DCloud Uni-App Framework Fuels Global Investment Scam Epidemic Across 236,000+ Websites
A new report from **Infoblox** reveals that over 236,000 websites are leveraging a legitimate Chinese open-source framework, **DCloud Uni-App**, to power a vast network of investment scams. These fraudulent operations range from fake cryptocurrency exchanges and pig-butchering schemes to WhatsApp phishing and crypto wallet drainers, impacting victims globally.
Threat intelligence firm **Infoblox** has uncovered a widespread network of over 236,000 scam websites built using **DCloud Uni-App**, a legitimate Chinese open-source, cross-platform application development framework.
These sites are designed to facilitate various illicit activities, including bogus cryptocurrency exchanges, multi-language pig-butchering operations, **WhatsApp** phishing networks, fake gambling platforms, brand-impersonation sites, and crypto wallet drainers.

### The Scale of the Operation
**Infoblox**'s DNS threat intelligence identified 236,493 distinct second-level domains implicated in this scam economy. The company noted a significant escalation in the use of the **DCloud** framework for these fraudulent websites over the past two years, with operators continually launching complex schemes to deceive victims.
While the exact orchestrators remain unknown, there are indications of centralized ownership across a substantial portion of these **DCloud**-built scam sites. This assessment is based on coordinated drops in new domain registrations across diverse hosts, together with shared technical fingerprints, communication methods, and hosting decisions.
### Notorious Scams and Common Traits
Among the identified domains is the infamous **RainbowEx** platform, a fraudulent cryptocurrency exchange that gained notoriety in late 2024 for operating a **Ponzi** scheme affecting tens of thousands in San Pedro, Argentina. Law enforcement later arrested seven individuals connected to the operation.
While the **DCloud Uni-App** framework itself is not inherently malicious, the scam sites share common characteristics: fake brokerage interfaces, cryptocurrency wallet-drainer prompts, gambling interfaces with rigged outcomes, brand-impersonation storefronts, and the use of bulletproof hosting (BPH).
These rogue domains span every continent, target speakers of at least eight languages, and impersonate brands ranging from major stock exchanges to retail giants and messaging platforms. The fraudulent activities have been ongoing since mid-2022.
### Two Tiers of Scammers Emerge
**Infoblox**'s analysis revealed two distinct populations of **DCloud**-fingerprinted sites:
* **Vanilla Tier**: Sites exhibiting the basic signatures of the **DCloud Uni-App** framework, dating back to 2021, encompassing both legitimate Chinese businesses and malicious operations.
* **Evasive Tier**: An investment scam-specific subset active since mid-2022, where more sophisticated operators have stripped default **DCloud** scaffolding to evade fingerprint-based identification.
Counterintuitively, the investment scam population is larger than the basic **DCloud** framework fingerprint alone reveals, highlighting the efforts of advanced operators to obscure their tracks.

### Diverse Fraudulent Schemes
The second, evasive-tier set of **DCloud** scam websites, run by multiple unrelated operators, includes a wide array of fraudulent schemes:
* **Fake Cryptocurrency Exchanges**: Impersonating well-known exchanges, these platforms trick users into making investments, displaying fictitious trading activity until victims attempt withdrawals.
* **Cryptocurrency Wallet Drainers**: Enticing users to connect their wallets by masquerading as **BNB Chain** or **Tether** verification flows.
* **Prediction Market and Gambling Impersonations**: Imitating **Polymarket**-style prediction markets or fake casinos and lottery platforms.
* **WhatsApp and Messaging Platform Phishing**: Aiming to extract credentials by impersonating **WhatsApp**'s Security Help Center through lookalike domains (e.g., "whats-zwp[.]vip" or "faq-whatsapp-center[.]com").
* **Generic Template Phishing**: Simple login and registration pages designed for credential harvesting.
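As an added defender-side example (not code from the Infoblox report or from DCloud), the Python triage script below refangs indicators written in the report's `[.]` style and flags brand-lookalike hosts, using a constructed WhatsApp allowlist and keyword list; the keyword `whats` is an assumption added to catch truncated lookalikes such as the first domain quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed allowlist of registrable domains the brand actually owns (assumption,
# not from the report): any host rolling up to one of these is treated as legitimate.
LEGIT = {"whatsapp": {"whatsapp.com", "whatsapp.net"}}
# Constructed keyword list: full brand name plus the truncated form seen in the
# report's lookalikes ("whats-zwp[.]vip"). Short tokens add noise; tune per brand.
KEYWORDS = {"whatsapp": ("whatsapp", "whats")}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('x[.]com', 'hxxps://...') back into a bare host."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://|^https?://", "", host)
    for defanged in ("[.]", "(.)", "{.}"):
        host = host.replace(defanged, ".")
    return host.split("/", 1)[0].rstrip(".")


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: no multi-label public suffixes;
    use a Public Suffix List library for .co.uk-style names in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(indicator: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand): 'legit' if the host rolls up to a brand-owned domain,
    'lookalike' if a brand keyword appears anywhere left of the TLD (hyphens and
    dots ignored, so 'faq-whatsapp-center' still matches), else 'unrelated'."""
    host = refang(indicator)
    reg = registrable(host)
    name_part = re.sub(r"[-.]", "", host.rsplit(".", 1)[0])  # drop TLD and separators
    for brand, words in KEYWORDS.items():
        if reg in LEGIT[brand]:
            return "legit", brand
        if any(w in name_part for w in words):
            return "lookalike", brand
    return "unrelated", None


def triage(indicators: List[str]) -> Dict[str, List[str]]:
    """Bucket a batch of (possibly defanged) indicators by verdict."""
    buckets: Dict[str, List[str]] = {"legit": [], "lookalike": [], "unrelated": []}
    for ind in indicators:
        buckets[classify(ind)[0]].append(refang(ind))
    return buckets


# Constructed sample: the two lookalikes quoted in the article plus benign hosts.
SAMPLE = ["whats-zwp[.]vip", "faq-whatsapp-center[.]com", "faq.whatsapp.com",
          "hxxps://whatsapp.login-help[.]net/verify", "example.com"]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE).items():
        print(f"{verdict:10s} {hosts}")
```

Run it over DNS query logs or passive-DNS exports to surface brand-impersonation candidates for manual review; the keyword match is deliberately broad and is a triage signal, not a block decision.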
### Real-World Impact and Hosting Trends
In the United States, similar playbooks have manifested in publicly known operations, such as the **LSSC scooter-sharing investment scam** and an ongoing bicycle-sharing investment-themed scam. These schemes often use an "invitation code" gate, requiring new victims to be recruited by existing affiliates, aligning with pyramid scheme models.
**Infoblox**'s analysis also revealed that the majority of **DCloud**-built investment scam domains are hosted on legitimate providers like **Cloudflare**, **Alibaba Cloud**, **Tencent Cloud**, and **Amazon Web Services**. However, approximately 6% of visible domains leverage BPH providers such as **CTG Server Limited (AS152194)**, known for resisting takedown requests.
Operators in the evasive tier, who go to lengths to obscure framework signatures, are roughly twice as likely to use bulletproof hosting. This suggests a correlation between technical sophistication in evading detection and the choice of hosting providers that resist law enforcement efforts. Conversely, less sophisticated operators, who deploy templates as-is, are more likely to use mainstream hosting, making them easier to identify and remove.