Infoblox Identifies More Than 236,000 DCloud Uni App Websites Used In Crypto Scams And Phishing Campaigns
Infoblox has uncovered a large-scale cybercriminal operation involving more than 236,000 websites built from templates based on DCloud Uni App, a legitimate Chinese open-source cross-platform application development framework. According to the company's latest threat intelligence report, cybercriminals have increasingly adopted the framework to create fraudulent cryptocurrency exchanges, multilingual investment scams, pig-butchering operations, WhatsApp phishing pages, fake gambling platforms, crypto wallet drainers, and websites that impersonate well-known brands. Infoblox identified a total of 236,493 distinct second-level domains linked to these activities and stated that the number of fraudulent websites built with the framework has grown significantly over the past two years. While DCloud Uni App itself is a legitimate development platform and its use does not by itself indicate malicious intent, researchers found that attackers have repeatedly used its capabilities to rapidly deploy convincing scam websites aimed at stealing money, credentials, and cryptocurrency assets from victims across multiple regions and languages.

According to Infoblox, evidence suggests that unknown threat actors are selling ready-made DCloud investment scam templates to cybercriminals, although technical indicators also point to centralized ownership of a significant portion of the fraudulent infrastructure. Researchers based this assessment on noticeable declines in new domain registrations across multiple hosting providers at the same time, indicating that a central operator may have experienced disruption or made coordinated changes affecting numerous scam websites simultaneously. Additional technical similarities, the communication methods used to interact with victims, and shared hosting choices further support this theory. Among the domains identified was RainbowEx, a fraudulent cryptocurrency exchange that gained international attention in late 2024 after operating a Ponzi scheme affecting tens of thousands of residents of San Pedro, Argentina. Later that year, seven individuals connected to the operation were arrested by law enforcement authorities. Infoblox also noted that the fraudulent domains span every continent, target speakers of at least eight different languages, and imitate organizations ranging from major cryptocurrency exchanges and stock trading platforms to retail brands and messaging services. Researchers traced these activities back to mid-2022 and identified two related groups of DCloud-based websites. One group includes both legitimate Chinese businesses and malicious operations that have used the framework since 2021, while the second consists of investment scam websites that have been active since mid-2022. The report added that more advanced operators have removed the default DCloud framework signatures from their websites to avoid detection, making the overall number of scam sites even larger than fingerprint-based analysis initially suggested.

Infoblox found that the investment scam ecosystem includes multiple unrelated operators running different types of fraudulent campaigns on the same framework. These include fake cryptocurrency exchanges that encourage victims to deposit digital assets while displaying fabricated trading activity until a withdrawal is requested, cryptocurrency wallet drainers that imitate verification processes for platforms such as BNB Chain and Tether, fraudulent prediction markets modeled after legitimate services, fake online casinos and lottery platforms, WhatsApp phishing websites disguised as official security support centers, and generic credential-harvesting portals designed to collect usernames and passwords. Researchers also highlighted two publicly known operations in the United States that followed similar tactics. One involved the LSSC scooter-sharing investment scam, which grew into a major federal and state fraud investigation, while another currently promotes a bicycle-sharing investment scheme operating under a United Kingdom-registered corporate identity backed by a legitimate United States federal money services license. One of the Uni App-based investment platforms operates under the Yuechi Sharing Technology Ltd brand and primarily targets victims in Australia, New Zealand, and the United States. Its registration process requires users to enter a phone number, an SMS verification code, and an invitation code supplied by an existing affiliate, a recruitment model that researchers said is commonly used in pyramid-style investment scams to push victims to recruit additional participants.

The report also examined the infrastructure supporting these operations and found that most DCloud-based investment scam domains are hosted on legitimate cloud providers, including Cloudflare, Alibaba Cloud, Tencent Cloud, and Amazon Web Services. At the same time, approximately six percent of the visible scam domains rely on bulletproof hosting providers such as CTG Server Limited, which has previously been associated with malicious cyber activity. Infoblox observed that operators who deliberately removed DCloud framework fingerprints were nearly twice as likely to use bulletproof hosting as those deploying default templates without modification. According to the researchers, this pattern indicates that more sophisticated cybercriminals not only take extra steps to evade detection but also choose infrastructure providers that are less responsive to takedown requests. Conversely, operators using unmodified templates generally rely on mainstream hosting providers, making their fraudulent websites easier for security researchers to identify and remove. The findings demonstrate how legitimate software development frameworks can be repurposed to support complex cybercrime operations, and they underline the need for continued threat intelligence efforts to detect evolving phishing campaigns, cryptocurrency fraud, and large-scale online scams.
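The two analytic steps the report describes, fingerprinting a page for default framework markers and then correlating the result with the hosting provider, can be reproduced in miniature. The script below is an added example written for this article, not Infoblox's tooling and not code from the DCloud project. The marker strings are an assumption: they are artifacts I believe unmodified uni-app H5 builds leave in a page, not fingerprints published in the report, so they should be validated against real samples before use. The domains, HTML snippets and provider labels are constructed; the `.invalid` suffix marks them as non-resolving.

```python
"""Toy triage of DCloud uni-app fingerprints versus hosting provider.

Added example on constructed data; the marker list is an assumption,
not the fingerprint set used by Infoblox.
"""
import re
from collections import defaultdict

# ASSUMPTION: markers I believe unmodified uni-app H5 builds leave in a page.
# Validate against your own samples before relying on them for detection.
MARKERS = {
    "uniConfig": re.compile(r"__uniConfig\s*="),        # global config object
    "uniRoutes": re.compile(r"__uniRoutes\s*="),        # global route table
    "statusBarVar": re.compile(r"--status-bar-height"), # CSS custom property
}

# The report names CTG Server Limited as a bulletproof provider.
BULLETPROOF = {"CTG Server Limited"}


def fingerprint(html: str) -> list[str]:
    """Return the names of all assumed markers found in the page."""
    return [name for name, rx in MARKERS.items() if rx.search(html)]


def classify(html: str) -> str:
    """Bucket a page by how much of the default template survives.

    Absence of markers is not proof of innocence: the report notes that
    sophisticated operators strip the default signatures.
    """
    hits = fingerprint(html)
    if len(hits) >= 2:
        return "default-template"
    if hits:
        return "partial"
    return "no-fingerprint"


def bulletproof_share(samples: dict[str, tuple[str, str]]) -> dict[str, float]:
    """For each fingerprint class, the fraction of domains on bulletproof hosting."""
    totals: dict[str, int] = defaultdict(int)
    on_bp: dict[str, int] = defaultdict(int)
    for _domain, (html, provider) in samples.items():
        cls = classify(html)
        totals[cls] += 1
        if provider in BULLETPROOF:
            on_bp[cls] += 1
    return {cls: on_bp[cls] / totals[cls] for cls in totals}


# Constructed samples: domain -> (page HTML, hosting provider).
SAMPLES = {
    "exchange-default.invalid": (
        "<html><head><style>:root{--status-bar-height:0px}</style>"
        "<script>var __uniConfig={};var __uniRoutes=[];</script></head></html>",
        "Cloudflare",
    ),
    "exchange-stripped.invalid": (
        "<html><head><script>var cfg={};var routes=[];</script></head></html>",
        "CTG Server Limited",
    ),
    "casino-partial.invalid": (
        "<html><head><script>var __uniConfig={};</script></head></html>",
        "Alibaba Cloud",
    ),
    "plain-shop.invalid": (
        "<html><head><title>shop</title></head><body>hello</body></html>",
        "Amazon Web Services",
    ),
}


if __name__ == "__main__":
    for domain, (html, provider) in SAMPLES.items():
        print(f"{domain:28} {classify(html):17} {provider}")
    print(bulletproof_share(SAMPLES))
```

Used as a triage step, the interesting population is the `no-fingerprint` bucket on a bulletproof provider: the page says nothing on its own, and hosting choice is the signal the report leans on to separate stripped templates from ordinary sites.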
