Is This Really ChatGPT / Claude / Gemini? Free AI App Safety Check
Fake "ChatGPT for free" / "Claude API cheap" / "Gemini Pro discount" sites are now a high-volume scam category. Reference list of every legitimate AI service domain plus instant URL impersonation check.
Check a URL right now
Paste any AI-service URL into ScanTotal’s URL scanner. We flag impersonation patterns automatically.
Why this scam exists in 2026
The launch of mainstream AI services — ChatGPT in late 2022, Claude in 2023, Gemini in 2024, and the proliferation since — created an entirely new impersonation category. People searching for *"free ChatGPT"*, *"ChatGPT Plus discount"*, *"Claude API key"*, *"Gemini Pro India price"* now find dozens of fake sites in the search results. The fake sites typically do one of three things: harvest credit-card details for non-existent "subscriptions", drop malware disguised as a ChatGPT desktop client, or run cryptocurrency-mining JavaScript while the victim pastes prompts into a fake interface that’s actually a relay to a free LLM API.
The structural giveaway is always the domain. Every legitimate AI service has exactly one canonical domain, listed below. Anything else is impersonation, regardless of how convincing the visual design is.
The legitimate AI service domains
These are the only official domains for the major AI services. If a URL claims to be ChatGPT / Claude / Gemini / Copilot / etc. but is not on this list, it is impersonation.
| Service | Operator | Official domain(s) |
|---|---|---|
| ChatGPT | OpenAI | chat.openai.com · chatgpt.com · openai.com · platform.openai.com |
| Claude | Anthropic | claude.ai · anthropic.com · console.anthropic.com |
| Gemini | Google | gemini.google.com · aistudio.google.com |
| Copilot (chat) | Microsoft | copilot.microsoft.com |
| GitHub Copilot | GitHub / Microsoft | github.com · copilot.github.com |
| Perplexity | Perplexity AI | perplexity.ai |
| Mistral / Le Chat | Mistral AI | mistral.ai · chat.mistral.ai |
| Character.AI | Character Technologies | character.ai |
| Cohere | Cohere | cohere.com |
| Midjourney | Midjourney, Inc. | midjourney.com |
| Stable Diffusion / Stability | Stability AI | stability.ai |
| Runway | RunwayML | runwayml.com |
| Suno (music) | Suno | suno.com |
| ElevenLabs (voice) | ElevenLabs | elevenlabs.io |
| Cursor (code editor) | Cursor | cursor.com · cursor.sh |
Common impersonation patterns
These are NOT legitimate AI services. If you see any URL matching these patterns, do not enter card details, do not download any software, and do not log in.
- chatgpt-pro.com / chatgpt-premium.io / chatgpt-plus.tk — ChatGPT brand in SLD on non-OpenAI domain
- openai-free.com / openai-india.in / openai-cheap.net — OpenAI brand on third-party domain
- claude-api-cheap.com / claude-free.org — Claude brand on non-Anthropic domain
- geminiai.org / gemini-pro.app — Gemini brand on non-Google domain
- copilot-free.tk / github-copilot-crack.com — Copilot brand on non-Microsoft domain
- chatgpt.com.payment-portal.net — legitimate domain as a subdomain of attacker-controlled domain
- Any URL with a typosquat: chatgptt.com (double letter), chatpgt.com (transposed letters), chatgpt.co (different TLD), etc.
What the fake sites actually do
Variant 1 — the subscription harvest. Site looks like a ChatGPT or Claude clone but the “Sign up” flow takes you to a payment page asking for card details for a “Plus” or “Pro” tier. The site doesn’t actually deliver any AI service; it just captures the card and charges it. By the time the victim notices the charge or that nothing works, multiple overseas micro-transactions have processed.
Variant 2 — the malware download. Site offers a “desktop client”, “Windows installer”, or “Android APK” for the AI service. Official AI services (ChatGPT, Claude, Gemini, Copilot, Perplexity) ship through Apple App Store / Google Play Store / the Microsoft Store / their own canonical download page, never as a generic .exe or sideloaded APK. The fake download is information-stealer malware (RedLine / Raccoon / Lumma / Vidar — see our info-stealer guide).
Variant 3 — the working-but-stolen relay. The site actually works — you paste a prompt, you get an LLM response. But the LLM responses are coming from someone else’s OpenAI / Anthropic API key (stolen via earlier phishing). Meanwhile the site logs your prompts (including any sensitive content you paste in), runs cryptocurrency-mining JavaScript in your browser, and shows ads for further scams.
Variant 4 — the “ChatGPT for India / Africa / [your country]”. Targets users in regions where the legitimate AI service has either no presence or a perceived premium-pricing problem. The fake offers a “local edition” at lower cost. It is always one of the above three variants underneath.
How ScanTotal detects this
ScanTotal’s URL scanner runs five detection layers: ScanTotal Local database, Google Safe Browsing, ScanTotal Active Analysis (behavioural), ScanTotal Heuristic Engine, and (as of v1.27.0) AI service brand-impersonation detection. The brand-impersonation check looks for AI service names (chatgpt, openai, claude, anthropic, gemini, copilot, perplexity, mistral, midjourney) in the URL’s second-level domain or first subdomain, then verifies whether the resulting host is on the official allowlist. Mismatches add 30 points to the heuristic score with a specific indicator: "Possible AI service impersonation — URL contains [brand] but is not on the official domain".
The check is one signal among five. The combined Threat Assessment determines the overall verdict.
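The brand-impersonation check described above, written out in Python as an added example; it is not ScanTotal's code. The brand keywords, official domains and 30-point value come from this page, while the function names, the subdomain-suffix allowlist rule and the second-level-domain approximation are assumptions.

```python
from urllib.parse import urlsplit

# Brand keywords and the 30-point increment are taken from the description above.
BRANDS = ("chatgpt", "openai", "claude", "anthropic", "gemini",
          "copilot", "perplexity", "mistral", "midjourney")
IMPERSONATION_POINTS = 30

# Official domains copied from the page's table, for the brands listed above.
OFFICIAL = (
    "chat.openai.com", "chatgpt.com", "openai.com", "platform.openai.com",
    "claude.ai", "anthropic.com", "console.anthropic.com",
    "gemini.google.com", "aistudio.google.com", "copilot.microsoft.com",
    "github.com", "copilot.github.com", "perplexity.ai",
    "mistral.ai", "chat.mistral.ai", "midjourney.com",
)


def is_official(host):
    # Assumption: a host is official if it equals an allowlisted domain or is
    # a subdomain of one. Matching on the full dotted suffix is what rejects
    # chatgpt.com.payment-portal.net, where the real name is only a prefix.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)


def check_ai_impersonation(url):
    """Return (points, brand): (30, brand) on a mismatch, else (0, None)."""
    if "://" not in url:
        url = "http://" + url          # accept bare hostnames
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host or is_official(host):
        return 0, None
    labels = host.split(".")
    # Simplification: the label before the TLD stands in for the second-level
    # domain. Multi-part suffixes such as co.uk need a Public Suffix List.
    candidates = {labels[0], labels[-2]} if len(labels) > 1 else {labels[0]}
    for brand in BRANDS:
        if any(brand in label for label in candidates):
            return IMPERSONATION_POINTS, brand
    return 0, None
```

Substring matching flags chatgptt.com because the brand string is still present, but returns no points for chatpgt.com; transposed-letter typosquats have to be caught by a separate signal.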
Scan an AI-service URL right now
Paste the URL into ScanTotal’s URL scanner — you’ll get back a verdict with the impersonation check, plus reputation and behavioural analysis.
ChatGPT is a trademark of OpenAI, Inc. Claude is a trademark of Anthropic PBC. Gemini is a trademark of Google LLC. Copilot is a trademark of Microsoft Corporation. Perplexity is a trademark of Perplexity AI, Inc. Midjourney is a trademark of Midjourney, Inc. Stable Diffusion is a trademark of Stability AI Ltd. ScanTotal is independent and not affiliated with or endorsed by these companies. Their names are used here only to describe scams that impersonate them and to inform users which domains are legitimate.