A new Infoblox Threat Intel report reveals that the legitimate DCloud Uni-App framework has become a foundation for a global online scam ecosystem.
Researchers identified more than 236,000 scam domains built with DCloud Uni-App, including fake crypto exchanges, phishing sites, gambling platforms, and investment scams.
Key Takeaways
- Researchers linked more than 236,000 scam domains to the legitimate DCloud Uni-App framework, demonstrating how threat actors are scaling online fraud.
- The infrastructure supports fake cryptocurrency exchanges, phishing campaigns, gambling platforms, investment scams, and other fraudulent websites.
- Infoblox observed nearly 1,000 enterprise organizations generating more than five million DNS lookups to DCloud-based scam infrastructure, highlighting enterprise exposure through employee activity.
- Threat actors are using increasingly sophisticated tactics, including legitimate government registrations and bulletproof hosting services, to make scams appear more credible and resist disruption.
DCloud Powers a Large-Scale Scam Ecosystem
The researchers found the infrastructure has expanded rapidly since mid-2022, reaching a peak of approximately 15,000 new scam sites each month following publicity surrounding the RainbowEx cryptocurrency fraud.
Rather than representing a single criminal operation, the researchers found evidence that multiple threat actors use similar DCloud-based templates to launch various fraudulent services.
These include:
- Fake cryptocurrency exchanges
- Cryptocurrency wallet-draining websites
- Gambling and prediction market scams
- WhatsApp credential phishing pages
- Generic investment and pyramid schemes
The framework allows operators to quickly deploy convincing websites while reusing common code, registration workflows, and user interfaces across numerous campaigns.
Investment Scams Continue Expanding
The report traces the same technical template used in Argentina’s widely publicized RainbowEx cryptocurrency scam to operations actively targeting U.S. victims.
Researchers highlighted an ongoing bicycle-sharing investment scam that presents itself as a legitimate business while displaying a real U.S. Financial Crimes Enforcement Network (FinCEN) Money Services Business registration.
Although the registration is authentic, Infoblox notes that FinCEN explicitly warns consumers that registration alone should not be interpreted as government approval or proof of legitimacy.
The report also connects DCloud infrastructure to the previous Lightning Shared Scooter Co. (LSSC) investment scheme, which reportedly caused millions of dollars in losses across numerous U.S. states after convincing victims to invest in fictional scooter-sharing operations.
Enterprise Networks Are Seeing Significant Exposure
Although these scams primarily target consumers rather than businesses, the research demonstrates measurable enterprise exposure.
Infoblox observed approximately 985 enterprise organizations across 25 industries with devices attempting to access DCloud-based scam infrastructure.
Collectively, those organizations generated more than five million DNS lookups to identified scam domains.
Rather than indicating direct attacks against corporate networks, researchers believe this activity reflects employees accessing scam websites from corporate devices or while connected to enterprise networks.
How to Reduce Risk
Infoblox recommends organizations reduce risk by combining DNS-layer protection with broader employee awareness training.
DNS-layer security can block known scam domains before users reach them, while expanded awareness training should cover consumer investment scams, fake cryptocurrency platforms, and social engineering tactics.
Organizations should also educate users that government registrations, including FinCEN listings, do not validate an investment opportunity’s legitimacy and monitor DNS activity for connections to known scam infrastructure.
The researchers add that more sophisticated operators increasingly rely on bulletproof hosting services that resist takedown efforts, which leaves blocking at the organization's own resolver as the control it can apply without waiting for a hosting provider to act.
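Monitoring DNS activity for lookups of known scam domains and blocking them at the resolver, as the recommendations above describe, can be prototyped with a short script. The example below is added here and is not code from Infoblox or the report; the log format, client addresses and the domains in the blocklist are constructed placeholders, not real indicators. It matches query names against the blocklist on label boundaries (so a lookalike such as notfakeexchange.example does not produce a false hit), tallies lookups per client, and renders a BIND-style Response Policy Zone in which `CNAME .` answers NXDOMAIN for each domain and its subdomains.

```python
"""Added example: match DNS query logs against a scam-domain blocklist and
emit an RPZ zone that blocks those domains at a BIND-compatible resolver.
All domains, addresses and log lines below are constructed placeholders."""
from collections import Counter, defaultdict
import re

# Constructed blocklist (placeholder names, not real scam infrastructure).
SCAM_DOMAINS = {
    "fakeexchange.example",
    "bike-invest.example",
    "wa-login.example",
}

# Constructed resolver query log: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2024-06-01T09:12:01Z 10.20.1.15 app.fakeexchange.example. A
2024-06-01T09:12:02Z 10.20.1.15 cdn.fakeexchange.example. AAAA
2024-06-01T09:12:05Z 10.20.3.7 www.example.org. A
2024-06-01T09:13:10Z 10.20.3.7 bike-invest.example. A
2024-06-01T09:14:22Z 10.20.5.9 notfakeexchange.example. A
2024-06-01T09:15:00Z 10.20.5.9 wa-login.example.com. A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name):
    """Strip the trailing root dot and lower-case the name."""
    return name.rstrip(".").lower()


def matched_domain(qname, blocklist):
    """Return the blocklisted domain that qname equals or is a subdomain of.
    Matching is done on whole labels, so 'notfakeexchange.example' does not
    match 'fakeexchange.example' and 'wa-login.example.com' does not match
    'wa-login.example'. Returns None when nothing matches."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, qtype = m.groups()
        yield ts, client, normalize(qname), qtype


def find_hits(text, blocklist=SCAM_DOMAINS):
    """Return {blocked_domain: Counter(client_ip -> number of lookups)}."""
    hits = defaultdict(Counter)
    for _ts, client, qname, _qtype in parse_log(text):
        hit = matched_domain(qname, blocklist)
        if hit:
            hits[hit][client] += 1
    return hits


def total_lookups(hits):
    """Sum of all lookups that matched the blocklist."""
    return sum(sum(c.values()) for c in hits.values())


def rpz_zone(blocklist, origin="scam.rpz.local."):
    """Render a BIND-style RPZ zone. 'CNAME .' makes the resolver answer
    NXDOMAIN for the domain; the wildcard entry covers its subdomains."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. (1 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for d in sorted(blocklist):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for domain, clients in hits.items():
        print(domain, dict(clients))
    print("total matched lookups:", total_lookups(hits))
    print(rpz_zone(SCAM_DOMAINS))
```

On the constructed log this reports two lookups of fakeexchange.example from one client and one of bike-invest.example from another, and ignores the two lookalike names. In practice the blocklist would be fed from a threat-intelligence source rather than hard-coded, and the zone would be loaded with a `response-policy` statement in the resolver configuration; the per-client counts are what turn a raw lookup total into a list of devices worth following up with the awareness training the report recommends.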
Bottom Line
The Infoblox research demonstrates how legitimate development frameworks can be repurposed at scale by cybercriminals to rapidly launch convincing fraud campaigns.
As scam campaigns become more sophisticated, zero trust controls that continuously verify users and devices before granting access to critical resources complement these measures, but they do not stop an employee from being defrauded; resolver-level blocking of known scam domains and awareness training remain the direct controls against the activity the report describes.