236,000 DCloud Uni-App Sites Linked to Global Crypto Scams, Phishing, and Wallet Drainers, Researchers Warn

Cybersecurity investigation uncovers massive scam infrastructure abusing a legitimate Chinese app framework to power fake crypto exchanges, phishing portals, and investment fraud across hundreds of thousands of domains.

A major cybersecurity investigation has uncovered one of the largest scam infrastructures documented in recent years, revealing that more than 236,000 websites built using the legitimate DCloud Uni-App development framework have been weaponized for cryptocurrency scams, phishing campaigns, fake investment platforms, and crypto wallet-draining attacks. The findings come from threat intelligence researchers who tracked 236,493 distinct second-level domains associated with the activity.

The research emphasizes that DCloud Uni-App itself is not malicious. Developed by Beijing-based DCloud, Uni-App is a legitimate open-source cross-platform framework that enables developers to build mobile applications and websites from a single codebase, similar to other modern development frameworks. Cybercriminals, however, have exploited its reusable templates to rapidly deploy fraudulent websites at industrial scale.

Investigators say the infrastructure supports a wide variety of online fraud operations. These include fake cryptocurrency exchanges, “deposit-and-trade” investment platforms, multilingual pig-butchering scams, WhatsApp phishing portals, credential-harvesting websites, fake gambling platforms, brand impersonation pages, and sophisticated crypto wallet drainers targeting unsuspecting users worldwide.

The investigation traces the growing abuse of the framework back to mid-2022, with a dramatic acceleration after the widely publicized RainbowEx cryptocurrency fraud scandal in Argentina during 2024. That case exposed thousands of victims who believed they were investing through a legitimate crypto platform, only to discover that trading activity had been fabricated and withdrawals permanently blocked. Researchers later found the platform had been built using Uni-App templates, exposing a much broader criminal ecosystem.

According to researchers, newly observed scam domains built with the framework surged sharply after late 2024, reaching peaks of approximately 15,000 new fraudulent websites per month. Analysts believe publicity surrounding RainbowEx inadvertently increased awareness of the framework within cybercriminal communities, accelerating its adoption by multiple fraud groups rather than by a single centralized organization.

Beyond cryptocurrency investment scams, researchers identified phishing campaigns impersonating trusted services such as WhatsApp, financial institutions, cryptocurrency verification portals, and stock exchanges. Many of these sites mimic legitimate login pages before prompting victims to connect digital wallets or submit credentials, allowing attackers to steal authentication details or drain cryptocurrency holdings.

The report also links the framework to real-world investment schemes beyond traditional crypto fraud. Examples include fraudulent investment operations that promoted scooter-sharing businesses in the United States, Australia, and New Zealand while directing victims to professionally designed Uni-App-powered portals that projected an appearance of legitimacy.

Cybersecurity experts caution that the threat extends beyond individual consumers. Enterprise environments are increasingly exposed as employees encounter malicious links distributed through messaging platforms, social media, and online advertisements. Researchers observed millions of attempted connections to this infrastructure originating from organizations across numerous industries, highlighting how consumer-focused scams are increasingly intersecting with corporate cybersecurity risks.

Security professionals recommend that organizations strengthen domain filtering, monitor newly registered domains, educate users about fake investment opportunities, verify cryptocurrency platforms independently, and avoid connecting digital wallets to unfamiliar websites. Users are also advised to treat unsolicited investment offers and guaranteed high-return schemes with extreme caution, as attackers continue refining professionally designed scam portals that closely resemble legitimate financial services.

The discovery illustrates a broader trend in cybercrime: attackers increasingly rely on legitimate development tools to mass-produce convincing fraudulent platforms rather than building custom infrastructure from scratch. As cybersecurity firms continue mapping this expanding ecosystem, researchers believe coordinated international efforts will be necessary to identify shared infrastructure, disrupt malicious hosting networks, and reduce the growing global impact of large-scale online investment fraud.