DCloud Uni‑App Sites Used in Crypto Scams

A hooded figure attempts to access a phishing crypto investment platform on dual monitors.

Overview

Threat intelligence firm Infoblox has uncovered a massive infrastructure of 236,493 scam websites built using the DCloud Uni‑App framework, a legitimate Chinese cross‑platform development tool. These sites power investment scams, phishing campaigns, fake exchanges, gambling platforms, and crypto wallet drainers, highlighting how open‑source frameworks can be weaponized at scale.

Scale and Infrastructure

| Metric | Detail |
|---|---|
| Framework | DCloud Uni‑App |
| Domains Identified | 236,493 second‑level domains |
| Active Since | Mid‑2022 |
| Target Languages | At least 8 |
| Hosting Providers | Cloudflare, Alibaba Cloud, Tencent Cloud, AWS; ~6% on bulletproof hosting |

Operators are selling investment scam templates, enabling rapid deployment of fraudulent sites. Evidence suggests centralized ownership of large subsets, with coordinated changes and technical fingerprints pointing to organized groups.

Scam Typologies

The DCloud‑powered ecosystem supports diverse fraud schemes:

  • Fake Crypto Exchanges → Impersonate legitimate platforms, show fictitious trading activity, block withdrawals.
  • Wallet Drainers → Masquerade as BNB Chain or Tether verification flows to steal assets.
  • Gambling & Prediction Market Scams → Rigged casinos, lotteries, and Polymarket‑style prediction sites.
  • WhatsApp Phishing → Credential theft via lookalike domains (e.g., faq-whatsapp-center[.]com).
  • Brand Impersonation → Fake storefronts mimicking exchanges, retailers, and messaging platforms.
  • Affiliate Pyramid Schemes → Victims recruited via invitation codes, then converted into recruiters.

Case Studies

  • RainbowEx Ponzi Scheme (2024): A DCloud‑based fake exchange that defrauded tens of thousands in Argentina before law enforcement arrests.
  • LSSC Scooter Sharing Scam (2025): A Uni‑App‑powered investment fraud investigated at federal and state levels in the U.S.
  • Yuechi Sharing Technology Ltd.: Bicycle/scooter investment scam targeting Australia, New Zealand, and the U.S., requiring invitation codes to join.

These examples illustrate how legitimate branding and recruitment mechanics are weaponized to sustain pyramid‑style fraud.

Defensive Recommendations

For users and organizations:

  • Avoid investment offers via unsolicited links.
  • Verify domains against official exchange registries.
  • Enable DNS threat intelligence to block known scam infrastructure.
  • Educate users on pyramid recruitment tactics and fake verification flows.
  • Monitor for DCloud fingerprints in enterprise environments.

Expert in the Cloud Insight

The weaponization of DCloud Uni‑App demonstrates how open‑source frameworks can be repurposed for industrial‑scale fraud. By stripping framework fingerprints and leveraging bulletproof hosting, sophisticated operators evade takedowns while expanding globally.

For defenders, the lesson is clear: framework fingerprints are not enough. Security teams must combine DNS intelligence, behavioral monitoring, and user education to counter the next generation of template‑driven scam ecosystems.
