Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. 236,000 DCloud Uni-App Sites Powering Crypto Scams and Wallet Drainers
236,000 DCloud Uni-App Sites Powering Crypto Scams and Wallet Drainers
NEWS

236,000 DCloud Uni-App Sites Powering Crypto Scams and Wallet Drainers

Infoblox researchers have uncovered over 236,000 websites built on the legitimate DCloud Uni-App framework being weaponized for investment scams,...

Dylan H.

News Desk

June 29, 2026
5 min read

Security researchers at Infoblox have uncovered a large-scale fraud infrastructure using a legitimate Chinese open-source framework as its backbone. Over 236,000 websites built with DCloud Uni-App — a cross-platform application development framework — are being used to power a diverse ecosystem of crypto scams, phishing campaigns, and wallet draining operations.

What Is DCloud Uni-App?

DCloud Uni-App is a legitimate, widely-used Chinese open-source cross-platform application development framework that allows developers to build apps deployable to web, iOS, Android, WeChat Mini Programs, and other platforms from a single codebase. It is comparable to React Native or Flutter in concept.

Because Uni-App is freely available, well-documented, and produces professional-looking applications, it has become an attractive tool for fraud operators who can rapidly spin up convincing fake exchanges, investment platforms, and financial services.

The Fraud Ecosystem

Infoblox's research reveals that the 236,000+ malicious DCloud Uni-App sites are not a single campaign but an interconnected ecosystem of scam templates serving multiple fraud categories:

Pig-Butchering (Investment Fraud)

The largest segment of the identified sites power pig-butchering scams — sophisticated long-con investment fraud where attackers:

  1. Build trust with victims over weeks or months via messaging apps
  2. Introduce the victim to a "lucrative" investment opportunity
  3. Direct victims to a fake cryptocurrency exchange or investment platform
  4. Allow small initial "profits" to build confidence
  5. Encourage increasingly large deposits
  6. Drain the account and disappear

The DCloud Uni-App templates produce polished, mobile-optimized fake exchanges that are nearly indistinguishable from legitimate platforms to an untrained eye.

Bogus Cryptocurrency Exchanges

Hundreds of the identified sites mimic legitimate cryptocurrency exchanges, complete with:

  • Live-looking price tickers (often connected to real market data APIs to appear authentic)
  • Fake order books and trading interfaces
  • Withdrawal restrictions that prevent victims from recovering funds
  • Customer support chat staffed by fraud operators

Multi-Language Phishing Kits

The infrastructure supports multi-language phishing targeting victims across multiple geographic regions simultaneously. Templates have been observed in English, Mandarin, Japanese, Korean, Spanish, and other languages — enabling global targeting from a single fraudulent platform.

Wallet Drainers

A subset of the identified sites deploy cryptocurrency wallet drainers — malicious scripts that, when a victim connects their crypto wallet (e.g., MetaMask) to what appears to be a legitimate DeFi platform, automatically drain all available assets.

Wallet drainer sites typically impersonate:

  • DeFi protocols and yield farming platforms
  • NFT minting sites
  • Airdrop claim pages
  • Wallet "verification" or "sync" services

Scale and Infrastructure

The 236,000 figure represents only the sites Infoblox was able to identify. The actual scale of the operation is likely larger. Key infrastructure characteristics:

MetricDetail
Identified sites236,000+
FrameworkDCloud Uni-App (legitimate, open-source)
LanguagesMultiple (English, Chinese, Japanese, Korean, Spanish, and more)
Fraud typesPig-butchering, fake exchanges, wallet drainers, phishing
HostingDistributed across numerous providers

Why DCloud Uni-App?

The choice of a legitimate open-source framework is deliberate:

  1. Legitimacy by association — Sites built with real frameworks look and behave like real apps
  2. Rapid deployment — Pre-built templates allow new scam sites to launch in hours
  3. Cross-platform reach — The same template works on web and mobile, maximizing victim surface
  4. Evasion — Security tools scanning for known malicious frameworks won't flag legitimate DCloud code
  5. Scale — Template-based approach allows thousands of unique domains from minimal effort

This pattern of weaponizing legitimate development tools is increasingly common in fraud infrastructure, making detection harder and cleanup more complex.

Protection Guidance

For Individuals

  • Never invest in platforms recommended by strangers online — Pig-butchering begins on dating apps, social media, and messaging platforms
  • Verify exchanges independently — Use CoinMarketCap, CoinGecko, or official app stores to find legitimate platforms
  • Never connect your wallet to an unfamiliar site — Wallet drainers require your active wallet connection to function
  • Be suspicious of guaranteed returns — Legitimate investments do not guarantee profits
  • Check domain age — Scam sites are often days or weeks old; use WHOIS to verify

For Organizations and Security Teams

  • Block DCloud Uni-App CDN domains if they have no legitimate business use in your environment
  • Monitor for wallet-draining script patterns — Known drainer scripts have detectable signatures
  • Phishing feed integration — Subscribe to Infoblox Threat Intel and similar feeds that track this infrastructure
  • User awareness training — Focus specifically on crypto investment scam patterns and wallet connection risks

For Cryptocurrency Users

  1. Use a hardware wallet for significant holdings — drainers cannot access funds in hardware wallets without physical confirmation
  2. Revoke wallet approvals regularly using tools like Revoke.cash
  3. Never use a primary wallet to interact with new or unverified protocols
  4. Use a disposable wallet for interacting with new dApps

Key Takeaways

  • Over 236,000 websites using the legitimate DCloud Uni-App framework are powering crypto scams
  • The ecosystem spans pig-butchering, fake exchanges, multi-language phishing, and wallet drainers
  • Multi-language support enables global targeting from centralized fraud infrastructure
  • The abuse of legitimate open-source frameworks makes detection significantly harder
  • Never connect your wallet to an unverified site — wallet drainers require your active authorization

References

  • The Hacker News — 236,000 DCloud Uni-App Sites Used in Crypto Scams, Phishing, and Wallet Drainers
  • Infoblox Threat Intelligence
  • DCloud Uni-App Framework
#Phishing#Cloud Security#The Hacker News#Cryptocurrency#Fraud#DCloud#Infoblox

Related Articles

Chinese DCloud Uni-App Framework Powers 200,000+ Global Investment Scam Sites

Researchers at Infoblox documented how the legitimate DCloud Uni-App cross-platform development framework has been weaponized to power over 236,000 scam...

5 min read

Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive

Researchers at Infoblox and Confiant have uncovered a dual-threat fraud operation active since 2020: fake CAPTCHA pages secretly send up to 50...

6 min read

Gamaredon Expands Ukraine Attacks with New Malware and Cloud Abuse

Russian FSB-linked APT group Gamaredon has mounted 35 distinct spear-phishing campaigns against Ukrainian targets in 2025, deploying an expanded malware...

5 min read
Back to all News