Over 200,000 websites have been identified as using investment scam templates that leverage the Chinese open-source framework Uni-App, according to cybersecurity firm Infoblox. Uni-App, known for its versatile development capabilities, is widely utilized in legitimate applications across China. However, its misuse by fraudulent actors has raised significant concerns.
Understanding Uni-App’s Role
The Uni-App framework facilitates the creation of Vue.js codebases, enabling deployment as mobile or desktop applications and websites. Despite its legitimate uses, Infoblox’s findings reveal that scammers are exploiting this technology by selling investment scam templates. This has resulted in a significant number of scam websites that appear to be interconnected.
Infoblox’s research indicates a pattern of coordinated activity among these scam sites, with fluctuations in new domain registrations suggesting centralized control. These developments highlight the need for increased vigilance and accountability in the use of such frameworks.
Scale and Impact of Scam Operations
Infoblox has identified over 236,000 second-level domains as part of this scam infrastructure. These sites include fake cryptocurrency exchanges, phishing platforms, and impersonations of brands and services. A notable example is the RainbowEx platform, a fraudulent cryptocurrency site that swindled numerous investors in Argentina.
Since mid-2022, these scam domains have proliferated across various hosting providers, with a marked increase from late 2024, following the RainbowEx incident. At its peak, up to 15,000 new scam sites were observed monthly, indicating the widespread adoption of the Uni-App framework by scammers.
Broader Implications and Future Outlook
The bulk of these DCloud-marked sites (DCloud being the company that develops Uni-App) are investment scams, operated by many independent groups. These include crypto wallet drainers and phishing sites, among others. Notably, the framework has also been used in schemes like Lightning Shared Scooter Co. (LSSC) and Yuechi Sharing Technology Ltd. (YST), which falsely promised high returns to investors.
Infoblox emphasizes the urgency of tracking these threat actors and identifying possible connections indicating shared ownership. Such efforts are crucial in the fight against this growing cybercrime ecosystem.
The expanding use of the DCloud framework in scams underscores a pressing need for comprehensive monitoring and intervention strategies to mitigate the risks posed by these fraudulent networks.
