    236,000 DCloud Uni-App Sites Used in Crypto Scams, Phishing, and Wallet Drainers

    By admin, June 29, 2026

    New findings unearthed by Infoblox show that more than 236,000 websites are using investment scam templates built using a legitimate Chinese open-source, cross-platform application development framework called DCloud Uni-App.

    The templates power bogus cryptocurrency exchanges, multi-language pig-butchering operations, WhatsApp phishing networks, fake gambling platforms, brand-impersonation sites, and crypto wallet drainers. A total of 236,493 distinct second-level domains have been identified by the DNS threat intelligence company.

    “For the last two years, there’s been a dramatic scaling up of scam websites using the DCloud framework, and operators of these sites continue to launch complex real-world schemes to trick victims,” Infoblox said in an exhaustive report published last week.

    It’s being assessed that unknown threat actors are selling DCloud investment scam templates, although there are indications of centralized ownership across a significant chunk of the DCloud-built investment scam websites.

    This is based on drops in new domain registrations observed across scam websites on diverse hosts, raising the possibility that a centralized party is either facing disruption or making coordinated changes to their DCloud investment scam sites. Other signs include specific technical fingerprints, communication methods to victims, and hosting decisions.

    Among the identified domains is the infamous RainbowEx platform, a bogus cryptocurrency exchange that made headlines in late 2024 for operating a Ponzi scheme that impacted tens of thousands of people living in San Pedro, Argentina. Later that year, seven people linked to the operation were arrested by law enforcement authorities.

    While the use of DCloud itself is not an indicator of malicious intent, Infoblox said the scam sites built with it share some common traits: fake brokerage interfaces, cryptocurrency wallet-drainer prompts, gambling interfaces with rigged outcomes, brand-impersonation storefronts, and bulletproof hosting (BPH).

    The rogue domains span every continent, target speakers of at least eight languages, and masquerade as brands ranging from major stock exchanges to retail giants to messaging platforms, the company said. The fraudulent operations have been ongoing since mid-2022. From the DCloud-fingerprinted sites, two related but distinct populations have emerged –

    • Sites carrying the DCloud Uni-App framework’s basic signatures that go back to 2021 and include both legitimate Chinese businesses and malicious operations
    • An investment scam-specific subset that has been active since mid-2022

    “Counterintuitively, the investment scam population is larger than what the simple DCloud framework fingerprint alone reveals, because more sophisticated operators have stripped the default DCloud scaffolding to evade fingerprint-based identification,” Infoblox noted.

    The second set of DCloud scam websites is run by multiple unrelated operators and comprises a wide variety of fraudulent schemes –

    • Fake cryptocurrency exchanges and deposit-and-trade platforms that impersonate well-known exchanges and trick users into making investments, displaying fictitious trading activity until the victims attempt to withdraw their funds
    • Cryptocurrency wallet drainers that entice users into connecting their wallets by masquerading as BNB Chain or Tether verification flows
    • Prediction-market and gambling impersonations that imitate Polymarket-style prediction markets, or fake casinos and lottery platforms
    • WhatsApp and messaging platform phishing that aims to extract credentials by impersonating WhatsApp’s Security Help Center using lookalike domains (e.g., “whats-zwp[.]vip” or “faq-whatsapp-center[.]com”)
    • Generic template phishing and credential collection that feature simple login and registration pages

    “In the United States, the same playbook has now manifested twice in publicly known operations: first in the LSSC scooter sharing investment scam that scaled into a major federal-and-state fraud investigation last year, and second in a bicycle sharing investment-themed scam that is actively recruiting victims right now under a U.K.-registered corporate front with a genuine U.S. federal money-services license,” the company said.

    The scooter investment scam built using the Uni-App framework is being operated under the Yuechi Sharing Technology Ltd. brand, and primarily targets Australia, New Zealand, and the U.S. Yuechi’s front-end features a login or registration form, the latter of which prompts users to enter their phone number, SMS verification code, and an invitation code that’s shared by an existing affiliate of the pyramid scheme.

    “The invitation code gate is common across investment scam websites: a prospective victim cannot create an account or reach the deposit screen without first being recruited by an existing affiliate,” Infoblox explained. “This requirement aligns with the fact that most operators seek to convert each victim into a recruiter who will then try to recruit their own friends, family, and co-workers to bring in more investments and build out the pyramid.”

    The site also incorporates a customer service component that redirects victims to an off-platform branded chat to handle issues like registration errors, withdrawal blocks, and deposit holds.

    What’s more, Infoblox’s analysis of the DCloud-built investment scam infrastructure has revealed that the majority of the domains are hosted on legitimate providers such as Cloudflare, Alibaba Cloud, Tencent Cloud, and Amazon Web Services. About 6% of visible DCloud-built investment scam domains have been found to leverage BPH providers like CTG Server Limited (AS152194), which has been previously flagged for malicious cyber activity.

    “Sites in the evasive tier, where operators took the trouble to obscure the framework signature, run on bulletproof hosting at roughly double the rate of the vanilla tier,” the company said, where the vanilla tier refers to scam sites that carry the default DCloud framework fingerprint, while the evasive tier consists of sites that don’t carry the fingerprint.

    “The interpretation is straightforward: Operators sophisticated enough to recognize and strip framework fingerprints are also operators sophisticated enough to seek out infrastructure providers that resist takedown requests. The two behaviors tend to go hand in hand. Conversely, the cheapest and least sophisticated operators, those who download a template and deploy it as-is, are also the most likely to be using mainstream hosting, where they are simultaneously easier to identify and easier to remove.”
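
    For defenders, the WhatsApp lookalike domains and the bulletproof-hosting ASN named above can be combined into a simple DNS-log triage. The following is an added example, not code from Infoblox or from this article; the token heuristic, the `LEGIT` allowlist, `MIN_PREFIX`, and the sample ASN pairings are assumptions made for illustration.

```python
import re

BRAND = "whatsapp"
LEGIT = {"whatsapp.com", "whatsapp.net"}   # assumption: the brand's own domains
BPH_ASNS = {152194}                         # CTG Server Limited, as named in the article
MIN_PREFIX = 5                              # assumption: shortest brand fragment that counts

def refang(indicator):
    """'whats-zwp[.]vip' -> 'whats-zwp.vip' (lower-cased, no trailing dot)."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def second_level(host):
    """Last two labels only; a public-suffix list is needed for suffixes like co.uk."""
    return ".".join(host.split(".")[-2:])

def is_lookalike(host):
    sld = second_level(host)
    if sld in LEGIT:
        return False
    # Split the registrable name on hyphens/digits and compare each token to the brand.
    for token in re.split(r"[^a-z]+", sld.rsplit(".", 1)[0]):
        if BRAND in token:
            return True
        if len(token) >= MIN_PREFIX and BRAND.startswith(token):
            return True
    return False

def triage(records):
    """records: (defanged query name, hosting ASN) pairs -> {second-level domain: priority}."""
    flagged = {}
    for qname, asn in records:
        host = refang(qname)
        if not is_lookalike(host):
            continue
        sld = second_level(host)
        if asn in BPH_ASNS or flagged.get(sld) == "high":
            flagged[sld] = "high"      # lookalike on takedown-resistant hosting
        else:
            flagged[sld] = "review"
    return flagged

# Constructed sample: domains are the article's examples plus benign controls; the
# subdomains and ASN pairings are invented for illustration (64500 is a documentation ASN).
SAMPLE = [
    ("whats-zwp[.]vip", 64500),
    ("help.faq-whatsapp-center[.]com", 152194),
    ("web.whatsapp[.]com", 64500),
    ("example[.]org", 152194),
]
```

    Results are keyed by second-level domain, the same unit the article's 236,493 count uses, so many hostnames under one scam domain collapse into a single finding.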
