Infoblox Discovers Over 236,000 Scam Websites Built Using DCloud Uni-App Templates

Cybersecurity researchers at Infoblox have uncovered a massive network of more than 236,000 fraudulent websites built using templates based on DCloud Uni-App, a legitimate Chinese open-source cross-platform application development framework.

According to the company’s latest threat intelligence report, cybercriminals have been abusing the framework for the past two years to rapidly create convincing scam websites that support a wide range of online fraud schemes.

Researchers identified 236,493 unique second-level domains linked to these operations, making it one of the largest scam infrastructures observed to date.

DCloud Framework Powers Large-Scale Scam Operations

While DCloud Uni-App is a legitimate development platform widely used for building cross-platform applications, attackers have repurposed it to create reusable scam templates that can be deployed with minimal effort.

Infoblox believes unknown threat actors are actively selling these templates to cybercriminals. However, investigators also found evidence suggesting that many of the scam websites may share centralized ownership or infrastructure.

Researchers observed synchronized drops in new domain registrations across multiple hosting providers, indicating either coordinated operational changes or disruptions affecting a central operator.

Additional similarities include shared technical fingerprints, identical victim communication methods, and common hosting infrastructure.
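As an added illustration (not code from the Infoblox report), the following script operationalizes the inference above: it flags days on which new-domain registrations fall sharply across several hosting providers at the same time, the kind of synchronized drop that points to a single operator behind many template-built sites. Provider names and daily counts are constructed sample data.

```python
"""Detect synchronized drops in daily domain registrations across providers."""
from statistics import mean

# Constructed sample: daily counts of newly registered template-built domains,
# one list per hosting provider (index = day number). Hypothetical figures,
# not Infoblox's data. Days 6-8 show a simultaneous collapse on three
# providers while the fourth is unaffected.
COUNTS = {
    "cloud-a": [40, 42, 39, 41, 43, 40, 9, 8, 10, 38, 41],
    "cloud-b": [25, 27, 24, 26, 25, 26, 5, 6, 4, 24, 26],
    "cloud-c": [15, 14, 16, 15, 15, 14, 3, 2, 3, 15, 14],
    "cloud-d": [30, 31, 29, 30, 32, 30, 31, 29, 30, 31, 30],
}


def provider_drops(series, window=5, ratio=0.5):
    """Days on which a provider's count falls below `ratio` of its
    trailing `window`-day mean (a per-provider anomaly, not yet a signal)."""
    drops = set()
    for i in range(window, len(series)):
        baseline = mean(series[i - window:i])
        if baseline > 0 and series[i] < ratio * baseline:
            drops.add(i)
    return drops


def synchronized_drops(counts, min_providers=3, window=5, ratio=0.5):
    """Map day -> sorted providers that dropped that day, keeping only days
    where at least `min_providers` dropped together. A drop confined to one
    provider is more likely a hosting-side change than a central operator."""
    by_day = {}
    for provider, series in counts.items():
        for day in provider_drops(series, window, ratio):
            by_day.setdefault(day, []).append(provider)
    return {d: sorted(p) for d, p in by_day.items() if len(p) >= min_providers}


def episodes(sync):
    """Collapse consecutive synchronized days with the same provider set into
    (start_day, end_day, providers) runs for reporting."""
    runs = []
    for day in sorted(sync):
        if runs and day == runs[-1][1] + 1 and sync[day] == runs[-1][2]:
            runs[-1] = (runs[-1][0], day, runs[-1][2])
        else:
            runs.append((day, day, sync[day]))
    return runs


if __name__ == "__main__":
    for start, end, providers in episodes(synchronized_drops(COUNTS)):
        print(f"days {start}-{end}: synchronized drop on {', '.join(providers)}")
```

On real data the same functions would be fed per-provider counts derived from passive DNS or registration feeds; the window and ratio are the analyst's tuning knobs.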

Fake Crypto Exchanges and Investment Platforms

One of the most notable operations linked to the infrastructure is RainbowEx, a fake cryptocurrency exchange that operated as a Ponzi scheme in San Pedro, Argentina.

The fraudulent platform reportedly defrauded tens of thousands of victims before authorities arrested seven individuals connected to the operation in late 2024.

Although using the DCloud framework alone is not evidence of malicious activity, Infoblox found recurring characteristics among the scam websites, including:

  • Fake cryptocurrency trading platforms
  • Fraudulent brokerage dashboards
  • Crypto wallet drainer pages
  • Online gambling scams
  • Brand impersonation websites
  • Bulletproof hosting infrastructure

Scams Target Victims Worldwide

The researchers found that the malicious domains span every continent and target users in at least eight different languages.

The campaigns imitate well-known organizations ranging from cryptocurrency exchanges and financial institutions to retail companies and messaging platforms.

Infoblox believes the investment scam ecosystem has been operating continuously since mid-2022.

The researchers identified two primary groups of DCloud-based websites:

1. Standard DCloud Websites

These websites retain the default DCloud Uni-App signatures and include both legitimate Chinese businesses and malicious operations dating back to 2021.

2. Investment Scam Infrastructure

This second category consists of more sophisticated scam websites specifically designed for financial fraud.

Many operators remove the default DCloud fingerprints, making these sites significantly harder for security researchers to identify using traditional detection methods.

Multiple Fraud Campaigns Identified

The scam infrastructure supports several different criminal operations, including:

Fake Cryptocurrency Exchanges

Victims are encouraged to deposit funds into bogus cryptocurrency trading platforms that display fabricated profits. When users attempt to withdraw their money, access is blocked.

Cryptocurrency Wallet Drainers

Some websites impersonate blockchain verification processes, convincing users to connect cryptocurrency wallets before stealing digital assets.

Fake Gambling and Prediction Markets

Researchers discovered fraudulent casinos, lottery platforms, and prediction market websites designed to collect deposits while ensuring players never receive legitimate payouts.

WhatsApp Phishing Campaigns

Several domains imitate WhatsApp’s Security Help Center using lookalike domain names to steal user credentials.

Generic Credential Harvesting

Many sites simply present fake login or registration portals intended to collect usernames, passwords, phone numbers, and verification codes.

Investment Scams Continue to Expand

Infoblox also linked the infrastructure to investment-themed fraud operations targeting users in the United States, Australia, and New Zealand.

One campaign operates under the name Yuechi Sharing Technology Ltd., promoting a fake scooter-sharing investment opportunity.

Like many pyramid-style investment scams, new users cannot register without first entering an invitation code supplied by an existing participant.

Researchers say this recruitment model encourages victims to become recruiters, expanding the scam by convincing friends, family members, and colleagues to invest.

The websites also include customer support systems that redirect victims to off-platform chat services to address issues such as blocked withdrawals or failed deposits, helping maintain the illusion of legitimacy.

Legitimate Cloud Services Used Alongside Bulletproof Hosting

Infoblox found that most of the identified domains are hosted by legitimate cloud providers, including:

  • Cloudflare
  • Alibaba Cloud
  • Tencent Cloud
  • Amazon Web Services (AWS)

However, approximately 6% of the scam websites rely on bulletproof hosting (BPH) providers such as CTG Server Limited, a hosting provider previously associated with malicious cyber activity.

Interestingly, researchers found that the more sophisticated operators who removed DCloud fingerprints were also twice as likely to use bulletproof hosting, making their operations significantly more resistant to takedown efforts.

Less experienced criminals typically deploy the templates without modification and rely on mainstream hosting providers, making their websites easier for researchers to detect and remove.

Final Thoughts

The findings demonstrate how legitimate software development frameworks can be repurposed to fuel large-scale cybercrime. By combining reusable templates with trusted cloud infrastructure and increasingly sophisticated hosting strategies, attackers have created an ecosystem capable of supporting hundreds of thousands of fraudulent websites worldwide.

Organizations and individual users should remain cautious when interacting with online investment platforms, cryptocurrency exchanges, or unfamiliar financial services. Verifying website authenticity before sharing personal information or transferring funds remains one of the most effective defenses against these evolving scams.
