DCloud Uni-App Scam Network Powers RainbowEx-Style Crypto Fraud and WhatsApp Phishing

Jun 29, 2026

A Chinese open-source development framework has become the silent engine behind one of the largest scam networks ever documented.

Known as DCloud Uni-App, the cross-platform toolkit was designed for legitimate app development but has been repurposed by cybercriminals to run a sprawling operation involving fake crypto exchanges, phishing sites, and investment traps.

More than 236,000 fraudulent second-level domains have been tied to this single framework, making it one of the most weaponized development tools in recent cybercrime history.

The scale of this threat became clear after the 2024 RainbowEx scandal, which drew international attention when thousands of residents in the small Argentine town of San Pedro were defrauded through a fake cryptocurrency platform.

RainbowEx was built using DCloud Uni-App, and that discovery opened the door to a far wider investigation. Researchers found that the platform was not an isolated case but the visible tip of a deeper and more organized criminal infrastructure operating across borders.

Analysts from Infoblox said in a report shared with Cyber Security News (CSN) that the DCloud Uni-App framework underpins at least 236,493 distinct second-level domains operating as scam infrastructure.

The researchers also clarified that DCloud itself is not involved in any fraudulent activity. It is a legitimate Chinese software company, and the framework is widely used by thousands of businesses across mainland China.

The abuse is entirely the work of bad actors who have chosen this toolkit as their preferred building block for large-scale fraud.

The reach of this scam ecosystem is global and multilingual, targeting speakers of at least eight languages, impersonating major stock exchanges, and draining crypto wallets from unsuspecting users.

After the RainbowEx scandal broke internationally in October 2024, newly observed DCloud-based scam sites jumped to roughly 15,000 per month at peak.

That sharp rise suggests awareness in the criminal underground only accelerated further adoption of this framework among fraud operators worldwide.

DCloud Uni-App Scam Network Powers RainbowEx-Style Crypto Fraud

The RainbowEx-style investment scam sites represent the largest category within the DCloud network.

These platforms impersonate well-known cryptocurrency exchanges or use fictional names such as DawnEx or CoinXPro to project legitimacy without infringing on registered trademarks.

Screenshot of a DCloud-built site (hkxiu[.]com) impersonating the Hong Kong Stock Exchange (Source - Infoblox)

Victims are shown fabricated trading activity after depositing funds through Tether or other stablecoins, and when they attempt to withdraw, the money simply disappears.

Two physical-world operations also link back to this infrastructure. Lightning Shared Scooter Co. defrauded investors in the United States through a Uni-App-powered portal that promised passive revenue through a scooter-sharing business model.

A similar operation, Yuechi Sharing Technology Ltd., active in Australia, New Zealand, and the United States, was also built on the same framework, with legitimate-looking registration documents masking its ties to a broader interconnected scam network.

WhatsApp Phishing and Multi-Platform Credential Harvesting

Beyond crypto fraud, threat actors are using DCloud to build WhatsApp phishing sites at scale. These templates mimic the WhatsApp Security Help Center or similar trusted interfaces to trick users into surrendering credentials and account access.

A DCloud-built wallet drainer impersonating BNB Chain verification flows (Source - Infoblox)

Seven WhatsApp-themed scam domains using variants like whatsapzentr.com and whatsaprs.vipl were observed in active use over the past year, with one site presenting itself as a generic login and verification platform.

Many of these phishing pages look deceptively simple, featuring a stock background photo, basic login fields, and a few social media links.

That simplicity is strategic: a clean, unsuspicious page reduces the chance that a visitor leaves before engaging with the site.

Victims are then prompted to connect or verify a crypto wallet, which triggers BNB Chain or Tether verification flows before the connected wallet is quietly drained.

Screenshot of a DCloud-built WhatsApp phishing template (Source - Infoblox)

Infoblox researchers recommend that organizations block known DCloud technical fingerprints at the DNS level to separate malicious scam sites from legitimate ones.

DNS-based protection platforms that integrate this intelligence can automatically flag these threats and protect users across multiple industries.

Over the last two years, scam sites built on DCloud have scaled dramatically, and tracking shared ownership patterns across this entire ecosystem is now long overdue.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|------|-----------|-------------|
| Domain | hakxiyu.com | DCloud-built site impersonating the Hong Kong Stock Exchange (HK1M) crypto exchange |
| Domain | nasqpro.top | DCloud-built investment scam site impersonating the NasQ exchange |
| Domain | pkvviews.com | DCloud-built crypto wallet drainer impersonating BNB Chain verification |
| Domain | polymarkt.com | DCloud-built Polymarkets-style prediction market targeting Portuguese and Spanish speakers |
| Domain | menoloptrap.com | DCloud-built scam-lining site targeting Portuguese and Spanish speakers |
| Domain | qwhatsappenter.com | DCloud-built WhatsApp phishing template presenting as a Help Center verification page |
| Domain | lessol.com | DCloud-built generic rental collection page used in scam infrastructure |
| Domain | whatsapzentr.com | WhatsApp phishing domain using DCloud framework, impersonating WhatsApp Help Center |
| Domain | whatsaprs.vipl | WhatsApp-themed DCloud-built phishing domain targeting user credentials |
| Domain | whatsapus.vipl | WhatsApp-themed DCloud-built phishing domain for credential harvesting |
| Domain | whatsap.vipl | WhatsApp-themed DCloud-built phishing/credential collection domain |
| Domain | whatsapwap.vipl | WhatsApp-themed DCloud-built phishing domain observed in active use |
| Domain | whatsapi.vipl | WhatsApp-themed DCloud-built phishing domain observed in active use |
| Domain | whatsapn.vipl | WhatsApp-themed DCloud-built phishing domain observed in active use |
| Domain | lssoc.com | Domain used by Lightning Shared Scooter Co. (LSSC) investment scam, Uni-App frontend |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
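The DNS-level blocking Infoblox recommends, and the defang/refang handling the note above describes, can be exercised together. The example below is added here and is not Infoblox's or DCloud's code: it refangs a few of the article's listed IoC domains into a blocklist and runs constructed resolver log lines (not any real product's format) against it, matching hosts under a listed second-level domain while ignoring look-alike names. The DCloud technical fingerprints themselves are not given on this page, so a real deployment would feed the blocklist from a threat-intel source.

```python
import re

# Constructed blocklist: a subset of the domains from the article's IoC table,
# defanged with [.] as the note above describes. In practice the list would come
# from a threat-intel feed carrying the DCloud fingerprints Infoblox refers to.
IOC_INDICATORS = [
    "hakxiyu[.]com", "nasqpro[.]top", "pkvviews[.]com",
    "whatsapzentr[.]com", "lssoc[.]com",
]

# Constructed resolver query log (not any real product's format), one query per line.
SAMPLE_DNS_LOG = """\
2026-06-29T10:00:01Z client=10.0.0.5 qname=api.hakxiyu.com qtype=A
2026-06-29T10:00:02Z client=10.0.0.7 qname=www.example.org qtype=A
2026-06-29T10:00:03Z client=10.0.0.9 qname=WhatsapZentr.com. qtype=AAAA
2026-06-29T10:00:04Z client=10.0.0.5 qname=nothakxiyu.com qtype=A
"""

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], (.), [dot]) into a plain lowercase domain."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return s.rstrip(".")

def build_blocklist(indicators) -> set:
    return {refang(i) for i in indicators}

def match_blocked(qname: str, blocklist: set):
    """Return the blocked domain that qname equals or is a subdomain of, else None.
    Walking label suffixes (but never the bare TLD) catches hosts under a listed
    second-level domain while not matching look-alikes such as nothakxiyu.com."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

LOG_RE = re.compile(r"client=(\S+)\s+qname=(\S+)")
def scan_dns_log(log_text: str, blocklist: set) -> list:
    """Return (client, queried name, matched blocked domain) for every hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            client, qname = m.groups()
            blocked = match_blocked(qname, blocklist)
            if blocked:
                hits.append((client, qname, blocked))
    return hits
```

Running scan_dns_log over the constructed log reports the two queries for api.hakxiyu.com and whatsapzentr.com and leaves nothakxiyu.com alone.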

Source: CybersecurityNews.com
