Over 236,000 DCloud Uni-App Sites Exploited in Global Crypto Scams

Recent research has uncovered that more than 236,000 websites have been constructed using DCloud Uni-App, a legitimate Chinese open-source framework, to facilitate a variety of fraudulent activities. These include fake cryptocurrency exchanges, phishing schemes, and crypto wallet drainers.

Infoblox, a DNS threat intelligence company, identified 236,493 unique second-level domains employing DCloud Uni-App templates for these scams. The fraudulent sites encompass a range of deceptive operations, such as bogus investment platforms, multi-language pig-butchering schemes, WhatsApp phishing networks, counterfeit gambling sites, and brand-impersonation storefronts.

Scam websites built on the DCloud framework have increased sharply over the past two years, and their operators keep refining the schemes used to deceive victims. Evidence suggests that unknown threat actors are distributing DCloud investment scam templates. Patterns also point to centralized control over a substantial portion of these sites: declines in new domain registrations were observed across multiple hosting providers, which suggests disruptions or coordinated changes driven by a single entity. Other indicators include shared technical signatures, victim communication methods, and hosting choices.

One notable example is the RainbowEx platform, a fraudulent cryptocurrency exchange that operated a Ponzi scheme affecting tens of thousands in San Pedro, Argentina, in late 2024. Seven individuals associated with this operation were subsequently arrested.

While the use of DCloud Uni-App is not inherently malicious, common characteristics among these scam sites include fake brokerage interfaces, prompts designed to drain cryptocurrency wallets, gambling interfaces with rigged outcomes, brand-impersonation storefronts, and the use of bulletproof hosting services. These rogue domains span every continent, target speakers of at least eight languages, and impersonate brands ranging from major stock exchanges to retail giants and messaging platforms. The fraudulent activities have been ongoing since mid-2022.

Infoblox’s analysis reveals two distinct groups among the DCloud-fingerprinted sites: those with basic DCloud Uni-App signatures dating back to 2021, which include both legitimate Chinese businesses and malicious operations, and an investment scam-specific subset active since mid-2022. Notably, the investment scam subset is larger than the basic DCloud framework fingerprint alone reveals: more sophisticated operators strip the default DCloud identifiers to evade detection, so those sites are caught only by scam-specific signatures rather than by the framework fingerprint.

The second group of DCloud scam websites is operated by multiple unrelated entities and encompasses a variety of fraudulent schemes:

  • Fake cryptocurrency exchanges and deposit-and-trade platforms that impersonate well-known exchanges, tricking users into making investments and displaying fictitious trading activity until victims attempt to withdraw funds.
  • Cryptocurrency wallet drainers that lure users into connecting their wallets by masquerading as BNB Chain or Tether verification processes.
  • Prediction-market and gambling impersonations that mimic Polymarket-style prediction markets or fake casinos and lottery platforms.
  • WhatsApp and messaging platform phishing schemes that aim to extract credentials by impersonating WhatsApp’s Security Help Center using lookalike domains.
  • Generic template phishing and credential collection featuring simple login and registration pages.

In the United States, similar tactics have been observed in publicly known operations, such as the LSSC scooter-sharing investment scam, which escalated into a major federal and state fraud investigation last year, and a bicycle-sharing investment-themed scam currently active under a UK-registered corporate front with a genuine US federal money-services license.

The scooter investment scam, built using the Uni-App framework, operates under the Yuechi Sharing Technology Ltd. brand and primarily targets Australia, New Zealand, and the US. Yuechi’s front-end features a login or registration form requiring users to enter their phone number, SMS verification code, and an invitation code shared by an existing affiliate of the pyramid scheme. This invitation code requirement aligns with the operators’ strategy to convert each victim into a recruiter who will then try to recruit their own friends, family, and co-workers to bring in more investments and build out the pyramid.

The site also includes a customer service component that redirects victims to an off-platform branded chat to handle issues like registration errors, withdrawal blocks, and deposit holds.
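As an added illustration of the two-tier detection implied by Infoblox’s analysis above (a framework fingerprint that sophisticated operators strip, plus scam-template traits that survive stripping) and of the registration-form and off-platform chat patterns in the Yuechi description, the Python below is example code written for this page, not Infoblox’s or DCloud’s. It scores a fetched HTML page against two marker sets: default identifiers a stock uni-app H5 build tends to leave behind (the `window.__uniConfig` global, `uni-` CSS class prefixes, a default `uni-app` page title) and template traits (phone, SMS-code and invitation-code fields, an external customer-service link). The marker regexes and the three sample pages are constructed assumptions for the example, not Infoblox’s actual signatures or real sites.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample pages (not real sites). PAGE_A is a stock uni-app build
# with default identifiers left in and the scam registration form; PAGE_B is
# the same template with framework identifiers stripped; PAGE_C is a benign
# uni-app build with no scam traits.
PAGE_A = """<!DOCTYPE html><html><head><title>uni-app</title>
<script>window.__uniConfig = {"router":{"mode":"hash"}};</script></head>
<body><div id="app"><div class="uni-app--showtabbar uni-page-body">
<form><input placeholder="Phone number"><input placeholder="SMS verification code">
<input placeholder="Invitation code"><button>Register</button></form>
<a href="https://chat.example.invalid/agent">Customer service</a>
</div></div></body></html>"""

PAGE_B = """<!DOCTYPE html><html><head><title>Yuechi Sharing</title>
<script src="/static/js/main.js"></script></head>
<body><div id="root"><form><input placeholder="Mobile"><input placeholder="SMS code">
<input placeholder="Invite code"><button>Sign up</button></form>
<a href="https://chat.example.invalid/agent">Online service</a></div></body></html>"""

PAGE_C = """<!DOCTYPE html><html><head><title>Tea Shop</title>
<script>window.__uniConfig = {"router":{"mode":"history"}};</script></head>
<body><div id="app"><div class="uni-page-body"><ul><li>Oolong</li><li>Pu-erh</li></ul>
</div></div></body></html>"""

SAMPLES = {"A": PAGE_A, "B": PAGE_B, "C": PAGE_C}

# Hypothetical framework markers: strings a default uni-app H5 build commonly
# leaves in the page. Operators who edit the build can remove all of them.
FRAMEWORK_MARKERS = {
    "uniconfig_global": re.compile(r"window\.__uniConfig\s*="),
    "uni_css_prefix": re.compile(r'class="[^"]*\buni-(?:app|page-body|page-head)\b'),
    "default_title": re.compile(r"<title>\s*uni-app\s*</title>", re.I),
}

# Hypothetical template markers: traits of the investment-scam flow described
# in the article (phone + SMS code + invitation code, off-site support chat).
TEMPLATE_MARKERS = {
    "phone_field": re.compile(r'placeholder="[^"]*(?:phone|mobile)', re.I),
    "sms_code_field": re.compile(r'placeholder="[^"]*sms[^"]*code', re.I),
    "invite_code_field": re.compile(r'placeholder="[^"]*invit(?:e|ation) code', re.I),
    "offsite_chat": re.compile(
        r'href="https?://[^"]+"[^>]*>\s*(?:customer|online) service', re.I
    ),
}

TEMPLATE_THRESHOLD = 3  # assumed: how many template traits count as a match


@dataclass
class Verdict:
    framework_hits: list[str]
    template_hits: list[str]
    label: str


def _hits(markers: dict[str, re.Pattern], html: str) -> list[str]:
    return [name for name, rx in markers.items() if rx.search(html)]


def classify(html: str) -> Verdict:
    """Label a page by framework fingerprint and by scam-template traits."""
    fw = _hits(FRAMEWORK_MARKERS, html)
    tp = _hits(TEMPLATE_MARKERS, html)
    if len(tp) >= TEMPLATE_THRESHOLD:
        # Template traits win: a stripped build still matches here.
        label = "investment-scam-template" if fw else "scam-template-no-framework-fingerprint"
    elif fw:
        label = "dcloud-default-build"  # uni-app, but nothing scam-specific
    else:
        label = "no-match"
    return Verdict(fw, tp, label)


def coverage(pages: dict[str, str]) -> dict[str, int]:
    """Compare what a framework-only fingerprint flags with the template check."""
    verdicts = {name: classify(html) for name, html in pages.items()}
    return {
        "framework_fingerprint": sum(1 for v in verdicts.values() if v.framework_hits),
        "scam_template": sum(
            1 for v in verdicts.values() if len(v.template_hits) >= TEMPLATE_THRESHOLD
        ),
    }


if __name__ == "__main__":
    for name, html in SAMPLES.items():
        v = classify(html)
        print(name, v.label, "framework=", v.framework_hits, "template=", v.template_hits)
    print(coverage(SAMPLES))
```

Run as-is, PAGE_B is invisible to the framework fingerprint but still flagged by the template check, while PAGE_C carries the framework fingerprint and nothing else, which is the benign-uni-app case the article warns about. In practice the template marker set would be tuned per language (the sites target at least eight) and per scheme, and a match should feed a DNS block list or investigation queue rather than an automatic takedown.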

Infoblox’s analysis of the DCloud-built investment scam infrastructure reveals that most of the domains are hosted on legitimate providers such as Cloudflare, Alibaba Cloud, Tencent Cloud, and Amazon Web Services. About 6% of visible DCloud-built investment scam domains leverage bulletproof hosting providers like CTG Server Limited, previously flagged for malicious cyber activity.

Operators sophisticated enough to recognize and strip framework fingerprints are also likely to seek out infrastructure providers that resist takedown requests. Conversely, less sophisticated operators who deploy templates as-is are more likely to use mainstream hosting, making them easier to identify and remove.

The exploitation of DCloud Uni-App for such widespread fraudulent activities underscores the need for heightened vigilance among internet users and stricter oversight by hosting providers. As cybercriminals continue to adapt and leverage legitimate platforms for malicious purposes, it is crucial for both individuals and organizations to stay informed and implement robust security measures to protect against these evolving threats.