More than 200,000 websites are using investment scam templates built with the Chinese open source framework Uni-App, Infoblox reports.
A cross-platform development toolkit, Uni-App allows developers to create Vue.js codebases that can be deployed as mobile and desktop applications, or as mobile-optimized websites simultaneously.
Widely used in China and supported by a developer ecosystem, the framework powers thousands of legitimate products, and its maker DCloud does not appear to be involved in its fraudulent use.
However, Infoblox discovered that threat actors are selling investment scam templates, and that numerous scam websites using such templates appear linked to the same cluster of activity.
“Beyond the technical connections, we also uncovered patterns in the growth of the DCloud investment sites, along with coordinated dips in new domain registrations seen across scam websites on diverse hosts, an indication of a centralized owner facing disruption or making coordinated changes across all their DCloud investment scam sites,” the cybersecurity firm notes.
Infoblox identified over 236,000 second-level domains powering the scam infrastructure, ranging from fake crypto exchanges to fake gambling, brand impersonation, WhatsApp phishing, and multi-language pig-butchering websites.
Among them is the infamous RainbowEx platform, a fake cryptocurrency platform that made international headlines after thousands of residents of a small Argentine town were duped into pouring money into it.
Hosted across numerous providers, the scam second-level domains have been launched since mid-2022, with an increase observed since late 2024, after the RainbowEx scandal.
“After October 2024, that figure jumped to roughly 15,000 newly observed sites per month at peak. The framework appears to have become a known platform within the scam-operator ecosystem due to the coverage it received by major news outlets,” Infoblox notes.
The largest portion of DCloud-fingerprinted sites consists of investment scam domains, run by multiple unrelated operators, “possibly dozens, even hundreds,” the cybersecurity firm says.
In addition to fake cryptocurrency exchanges and ‘deposit-and-trade’ platforms, they also include crypto wallet drainers, prediction-market and gambling impersonators, messaging platform phishing, and other phishing and credential-harvesting sites.
Lightning Shared Scooter Co. (LSSC), an operation that likely caused millions of dollars in losses in the US, was also using Uni-App. It promised investors sharp increases in passive revenue through funding a high-tech scooter-sharing company, and increased its sense of legitimacy through physical storefronts.
A similar scooter-investment operation, Yuechi Sharing Technology Ltd. (YST), currently active in Australia, New Zealand, and the United States, also has a frontend built using the Uni-App framework. YST, Infoblox says, has legitimate registration paperwork but is connected to a network of other investment-scam websites.
“For the last two years, there’s been a dramatic scaling up of scam websites using the DCloud framework, and operators of these sites continue to launch complex real-world schemes to trick victims. It’s overdue to holistically track threat actors operating in this ecosystem and attempt to identify commonalities that indicate shared ownership of the sites,” Infoblox notes.
Related: In Other News: Palo Alto Recruiter Scam, Anti-Deepfake Chip, Google Sets 2029 Quantum Deadline
Related: Google, Meta, Microsoft Among Signatories of Pact to Combat Scams
Related: Meta Launches New Protection Tools as It Helps Disrupt Scam Centers
Related: Researchers Expose Network of 150 Cloned Law Firm Websites in AI-Powered Scam Campaign
