Chinese Framework Powers 200,000 Scam Sites
Chinese Uni-App framework used to power over 200,000 scam websites.
Summary
Threat actors are leveraging China's open-source Uni-App framework to build and sell investment scam templates, leading to over 200,000 scam websites. These sites range from fake crypto exchanges to phishing and brand impersonation, with some linked to notorious operations like RainbowEx. Infoblox observed a significant increase in new scam sites using the framework since late 2024, indicating its growing popularity within the scam operator ecosystem.
Full text
More than 200,000 websites are using investment scam templates built with the Chinese open source framework Uni-App, Infoblox reports.

A cross-platform development toolkit, Uni-App allows developers to create Vue.js codebases that can be deployed as mobile and desktop applications, or as mobile-optimized websites simultaneously. Widely used in China and supported by a developer ecosystem, the framework powers thousands of legitimate products, and its maker DCloud does not appear to be involved in its fraudulent use.

However, Infoblox discovered that threat actors are selling investment scam templates, and that numerous scam websites using such templates appear linked to the same cluster of activity.

“Beyond the technical connections, we also uncovered patterns in the growth of the DCloud investment sites, along with coordinated dips in new domain registrations seen across scam websites on diverse hosts, an indication of a centralized owner facing disruption or making coordinated changes across all their DCloud investment scam sites,” the cybersecurity firm notes.

Infoblox identified over 236,000 second-level domains powering the scam infrastructure, ranging from fake crypto exchanges to fake gambling, brand impersonation, WhatsApp phishing, and multi-language pig-butchering websites.

Among them is the infamous RainbowEx platform, a fake cryptocurrency platform that made international headlines after thousands of residents of a small Argentine town were duped into pouring money into it.

Hosted across numerous providers, the scam second-level domains have been launched since mid-2022, with an increase observed since late 2024, after the RainbowEx scandal.

“After October 2024, that figure jumped to roughly 15,000 newly observed sites per month at peak. The framework appears to have become a known platform within the scam-operator ecosystem due to the coverage it received by major news outlets,” Infoblox notes.
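The report's reasoning about "coordinated dips" deserves a concrete illustration: a drop in new-domain registrations that is confined to one hosting provider usually reflects a takedown at that provider, whereas a drop that hits every provider at once points at a single operator behind all of them. The Python below is an added example written for this page, not Infoblox's code or anything from the report. The provider names, domain names and monthly tallies are constructed, and the 50% drop threshold is an arbitrary assumption.

```python
"""Added example: flagging coordinated dips in newly observed scam domains
across hosting providers. All data below is constructed for illustration."""
from collections import defaultdict
from datetime import date

# Constructed monthly tallies of newly observed second-level domains per
# hosting provider. Provider names are placeholders, not real infrastructure.
# 2024-10 dips at host-a and host-b only; 2025-01 dips at every provider.
CONSTRUCTED_TALLIES = {
    "host-a": {"2024-08": 40, "2024-09": 42, "2024-10": 10,
               "2024-11": 38, "2024-12": 45, "2025-01": 12},
    "host-b": {"2024-08": 30, "2024-09": 33, "2024-10": 8,
               "2024-11": 31, "2024-12": 36, "2025-01": 10},
    "host-c": {"2024-08": 20, "2024-09": 21, "2024-10": 25,
               "2024-11": 22, "2024-12": 24, "2025-01": 6},
}


def constructed_observations(tallies=CONSTRUCTED_TALLIES):
    """Expand the tallies into (first_seen, sld, host) records, the shape a
    passive-DNS or certificate-transparency feed would give an analyst.
    Domain names use the reserved .invalid TLD so they resolve to nothing."""
    records = []
    for host, per_month in tallies.items():
        for ym, n in per_month.items():
            first_seen = date.fromisoformat(f"{ym}-01")
            for i in range(n):
                records.append((first_seen, f"placeholder-{ym}-{i}.invalid", host))
    return records


def monthly_counts(observations):
    """Return {host: {"YYYY-MM": count}} of newly observed domains."""
    counts = defaultdict(lambda: defaultdict(int))
    for first_seen, _sld, host in observations:
        counts[host][first_seen.strftime("%Y-%m")] += 1
    return counts


def dips_by_host(counts, min_drop=0.5):
    """Map each month to the sorted list of hosts whose new-domain count fell
    by at least min_drop (fraction) relative to the previous month. Months
    with no dipping host are omitted. min_drop=0.5 is an assumed threshold."""
    months = sorted({m for per_host in counts.values() for m in per_host})
    dips = {}
    for prev, cur in zip(months, months[1:]):
        dipped = []
        for host, per_month in counts.items():
            before, after = per_month.get(prev, 0), per_month.get(cur, 0)
            if before and (before - after) / before >= min_drop:
                dipped.append(host)
        if dipped:
            dips[cur] = sorted(dipped)
    return dips


def coordinated_dips(counts, min_drop=0.5):
    """Months in which every tracked host dipped simultaneously. A dip at one
    provider is consistent with that provider acting; a dip everywhere at
    once is the signal the report reads as evidence of a centralized owner."""
    all_hosts = set(counts)
    return [m for m, hosts in sorted(dips_by_host(counts, min_drop).items())
            if set(hosts) == all_hosts]


if __name__ == "__main__":
    counts = monthly_counts(constructed_observations())
    print("per-host dips:", dips_by_host(counts))
    print("coordinated dips:", coordinated_dips(counts))
```

On real data the interesting step is the grouping key: the report groups by a DCloud/Uni-App fingerprint before counting, so that dips are measured within one template family rather than across all newly registered domains, where a single operator's changes would be lost in the noise.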
The largest portion of DCloud-fingerprinted sites consists of investment scam domains, run by multiple unrelated operators, “possibly dozens, even hundreds,” the cybersecurity firm says. In addition to fake cryptocurrency exchanges and ‘deposit-and-trade’ platforms, they also include crypto wallet drainers, prediction-market and gambling impersonators, messaging platform phishing, and other phishing and credential-harvesting sites.

Lightning Shared Scooter Co. (LSSC), an operation that likely caused millions of dollars in losses in the US, was also using Uni-App. It promised investors sharp increases in passive revenue through funding a high-tech scooter-sharing company, and increased its sense of legitimacy through physical storefronts.

A similar scooter-investment operation, Yuechi Sharing Technology Ltd. (YST), currently active in Australia, New Zealand, and the United States, also has a frontend built using the Uni-App framework. YST, Infoblox says, has legitimate registration paperwork but is connected to a network of other investment-scam websites.

“For the last two years, there’s been a dramatic scaling up of scam websites using the DCloud framework, and operators of these sites continue to launch complex real-world schemes to trick victims. It’s overdue to holistically track threat actors operating in this ecosystem and attempt to identify commonalities that indicate shared ownership of the sites,” Infoblox notes.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.