Security researchers at Infoblox have uncovered a large-scale fraud infrastructure using a legitimate Chinese open-source framework as its backbone. Over 236,000 websites built with DCloud Uni-App — a cross-platform application development framework — are being used to power a diverse ecosystem of crypto scams, phishing campaigns, and wallet draining operations.
What Is DCloud Uni-App?
DCloud Uni-App is a legitimate, widely-used Chinese open-source cross-platform application development framework that allows developers to build apps deployable to web, iOS, Android, WeChat Mini Programs, and other platforms from a single codebase. It is comparable to React Native or Flutter in concept.
Because Uni-App is freely available, well-documented, and produces professional-looking applications, it has become an attractive tool for fraud operators who can rapidly spin up convincing fake exchanges, investment platforms, and financial services.
The Fraud Ecosystem
Infoblox's research reveals that the 236,000+ malicious DCloud Uni-App sites are not a single campaign but an interconnected ecosystem of scam templates serving multiple fraud categories:
Pig-Butchering (Investment Fraud)
The largest segment of the identified sites power pig-butchering scams — sophisticated long-con investment fraud where attackers:
- Build trust with victims over weeks or months via messaging apps
- Introduce the victim to a "lucrative" investment opportunity
- Direct victims to a fake cryptocurrency exchange or investment platform
- Allow small initial "profits" to build confidence
- Encourage increasingly large deposits
- Drain the account and disappear
The DCloud Uni-App templates produce polished, mobile-optimized fake exchanges that are nearly indistinguishable from legitimate platforms to an untrained eye.
Bogus Cryptocurrency Exchanges
Hundreds of the identified sites mimic legitimate cryptocurrency exchanges, complete with:
- Live-looking price tickers (often connected to real market data APIs to appear authentic)
- Fake order books and trading interfaces
- Withdrawal restrictions that prevent victims from recovering funds
- Customer support chat staffed by fraud operators
Multi-Language Phishing Kits
The infrastructure supports multi-language phishing targeting victims across multiple geographic regions simultaneously. Templates have been observed in English, Mandarin, Japanese, Korean, Spanish, and other languages — enabling global targeting from a single fraudulent platform.
Wallet Drainers
A subset of the identified sites deploy cryptocurrency wallet drainers — malicious scripts that, when a victim connects their crypto wallet (e.g., MetaMask) to what appears to be a legitimate DeFi platform, automatically drain all available assets.
Wallet drainer sites typically impersonate:
- DeFi protocols and yield farming platforms
- NFT minting sites
- Airdrop claim pages
- Wallet "verification" or "sync" services
Scale and Infrastructure
The 236,000 figure represents only the sites Infoblox was able to identify. The actual scale of the operation is likely larger. Key infrastructure characteristics:
| Metric | Detail |
|---|---|
| Identified sites | 236,000+ |
| Framework | DCloud Uni-App (legitimate, open-source) |
| Languages | Multiple (English, Chinese, Japanese, Korean, Spanish, and more) |
| Fraud types | Pig-butchering, fake exchanges, wallet drainers, phishing |
| Hosting | Distributed across numerous providers |
Why DCloud Uni-App?
The choice of a legitimate open-source framework is deliberate:
- Legitimacy by association — Sites built with real frameworks look and behave like real apps
- Rapid deployment — Pre-built templates allow new scam sites to launch in hours
- Cross-platform reach — The same template works on web and mobile, maximizing victim surface
- Evasion — Security tools scanning for known malicious frameworks won't flag legitimate DCloud code
- Scale — Template-based approach allows thousands of unique domains from minimal effort
This pattern of weaponizing legitimate development tools is increasingly common in fraud infrastructure, making detection harder and cleanup more complex.
Protection Guidance
For Individuals
- Never invest in platforms recommended by strangers online — Pig-butchering begins on dating apps, social media, and messaging platforms
- Verify exchanges independently — Use CoinMarketCap, CoinGecko, or official app stores to find legitimate platforms
- Never connect your wallet to an unfamiliar site — Wallet drainers require your active wallet connection to function
- Be suspicious of guaranteed returns — Legitimate investments do not guarantee profits
- Check domain age — Scam sites are often days or weeks old; use WHOIS to verify
For Organizations and Security Teams
- Block DCloud Uni-App CDN domains if they have no legitimate business use in your environment
- Monitor for wallet-draining script patterns — Known drainer scripts have detectable signatures
- Phishing feed integration — Subscribe to Infoblox Threat Intel and similar feeds that track this infrastructure
- User awareness training — Focus specifically on crypto investment scam patterns and wallet connection risks
For Cryptocurrency Users
- Use a hardware wallet for significant holdings — drainers cannot access funds in hardware wallets without physical confirmation
- Revoke wallet approvals regularly using tools like Revoke.cash
- Never use a primary wallet to interact with new or unverified protocols
- Use a disposable wallet for interacting with new dApps
Key Takeaways
- Over 236,000 websites using the legitimate DCloud Uni-App framework are powering crypto scams
- The ecosystem spans pig-butchering, fake exchanges, multi-language phishing, and wallet drainers
- Multi-language support enables global targeting from centralized fraud infrastructure
- The abuse of legitimate open-source frameworks makes detection significantly harder
- Never connect your wallet to an unverified site — wallet drainers require your active authorization