whom?

fuddle a day ago

lol, I'm not clicking a .vbs link

CrimsonCape a day ago

It is hilarious and i'm not clicking any link lol.

hnst1 a day ago

[dead]

pabs3 a day ago

Please don't make any more URL shorteners, they are just a bad idea.

https://wiki.archiveteam.org/index.php/URLTeam

  • aussieguy1234 a day ago

    I always end up making my own, they're so simple to write.

    Saves using one of the "free" ones which looks like its free but you're actually on a free trial, then you can't access your links after that trial expires.

  • blenderob a day ago

    Way to miss the point of the project!