DEV Community

The Free Tier
The Free Tier

Posted on • Originally published at thefreetier.substack.com

We read 5 \"free credits\" Terms of Service so you don't have to

When an AI credit offer goes viral, two things spawn immediately: threads calling it a scam, and actual scams farming the confusion.

Case study from our own beat. Hyperagent — an AI agent platform currently running a large signup-credit offer — lives at hyperagent.com. There is also a hyperagents.online: plural, different TLD, and a rock-bottom trust score on Scamadviser. Type the name into a search bar with one letter of drift, or click a link in the wrong thread, and you land somewhere that would love your email and card number. Half of every "is this legit?" argument online is two people talking about two different websites.

Here's the 60-second check, in order.

1. Get the canonical domain from the company, not the link (20 sec)

Find the company's official X/LinkedIn/GitHub profile or a news article about them, and note the domain those link to. That's your ground truth. Never establish a domain's legitimacy from the same place you got the link — that's the link vouching for itself.

2. Read the domain out loud, slowly (10 sec)

Lookalikes drift in exactly three ways: pluralization (hyperagent → hyperagents), hyphenation (hyper-agent), and TLD swaps (.com → .online, .site, .app). If the brand is a .com and your link isn't, stop and verify. Subdomain tricks count too: hyperagent.com.claim-bonus.site is not hyperagent.com — the real domain is whatever sits immediately left of the final dot-something.

3. Check where the bonus link actually resolves (15 sec)

Legitimate referral programs run on the company's own domain — a real referral link looks like hyperagent.com/refer/…, not a third-party redirect chain. Paste the link somewhere you can read it before you click it. If a "claim your credits" URL lands anywhere off the canonical domain, close the tab. No real program requires a side door.

4. Run it through a reputation checker — as a signal, not a verdict (10 sec)

Scamadviser, URLVoid, and similar tools aggregate domain age, hosting, and report history. A terrible score on a domain claiming to be a funded company is disqualifying. A good score proves less — new-but-legit domains score mediocre — which is why this is step four and not step one.

5. Let your password manager be the tripwire (5 sec)

If you've signed up on the real site before, your password manager will refuse to autofill on the lookalike — it matches exact domains, and it can't be fooled by fonts, logos, or vibes. When autofill goes silent on a familiar-looking login page, believe the software, not your eyes.

Bonus confusion: name collisions

Not every same-name site is malicious. There's an open-source research project on GitHub also called HyperAgent — an academic coding-agent framework, wholly unrelated to the commercial platform. No one's scamming anyone; you can just burn twenty minutes reading the wrong project's docs. Tool names in AI are colliding constantly (there are at least three products called "Hyper-something-agent"). The canonical-domain check in step 1 resolves these too.

The habit

Bookmark the real domain the first time you verify it, and only ever enter through the bookmark. Sixty seconds once, zero seconds forever.

The fine print of trust is the URL bar. Read it like we read ToS sections: slowly, once, before it costs you anything.

No referral links in this post.

Top comments (0)